7 Replies Latest reply on Jan 10, 2013 11:48 AM by M. Salih

    TDE question

      I logged in to Enterprise Manager with the sys user, and I went to the Transparent Data Encryption section, under the Security category. There I have created a wallet, specifying the host credentials and the wallet password (Encryption Wallet Password).

      Now, after creating and opening the wallet, I can see on the TDE page:
           Encryption wallet is open. Transparent Data Encryption is enabled.
           You may now proceed with encryption of table columns or tablespaces.
      Ok, so I know the wallet password (I just typed it), but what about the master encryption key?
      Can someone explain to me what key this is and how I should know that key? Or where is it specified? Of course, the wallet CONTAINS the master encryption key.
      One is the wallet password (which I know), and one is the master encryption key.

      Also, another question: I have that tablespace 'EXAMPLE' (containing the hr, oe, and other schemas). Why is the encryption option disabled for this tablespace?
      So, in Enterprise Manager I'm here: Database Instance: orcl > Tablespaces > , in edit mode of the EXAMPLE tablespace.
      Its status is Read Write, but in the 'Type' section, the Encryption (and Encryption option button) is disabled.


      Edited by: Roger22 on 24.11.2012 12:13

      Edited by: Roger22 on 24.11.2012 12:22
        • 1. Re: TDE question
          Zoran Pavlovic
          Hi Roger,

          First, have you specified encryption wallet location in sqlnet.ora?

          When you created the wallet, the master key was automatically created and stored inside the wallet. The wallet password is used to access that master key. You don't need to know the master key, as you are not going to use it directly. The master key is used by TDE to encrypt table keys and tablespace keys.

          Tablespaces can be encrypted only during creation!!! So you cannot encrypt an already created tablespace. You need to create a new tablespace (defined as encrypted), and then move the appropriate objects into that encrypted tablespace.

          You can read more here: http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
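          The procedure described in this reply (new encrypted tablespace, then move the objects), written out as an added example by the editor rather than code from the thread or from Oracle's own documentation. It assumes Oracle 11g syntax, SYS privileges, an open wallet, and a placeholder datafile path and tablespace name:

```sql
-- Added example (editor's, not from the thread): moving the HR.EMPLOYEES table
-- into a new encrypted tablespace, since an existing tablespace such as EXAMPLE
-- cannot be encrypted in place. Datafile path and tablespace name are
-- placeholders. Run as SYS with the wallet open.

-- 1. Create the tablespace with encryption declared at creation time.
CREATE TABLESPACE example_enc
  DATAFILE 'D:\ORACLE\APP\ORADATA\ORCL\EXAMPLE_ENC01.DBF' SIZE 200M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Confirm which tablespaces are encrypted (ENCRYPTED = 'YES').
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name IN ('EXAMPLE', 'EXAMPLE_ENC');

-- 3. Move the table. Its indexes become UNUSABLE and must be rebuilt.
ALTER TABLE hr.employees MOVE TABLESPACE example_enc;

-- 4. Rebuild every index of the table into the encrypted tablespace as well,
--    so that index blocks (which also hold column values) do not stay in clear.
BEGIN
  FOR i IN (SELECT owner, index_name
              FROM dba_indexes
             WHERE table_owner = 'HR' AND table_name = 'EMPLOYEES') LOOP
    EXECUTE IMMEDIATE 'ALTER INDEX "' || i.owner || '"."' || i.index_name ||
                      '" REBUILD TABLESPACE example_enc';
  END LOOP;
END;
/

-- 5. Verify that no segment of the table is left in the old tablespace.
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'HR'
   AND (segment_name = 'EMPLOYEES'
        OR segment_name IN (SELECT index_name FROM dba_indexes
                             WHERE table_owner = 'HR' AND table_name = 'EMPLOYEES'));
```

          One caveat worth checking after such a move: the old extents in EXAMPLE are only freed, not wiped, so the clear-text copy of the rows stays on disk in the old datafile until those blocks are reused. Once every object has been relocated, dropping the old tablespace and securely disposing of its datafile is what actually removes the clear-text copy.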

          • 2. Re: TDE question
            Thanks for reply.
            Ok, and in the 'Transparent Data Encryption' section, at Advanced Options, there is a re-key feature:

            Re-key Master Encryption Key
            The encryption module password is required to re-key the master encryption key. Re-keying should be fairly infrequent and only needs to be performed for scheduled key rotation or if the master keys have been compromised.

            So when should someone re-key the master encryption key, and under what circumstances can the keys be compromised if they are used internally, to encrypt the table keys, for example?

            EDIT: No, I have not specified the location of the wallet, as nobody or nothing asked me to do so. This is what I have in sqlnet.ora:
            # This file is actually generated by netca. But if customers choose to 
            # install "Software Only", this file wont exist and without the native 
            # authentication, they will not be able to connect to the database on NT.
            And in EM, I can see this:
            Encryption Security Module          WALLET
                 Wallet Location          D:\ORACLE\APP\ADMIN\ORCL\WALLET
                 Wallet Status          OPEN
            So do I need something in sqlnet.ora in this case? Is it mandatory to add in sqlnet.ora also:

            (SOURCE =
            (METHOD = FILE)
            (METHOD_DATA =
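            For reference, the complete form of the sqlnet.ora parameter the post above was asking about, as an added example by the editor (not text from the thread or from Oracle's documentation). The directory shown is the one EM reports in the post; on an installation that omits the parameter the database uses its default wallet location, so this stanza is only needed when the wallet is kept somewhere else:

```text
# Added example (editor's): explicit wallet location for TDE in sqlnet.ora.
# The directory must exist and be writable by the Oracle software owner;
# substitute your own path.
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = D:\ORACLE\APP\ADMIN\ORCL\WALLET)))
```

            After editing sqlnet.ora the new location is picked up by sessions that start afterwards; the value the instance is actually using can be read from the WRL_PARAMETER column of V$ENCRYPTION_WALLET.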

            • 3. Re: TDE question
              Re-keying is something that would be done if, for example, you believe that your wallet was compromised (for example, someone broke in to the server and could have copied the wallet).

              • 4. Re: TDE question
                So if my wallet is stolen, then the 'hacker' can access my encrypted data with this wallet, and now the security using TDE is 0, if I did not re-key the wallet.. that's what I understand :)
                • 5. Re: TDE question
                  Zoran Pavlovic
                  It is not so simple. A hacker will need to have your encrypted data, your encrypted keys and the wallet password. That's why Oracle uses a two-tier key architecture. But if you ever suspect that your wallet is compromised, you should do a rekey. Also some security standards (like PCI DSS) require a periodic rekey. Then you should rekey only the master key and that's it.

                  EDIT: if you haven't specified the wallet location in sqlnet.ora, then Oracle uses the default one. So you don't need to enter anything.


                  Edited by: Zoran Pavlovic on Nov 26, 2012 11:13 AM
                  1 person found this helpful
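                  The rekey this reply recommends, and the wallet checks that go with it, as an added example by the editor (not code from the thread or from Oracle's documentation). It assumes Oracle 11g syntax, SYS privileges and a placeholder wallet password:

```sql
-- Added example (editor's, not from the thread): inspecting the wallet and
-- rotating the master encryption key in Oracle 11g syntax. The password is a
-- placeholder; run as SYS.

-- 1. Where is the wallet, and is it open? WRL_PARAMETER is the directory in
--    use (explicit from sqlnet.ora or the default), STATUS is OPEN or CLOSED.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. After an instance restart the wallet is CLOSED again and encrypted data
--    is unreadable until it is reopened with the wallet password.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassword1";

-- 3. Re-key: a new master key is generated in the wallet and the column
--    (table) keys are re-encrypted under it. The encrypted data itself is not
--    rewritten, because the master key only wraps the keys that encrypt data.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassword1";

-- 4. Confirm the wallet is still OPEN after the operation.
SELECT status
  FROM v$encryption_wallet;
```

                  Two practical points. First, the wallet file (ewallet.p12 in the directory above) must be backed up separately from the database, both before and after a rekey: the previous master keys stay in the wallet because old backups and archived redo still depend on them, and a lost wallet means the encrypted data cannot be recovered from any backup. Second, in 11g this statement rotates the master key that protects column keys; whether the tablespace master key is rotated as well differs by release, so check the documentation for the version in use before relying on a rekey to cover tablespace encryption.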
                  • 6. Re: TDE question
                    M. Salih
                    Hello guys,
                    I am new to this TDE stuff and I have read the whole document that Oracle released. I have a question about key generation. We are planning to use an HSM device instead of a wallet. So, instead of the master key we would like to use smart cards. Is that possible? And is there any document about how to do it?

                    Thanks in advance.


                    Edited by: user13074370 on 07.Oca.2013 01:12
                    • 7. Re: TDE question
                      M. Salih
                      Yet another question... is it possible to store the tablespace key in an HSM?