In Oracle Database 19c, use of sqlnet.ora to define the keystore (or wallet) location has been deprecated. Instead you should use the database parameter WALLET_ROOT. If you upgrade to Oracle Database 19c with AutoUpgrade, the switch has become a lot easier. Let AutoUpgrade do the work for you.
If you instruct AutoUpgrade to use the new encryption parameters it will not only add the parameters to the SPFile but also copy the keystore file to the location defined. This is what you have to do:
- Create a text file which contains the definition of TDE_CONFIGURATION. I call it /tmp/au-pfile-tde. Optionally, change the keystore location to fit your organization.
- Instruct AutoUpgrade to add those parameters during and after the upgrade. Add the following to your AutoUpgrade config file:
That’s it! AutoUpgrade will detect that you are changing the keystore location, and it will copy the keystore files to the new location at the appropriate time.
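To make the two steps above concrete, here is an added example (my own shell script, not the post's own files, whose exact contents are not reproduced here). It writes a pfile fragment with WALLET_ROOT and TDE_CONFIGURATION and an AutoUpgrade config fragment that references it. The paths, the config prefix `upg1`, and the AutoUpgrade keywords `add_during_upgrade_pfile` / `add_after_upgrade_pfile` are assumptions on my part; confirm them against the documentation of your AutoUpgrade version. The script also refuses a WALLET_ROOT that already ends in /tde, because the database appends that subfolder itself.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the two small files
# an AutoUpgrade-driven keystore move needs. Keywords and paths are assumptions.

# wallet_root_ok <path>: true unless the path already ends in the tde subfolder,
# which the database appends on its own when it looks up the keystore.
wallet_root_ok() {
  case "$1" in
    */tde|*/tde/) return 1 ;;
    *)            return 0 ;;
  esac
}

# write_tde_pfile <file> [<wallet_root>]
# Writes the two init parameters in pfile syntax. The default keeps the literal
# $ORACLE_SID placeholder used in the post; it is not expanded here.
write_tde_pfile() {
  file=$1
  wallet_root=${2:-'/etc/oracle/keystores/$ORACLE_SID'}
  wallet_root_ok "$wallet_root" || {
    echo "refusing WALLET_ROOT '$wallet_root': do not add /tde manually" >&2
    return 1
  }
  printf "wallet_root='%s'\ntde_configuration='KEYSTORE_CONFIGURATION=FILE'\n" \
    "$wallet_root" > "$file"
}

# write_autoupgrade_config <cfg> <pfile> [<prefix>]
# Appends the entries that tell AutoUpgrade to merge <pfile> into the SPFile
# during and after the upgrade (keyword names assumed, check your version).
write_autoupgrade_config() {
  cfg=$1; pfile=$2; prefix=${3:-upg1}
  printf '%s.add_during_upgrade_pfile=%s\n%s.add_after_upgrade_pfile=%s\n' \
    "$prefix" "$pfile" "$prefix" "$pfile" >> "$cfg"
}

# Stand-alone usage: write both fragments under /tmp (constructed example paths).
if [ "${1:-}" = "--demo" ]; then
  write_tde_pfile /tmp/au-pfile-tde
  write_autoupgrade_config /tmp/au-config.cfg /tmp/au-pfile-tde upg1
  cat /tmp/au-pfile-tde /tmp/au-config.cfg
fi
```

Run it with `--demo` to see the generated fragments. The pfile deliberately contains no /tde suffix in WALLET_ROOT; that is the most common mistake when people move from ENCRYPTION_WALLET_LOCATION, which did point at the directory holding the files.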
Important: When you use WALLET_ROOT, the keystore files should always be stored in a subfolder called tde. This means that the keystore files will end up in /etc/oracle/keystores/$ORACLE_SID/tde.
You should not add /tde manually to WALLET_ROOT. The database will do that automatically when it looks up the keystore.
Since you have moved the keystore files to a new location there are some things that you should take care of:
- You can remove the sqlnet.ora parameter ENCRYPTION_WALLET_LOCATION. It is not used anymore.
- The keystore files that were stored in the old location (the one defined by ENCRYPTION_WALLET_LOCATION) can be moved manually to a backup location. I would never recommend that you delete keystore files – NEVER! Instead move the old files to a backup location and keep them there.
- The keystore files are to be considered critical and contain sensitive information, so ensure that the new location has the same security measures as the old one – like:
- Restricted file permissions
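A post-move check for the points above, as an added example that is not part of the original post: the function below verifies that the keystore files landed in the tde subfolder under WALLET_ROOT and that neither the directory nor the files grant any permission to group or others. The file names ewallet.p12 (password-protected keystore) and cwallet.sso (auto-login keystore) are the standard software keystore files; everything else, including the sample directory the demo builds under /tmp, is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies keystore placement and
# permissions after a move to WALLET_ROOT. Portable: parses ls -ld instead of stat.

# secure_mode <path>: true if group and others have no permission bits at all.
secure_mode() {
  bits=$(ls -ld "$1" | cut -c5-10)
  [ "$bits" = "------" ]
}

# check_keystore_dir <wallet_root>
# Prints one line per finding and returns non-zero if anything is wrong.
check_keystore_dir() {
  dir="$1/tde"
  rc=0
  [ -d "$dir" ] || {
    echo "MISSING: $dir (keystore files must live in the tde subfolder)"
    return 1
  }
  secure_mode "$dir" || { echo "PERMS: $dir is group/world accessible"; rc=1; }
  [ -f "$dir/ewallet.p12" ] || { echo "MISSING: $dir/ewallet.p12"; rc=1; }
  for f in "$dir/ewallet.p12" "$dir/cwallet.sso"; do
    [ -e "$f" ] || continue           # cwallet.sso is optional (auto-login only)
    secure_mode "$f" || { echo "PERMS: $f is group/world accessible"; rc=1; }
  done
  [ $rc -eq 0 ] && echo "OK: $dir"
  return $rc
}

# Stand-alone demo on a constructed directory tree (not a real keystore).
if [ "${1:-}" = "--demo" ]; then
  root=$(mktemp -d)
  mkdir -m 700 "$root/tde"
  : > "$root/tde/ewallet.p12"; chmod 600 "$root/tde/ewallet.p12"
  check_keystore_dir "$root"          # expected: OK
  chmod 644 "$root/tde/ewallet.p12"
  check_keystore_dir "$root"          # expected: PERMS finding, non-zero exit
fi
```

Run this as the Oracle software owner with the same WALLET_ROOT value you set in the SPFile. On the database side, V$ENCRYPTION_WALLET shows the resolved WRL_PARAMETER and STATUS, which is the quickest way to confirm that the instance actually opened the keystore from the new location.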
Traditionally, if you have an encrypted database, you need to define the keystore location in sqlnet.ora using the parameter ENCRYPTION_WALLET_LOCATION. You would set it to something like this:
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=/etc/oracle/keystores/$ORACLE_SID)))
For many reasons, sqlnet.ora was not a good location for this parameter, and especially with the introduction of isolated keystore mode, a new method was needed.
Instead, use the WALLET_ROOT and TDE_CONFIGURATION database initialization parameters. The former, WALLET_ROOT, defines the location of the keystore. The latter, TDE_CONFIGURATION, defines which kind of keystore is in use. Typically, it is set to FILE, which is what you use for a software keystore (a file in the OS). But it could also be OKV if you are using Oracle Key Vault.
For a software keystore you would set it to something like:
ALTER SYSTEM SET WALLET_ROOT='/etc/oracle/keystores/$ORACLE_SID' SCOPE=SPFILE;
ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=FILE' SCOPE=SPFILE;
SHUTDOWN IMMEDIATE
STARTUP
Now, the database finds the keystore location using the WALLET_ROOT parameter, which is much smoother.
As of Oracle Database 19c, configuring the keystore using sqlnet.ora has been deprecated, and as with any other deprecated functionality, you should move to a fully supported alternative.
- Blog post: TDE from a Non-Security Guy
- Blog post: How to Stop Hardcoding Your TDE Keystore Password
- My Oracle Support: Latest version of AutoUpgrade
- Documentation: Configuring a Software Keystore
- Documentation: Security Considerations for Transparent Data Encryption