When you encrypt your databases, you will often end up needing the keystore password to perform certain operations. For instance, cloning an encrypted PDB will require the keystore password:
CREATE PLUGGABLE DATABASE ... KEYSTORE IDENTIFIED BY S3cr3t;
This is not very secure because the keystore password is now visible in clear text. Further, if you have the command in a script, ansible, cron job or the like, you will also have it there in clear text. Or, if your organization has implemented separation of duties, and the operational DBAs don’t have access to the keystore password.
Enter Secure External Password Store (SEPS)
Using the example above, what if you could just write the following:
CREATE PLUGGABLE DATABASE ... KEYSTORE IDENTIFIED BY EXTERNAL STORE;
And the database would get the secret keystore password without involving you! Your problems would be solved.
That is what you can do with Secure External Password Store. Whenever you need to specify the keystore password using
KEYSTORE IDENTIFIED BY you can use the
EXTERNAL STORE clause, and avoid typing the password.
SEPS was introduced in 10g, however, since Oracle Database 12.2 you can store keystore credentials in it. SEPS is similar to an auto-login keystore. It is an encrypted file stored in the file system that is encrypted by a password that only the database knows. You as a DBA can’t extract the information from the database.
First, tell the database where SEPS is located:
SQL> ALTER SYSTEM SET EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION = '$ORACLE_BASE/admin/$ORACLE_SID/wallet/tde_seps' SCOPE=SPFILE; SQL> SHUTDOWN IMMEDIATE SQL> STARTUP
Next, add the keystore password (in this case S3cr3t) into SEPS as a secret for the client TDE_WALLET:
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'S3cr3t' FOR CLIENT 'TDE_WALLET' USING TAG 'TDE keystore password' TO LOCAL AUTO_LOGIN KEYSTORE '$ORACLE_BASE/admin/$ORACLE_SID/wallet/tde_seps’;
Finally, replace the keystore password in your commands with SEPS using the
EXTERNAL STORE clause:
SQL> --No longer need this SQL> CREATE PLUGGABLE DATABASE ... KEYSTORE IDENTIFIED BY S3cr3t; SQL> --Now you can do this SQL> CREATE PLUGGABLE DATABASE ... KEYSTORE IDENTIFIED BY EXTERNAL STORE;
You can use
KEYSTORE IDENTIFIED BY EXTERNAL STORE on most
ADMINISTER KEY MANAGEMENT commands, like exporting and importing encryption keys, but for security reasons some
ADMINISTER KEY MANAGEMENT commands still require that you type in the keystore password.
When you specify the location of SEPS, I strongly recommend that you stick to the default location,
$ORACLE_BASE/admin/$ORACLE_SID/wallet/tde_seps. If you are also using
WALLET_ROOT parameter, then SEPS must be stored in the default location.
If you are using Oracle Key Vault or a dedicated Hardware Security Module instead of a software keystore, you can store those credentials in SEPS as well. Respectively, use
CLIENT set to
You can simplify commands that involve the keystore by using SEPS. In addition, it will be more secure because you can avoid typing or hardcoding the keystore password in cleartext.
I have produced a small demo that you can watch on YouTube:
If you like the video and want more, remember to hit the subscribe button on our YouTube channel.
- Configuring an External Store for a Keystore Password (Oracle Database 19c: Advanced Security Guide)