Transparent Data Encryption Using Oracle Wallet

Transparent Data Encryption (TDE), provided by Oracle Database, lets us encrypt data stored in tables. The database decrypts that data for applications and users who have access to it. Below, we see how to configure the database to implement TDE.

Directory to Store Oracle Wallet File

Oracle Wallet files are stored by default under one of two locations. If ORACLE_BASE is not set, then ORACLE_HOME will be preferred.

where db_unique_name is the database unique name identified by the db_unique_name parameter.

Create Wallet

To create the wallet, use the mkstore command and provide the location where the wallet file will be stored. Here, it is the wallet directory under ORACLE_BASE. Be ready to provide the password when prompted. This password will be used to encrypt the data, so make sure that you remember it.

$ORACLE_HOME/bin/mkstore \
  -wrl $ORACLE_BASE/admin/<db_unique_name>/wallet \
  -create
  <Password prompt appears here>

Edit sqlnet.ora for Wallet Configuration

vi $ORACLE_HOME/network/admin/sqlnet.ora

ENCRYPTION_WALLET_LOCATION =
   (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/<db_unique_name>/wallet))
   )
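
One way to verify the two steps above, as an added example that is not part of the original page: a shell script that reads the wallet directory from sqlnet.ora and checks that the directory and ewallet.p12 are accessible only to their owner. The script name check_wallet.sh and the function names are hypothetical; it assumes upper-case parameter names and a path without spaces.

```shell
#!/bin/sh
# Added example (not from the original page): check the TDE wallet
# directory that sqlnet.ora points to. Assumes upper-case parameter
# names, the FILE method shown above, and a path without spaces.

# Print the DIRECTORY of ENCRYPTION_WALLET_LOCATION; return 1 if absent.
wallet_dir_from_sqlnet() {
    # Drop comment lines and all whitespace so a multi-line entry
    # collapses into one string that a single sed pattern can match.
    dir=$(grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\r\n' | sed -n \
        's/.*ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\([^)]*\)).*/\1/p')
    [ -n "$dir" ] || return 1
    # Substitute the current value for a literal $ORACLE_BASE reference.
    printf '%s\n' "$dir" | sed 's|[$]ORACLE_BASE|'"${ORACLE_BASE:-}"'|'
}

# Print findings for the wallet directory; return 0 only if none are fatal.
check_wallet_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "MISSING: $dir is not a directory"; return 1; }
    # ewallet.p12 is the password-protected wallet file.
    for f in "$dir" "$dir/ewallet.p12"; do
        [ -e "$f" ] || { echo "MISSING: $f"; rc=1; continue; }
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        [ "$bits" = "------" ] ||
            { echo "LOOSE: $f is accessible to group/other ($bits)"; rc=1; }
    done
    # cwallet.sso is an auto-login wallet, which opens without the password.
    [ ! -e "$dir/cwallet.sso" ] || echo "NOTE: auto-login wallet in $dir"
    return $rc
}

# Usage: sh check_wallet.sh "$ORACLE_HOME/network/admin/sqlnet.ora"
if [ $# -ge 1 ]; then
    d=$(wallet_dir_from_sqlnet "$1") || { echo "no wallet location in $1"; exit 1; }
    check_wallet_dir "$d"
fi
```

A LOOSE finding is cleared with chmod 700 on the directory and chmod 600 on ewallet.p12.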

Generate Master Key

Connect to the database and use the ALTER SYSTEM SET ENCRYPTION KEY statement to set the master key for the Oracle Wallet, as below.

. oraenv
<oracle_sid>

sqlplus / as sysdba

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<password>";

How to open the wallet

SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "<password>";

How to close the wallet

SQL> ALTER SYSTEM SET WALLET CLOSE IDENTIFIED BY "<password>";