In a multitenant environment where you want to use Transparent Data Encryption (TDE), you can do it in two ways:
- United keystore mode. The default option. The CDB has a keystore, and all PDBs use that keystore. The encryption keys belong to each individual PDB, but the one keystore contains all the encryption keys.
- Isolated keystore mode. Became available with 19.11.0 and in later versions. The CDB has a keystore that all PDBs can use, but you can configure a PDB to use its own keystore. If a PDB uses TDE in isolated mode, that PDB will physically have its own keystore, where only the TDE encryption keys get stored. PDBs that are not configured to use isolated mode, will put the encryption keys into the keystore of the CDB. Isolated mode is fairly new and is not fully supported yet by AutoUpgrade, OCI tooling, and other tools.
United mode is the easy way of doing things. You configure one keystore and then all PDBs can use that keystore.
Isolated mode is suitable when you want to completely isolate the PDBs and even keep the encryption keys separate. Moreover, you can have different passwords protecting the keystores. Isolated mode strengthens security but adds maintenance overhead; more keystores to backup and protect). Additionally, in isolated mode, each PDB can use a different kind of keystore. The CDB can use a software keystore (a file in the OS), PDB1 can use its own software keystore (another file in the OS), and PDB2 can store its encryption keys in Oracle Key Vault. More security and more flexibility.
Regardless of which keystore mode you plan to use, you always start by configuring TDE in united mode in the CDB. Afterward you can enable isolated mode in individual PDBs, if you want that.
How To Configure TDE
This procedure enables TDE in united mode. I will use a software keystore (a file in the OS):
Create a directory where I will place the keystore. You can change $ORA_KEYBASE to another location.
export ORA_KEYBASE=$ORACLE_BASE/admin/$ORACLE_SID/wallet #Don't change ORA_KEYSTORE export ORA_KEYSTORE=$ORA_KEYBASE/tde mkdir -p $ORA_KEYSTORE
WALLET_ROOTto tell the database where I want to create the keystore files, and
TDE_CONFIGURATIONto tell the database to use a software keystore:
alter session set container=cdb$root; alter system set wallet_root='$ORA_KEYBASE' scope=spfile; shutdown immediate startup alter system set tde_configuration='KEYSTORE_CONFIGURATION=FILE' scope=both;
Now create the keystore and a TDE encryption key for CDB$ROOT. My TDE keystore password is oracle_4U; you should pick a better password:
administer key management create keystore '$ORA_KEYSTORE' identified by "oracle_4U"; administer key management set keystore open force keystore identified by "oracle_4U"; administer key management set key identified by "oracle_4U" with backup;
You can optionally use the
CONTAINERS=ALLclause to set a TDE encryption key in all PDBs. Don’t do this if you plan on using isolated keystore later on:
administer key management create keystore '$ORA_KEYSTORE' identified by "oracle_4U"; administer key management set keystore open force keystore identified by "oracle_4U" container=all; administer key management set key identified by "oracle_4U" with backup container=all;
Optionally, create an auto-login keystore. If you don’t, you must manually input the TDE keystore password every time the database starts.
administer key management create local auto_login keystore from keystore '$ORA_KEYSTORE' identified by "oracle_4U";
That’s it. You can now start to create encrypted tablespaces:
create tablespace ... encryption encrypt;
I have now created the root keystore in the location defined by
WALLET_ROOT. The database automatically adds a subfolder called tde. In that folder you find ewallet.p12 which is the actual software keystore of the CDB, and cwallet.sso which is the auto-login keystore:
$ pwd /u01/app/oracle/admin/CDB2/wallet/tde $ ll total 8 -rw-------. 1 oracle dba 4040 May 16 09:35 cwallet.sso -rw-------. 1 oracle dba 3995 May 16 09:35 ewallet.p12
Configure Isolated Keystore
You can enable isolated mode in a PDB after you configure the CDB for united mode (the above procedure). The following assumes that TDE has not been configured yet in PDB1:
- Switch to the PDB and configure
ALTER SESSION SET CONTAINER=PDB1; ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=FILE' SCOPE=BOTH;
- Create the keystore and a TDE encryption key for the PDB. Notice I am giving my PDB keystore a different password:
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "oracle_4U2"; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN FORCE KEYSTORE IDENTIFIED BY "oracle_4U2"; ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "oracle_4U2" WITH BACKUP;
- Optionally, create an auto-login keystore of the PDB keystore. If not, you need to manually input the TDE keystore password in the PDB every time it starts:
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "oracle_4U2";
The PDB keystore is now placed in a subfolder of
WALLET_ROOT matching the PDB GUID (D6A29777EC214B6FE055000000000001). You find similar files, ewallet.p12 and cwallet.sso in the dedicated folder for the isloated PDB keystore:
$ pwd /u01/app/oracle/admin/CDB2/wallet/D6A29777EC214B6FE055000000000001/tde $ ll total 8 -rw-------. 1 oracle dba 2120 May 16 09:37 cwallet.sso -rw-------. 1 oracle dba 2059 May 16 09:35 ewallet.p12
To get the GUID of a PDB:
select name, guid from v$containers;
The database will automatically create the directories needed for the PDB keystore.
Migrating Between Keystore Modes
If you need to migrate between the two keystore modes, there are two commands you can use. oracle_4U is the keystore password of the root keystore; oracle_4U2 is the keystore password of the PDB keystore.
To migrate a PDB from united to isolated mode, i.e., to isolate a keystore:
alter session set container=PDB1; administer key management force isolate keystore identified by "oracle_4U2" from root keystore force keystore identified by "oracle_4U" with backup;
To migrate a PDB from isolated to united mode, i.e., to unite a PDB keystore into a root keystore:
alter session set container=PDB1; administer key management unite keystore identified by "oracle_4U2" with root keystore force keystore identified by "oracle_4U" with backup;
To determine which keystore mode is in use:
select con_id, wrl_parameter, keystore_mode from v$encryption_wallet;
If you want to use isolated keystore mode in 19.11, 19.12 or 19.13 you need to apply patch 32235513 as well. From 19.14 and onwards this is not needed.
Isolated mode used to be a cloud-only feature. But since 19.11 it has been made available to everyone.