When you encrypt your databases, you will often end up needing the keystore password to perform certain operations. For instance, cloning an encrypted PDB will require the keystore password:
CREATE PLUGGABLE DATABASE ... KEYSTORE IDENTIFIED BY S3cr3t;
This is not very secure because the keystore password is now visible in clear text. Further, if you have the command in a script, ansible, cron job or the like, you will also have it there in clear text. Or, if your organization has implemented separation of duties, and the operational DBAs don’t have access to the keystore password.
Enter Secure External Password Store (SEPS)
Using the example above, what if you could just write the following:
CREATE PLUGGABLE DATABASE ... KEYSTORE IDENTIFIED BY EXTERNAL STORE;
And the database would get the secret keystore password without involving you! Your problems would be solved.
That is what you can do with Secure External Password Store. Whenever you need to specify the keystore password using KEYSTORE IDENTIFIED BY you can use the EXTERNAL STORE clause, and avoid typing the password.
SEPS was introduced in 10g, however, since Oracle Database 12.2 you can store keystore credentials in it. SEPS is similar to an auto-login keystore. It is an encrypted file stored in the file system that is encrypted by a password that only the database knows. You as a DBA can’t extract the information from the database.
Configuration
First, tell the database where SEPS is located:
SQL> ALTER SYSTEM
SET EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION = '$ORACLE_BASE/admin/$ORACLE_SID/wallet/tde_seps'
SCOPE=SPFILE;
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP
Next, add the keystore password (in this case S3cr3t) into SEPS as a secret for the client TDE_WALLET:
SQL> ADMINISTER KEY MANAGEMENT
ADD SECRET 'S3cr3t' FOR CLIENT 'TDE_WALLET'
USING TAG 'TDE keystore password'
TO LOCAL AUTO_LOGIN KEYSTORE '$ORACLE_BASE/admin/$ORACLE_SID/wallet/tde_seps’;
Finally, replace the keystore password in your commands with SEPS using the EXTERNAL STORE clause:
SQL> --No longer need this
SQL> CREATE PLUGGABLE DATABASE ... KEYSTORE IDENTIFIED BY S3cr3t;
SQL> --Now you can do this
SQL> CREATE PLUGGABLE DATABASE ... KEYSTORE IDENTIFIED BY EXTERNAL STORE;
You can use KEYSTORE IDENTIFIED BY EXTERNAL STORE on most ADMINISTER KEY MANAGEMENT commands, like exporting and importing encryption keys, but for security reasons some ADMINISTER KEY MANAGEMENT commands still require that you type in the keystore password.
When you specify the location of SEPS, I strongly recommend that you stick to the default location,
$ORACLE_BASE/admin/$ORACLE_SID/wallet/tde_seps. If you are also using WALLET_ROOT parameter, then SEPS must be stored in the default location.
If you are using Oracle Key Vault or a dedicated Hardware Security Module instead of a software keystore, you can store those credentials in SEPS as well. Respectively, use CLIENT set to OKV_PASSWORD or HSM_PASSWORD.
Conclusion
You can simplify commands that involve the keystore by using SEPS. In addition, it will be more secure because you can avoid typing or hardcoding the keystore password in cleartext.
I have produced a small demo that you can watch on YouTube:
If you like the video and want more, remember to hit the subscribe button on our YouTube channel.
References
- Configuring an External Store for a Keystore Password (Oracle Database 19c: Advanced Security Guide)
Databases Are Fun 