• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

How To Create an Encrypted Tablespace in Oracle 12c Pluggable Database

by admin

Question: How to create an encrypted tablespace in a 12c pluggable database of multi tenant DB?

To create an encrypted tablespace in a 12c pluggable database requires some additional steps as compared to previous version 11g. The reason is by default the wallet does not hold a tablespace key for the pluggable databases.

1. Set parameter encryption_wallet_location in sqlnet.ora

Example sqlnet.ora:

# sqlnet.ora Network Configuration File: /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

ENCRYPTION_WALLET_LOCATION =
  (source =
    (method = file)
    (method_data =
      (directory = /u01/app/oracle/product/12.1.0/dbhome_1/network/admin)))

2. Create the encryption wallet while connected to the container db:

sql> alter system set encryption key identified by "welcome1";

Example wallet contents after initial wallet creation:

$ mkstore -wrl . -list
Oracle Secret Store Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:           
   
Oracle Secret Store entries: 
ORACLE.SECURITY.DB.ENCRYPTION.AX/6LjyVSU+Bv0HWal3oaDYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.TS.ENCRYPTION.BSrBWdkVPE/wvzv5Me2Wk4UCAwAAAAAAAAAAAAAAAAAAAAAAAAAA

3. It is required to backup the wallet before attempting any change:

administer key management backup keystore identified by "welcome1";

4. Connect to the pluggable database and first open the wallet:

administer key management set keystore open identified by "welcome1";

If at this point it would be attempted to create an encrypted tablespace from within the pluggable database, it will fail as follows:

sql> create tablespace data datafile
*
ERROR at line 1:
ORA-28374: typed master key not found in wallet

5. Connect to the pluggable database and rekey the master key:

administer key management set key identified by "welcome1";

Example directory listing after creating the backup wallet and the rekey operation:

$ pwd
/u01/app/oracle/product/12.1.0/dbhome_1/network/admin
$ ls -ltr
total 36
-rw-r--r-- 1 oracle dba  407 Jan 19  2012 shrept.lst
drwxr-xr-x 2 oracle dba 4096 Jun 25 09:48 samples
-rw-r--r-- 1 oracle dba  349 Jun 25 09:57 listener.ora
-rw-r----- 1 oracle dba  552 Jun 25 11:11 tnsnames.ora
-rw-r--r-- 1 oracle dba  352 Jun 25 12:13 sqlnet.ora
-rw-r--r-- 1 oracle dba 3112 Jun 25 12:15 ewallet.p12_initial
-rw------- 1 oracle dba    0 Jun 25 12:35 ewallet.p12.lck
-rw------- 1 oracle dba    0 Jun 25 12:35 cwallet.sso.lck
-rw-r--r-- 1 oracle dba 3112 Jun 25 12:38 ewallet_2013062510380429.p12
-rw-r--r-- 1 oracle dba 6768 Jun 25 12:38 ewallet.p12
Note: file ewallet.p12_initial is a manual backup, it appears to be a binary equivalent of the system generated backup file ewallet_2013062510380429.p12

Example wallet contents after rekey operation from pluggable database:

$ mkstore -wrl . -list
Oracle Secret Store Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:           
   
Oracle Secret Store entries: 
ORACLE.SECURITY.DB.ENCRYPTION.AahtI+TGak8lv2sItl3/9vsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AX/6LjyVSU+Bv0HWal3oaDYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.DFF72E37E69844F4E0430100007F6F6C
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.AahtI+TGak8lv2sItl3/9vsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AX/6LjyVSU+Bv0HWal3oaDYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BSrBWdkVPE/wvzv5Me2Wk4UCAwAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.TS.ENCRYPTION.BZg3bagsiU+Zv9n6FAseqV4CAwAAAAAAAAAAAAAAAAAAAAAAAAAA

6. Now the encrypted tablespace can be created:

SQL> @enc_ts

Tablespace created.

SQL> l
  1  create tablespace data datafile
  2   '/u01/oradata/v1201/pdb1/data01.dbf' size 100m encryption using 'AES256'
  3* default storage(encrypt)
SQL>
SQL> connect system/manager1@pdb1
Connected.
SQL> select tablespace_name , encrypted from dba_tablespaces;

TABLESPACE_NAME                ENC
------------------------------ ---
SYSTEM                         NO
SYSAUX                         NO
TEMP                           NO
USERS                          NO
EXAMPLE                        NO
DATA                           YES

6 rows selected.

Filed Under: oracle, oracle 12c

Some more articles you might also be interested in …

  1. Log file locations for Enterprise Manager Cloud Control 13c (OMS)
  2. Warning: ORA-16829: fast-start failover configuration is lagging
  3. When to Use Startup/Shutdown Database and Alter Database Command in Oracle 12c
  4. How to Create or Remove Restore Point on Oracle Standby database
  5. Basics of client connectivity in Oracle Data Guard configuration
  6. ORA-19554: error allocating device, device type: SBT_TAPE, device name:
  7. How to Disable os-prober in CentOS/RHEL 7
  8. Oracle RMAN 11g New Feature – MultiSection Backups
  9. CentOS / RHEL : Installing and Configuring ASMLib
  10. DNS and DHCP Setup Example for Oracle Grid Infrastructure GNS

You May Also Like

Primary Sidebar

Recent Posts

  • qm Command Examples in Linux
  • qm wait Command Examples in Linux
  • qm start Command Examples in Linux
  • qm snapshot Command Examples in Linux

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright