Clarification required on rotating master key encryption for Autologin keystore.
We are planning to rotate the master key and I was referring to the document "https://docs.oracle.com/en/database/oracle/oracle-database/12.2/asoag/managing-keystore-and-tde-master-encryption-key.html#GUID-B788CBF7-DB54-48D4-AB32-7AA06289153B"
Under section "4.2.5.3 About Rotating the TDE Master Encryption Key" it says you cannot change the TDE master encryption key or rotate a TDE master encryption key for an auto-login keystore
You cannot change the TDE master encryption key or rotate a TDE master encryption key for an auto-login keystore. Because auto-login keystores do not have a password, an administrator or a privileged user can change the keys without the knowledge of the security officer. However, if both the auto-login and the password-based keystores are present in the configured location (as set in the sqlnet.ora file), then when you rotate the TDE master encryption key, a TDE master encryption key is added to both the auto-login and password-based keystores. If the auto-login keystore is in use in a location that is