How to Encrypt OracleTablespace
Set the Tablespace Master Encryption Key before you can encrypt or decrypt the tablespaces, you must generate or set a master encryption key.
The tablespace master encryption key is stored in an external security module and is used to encrypt the TDE tablespace encryption keys. Check to ensure that the ENCRYPTION_WALLET_LOCATION (or WALLET_LOCATION) parameter in the sqlnet.ora file points to the correct software wallet location.
ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/app/wallet)))
Unified Master Encryption Key or the master encryption key for transparent tablespace encryption and transparent column encryption are now combined to one unified master encryption key. Combining these keys enables transparent re-key operations for both of these transparent data encryption features, regardless of whether the master encryption key is stored in the Oracle Wallet or in one of the certified Hardware Security Modules offered by RSA, SafeNet, Thales (including nCipher), and Utimaco.
Create the directory for the wallet:
[oracle@collabn1 ~]$ mkdir -p /u01/app/oracle/admin/wallet
Add the wallet details in the sqlnet.ora file:
[oracle@collabn1 ~]$ vi $TNS_ADMIN/sqlnet.ora
ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/u01/app/oracle/admin/wallet)))
Verify the sqlnet.ora
[oracle@collabn1 ~]$ cat /u01/app/oracle/product/11.2.0.2/SHAIKPROD/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/u01/app/oracle/admin/wallet)))
Create the master encryption key & wallet:
NAME OPEN_MODE
--------- --------------------
ORCL READ WRITE
When you create the master encryption key using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" command, TDE checks to see if a wallet exists in the default or specified location. If no wallet exists, then a wallet is created automatically.
SQL> alter system set encryption key identified by "secretpass";
System altered.
Verify the wallet file is created:
SQL> !ls /u01/app/oracle/admin/wallet
ewallet.p12
Create the tablespace with the encryption:
Here: algorithm can have one of the following values:
■ 3DES168
■ AES128
■ AES192
■ AES256
SQL> create tablespace securetbs datafile '+DATA2' size 10m autoextend on next 1m
encryption using 'AES256'
default storage(encrypt);
Tablespace created.
Verify whether the tablespace encryption is enabled or not:
SQL> select tablespace_name,status,encrypted from dba_tablespaces;
TABLESPACE_NAME STATUS ENC
------------------------------ --------- ---
SYSTEM ONLINE NO
SYSAUX ONLINE NO
UNDOTBS1 ONLINE NO
TEMP ONLINE NO
USERS ONLINE NO
EXAMPLE ONLINE NO
HR_TEST ONLINE NO
TT_TEMP_SALES ONLINE NO
SECURETBS ONLINE YES
9 rows selected.
How to open/close the wallet:
SQL> alter system set encryption wallet close identified by "secretpass";
System altered.
SQL> alter system set encryption wallet open identified by "secretpass";
System altered.
Enable oracle Wallet auto_login:
You can create an auto login wallet with Oracle Wallet Manager or the orapki command-line utility. The auto login wallet allows convenient access to encrypted data across database instance restarts.
[oracle@collabn1 ~]$ which orapki
/u01/app/oracle/product/11.2.0.2/SHAIKPROD/bin/orapki
[oracle@collabn1 ~]$ orapki wallet create -wallet /u01/app/oracle/admin/wallet/ewallet.p12 -auto_login
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
[oracle@collabn1 ~]$ ls -lrt /u01/app/oracle/admin/wallet/
total 8
-rw-r--r-- 1 oracle dba 1573 Aug 14 02:21 ewallet.p12
-rw------- 1 oracle oinstall 1651 Aug 14 03:01 cwallet.sso
After the auto_login you don’t have to worry about opening and closing the wallet manually.
Took sometime to figure out What is HSM ?= (Hardware Security Module)
source: http://docs.oracle.com/cd/E11882_01/network.112/e40393/toc.htm