TDE Master key rotation
I would like to ask about the best practice for rotating the master key for at-rest encryption of Oracle tablespaces.
We have a keystore wallet stored in Oracle ASM. We have encrypted a number of tablespaces. When a new key is generated, is it necessary to run the command to tell Oracle to use the new key?
administer key management use key 'AWmqc/+MQk/Nv3dSBLsi4CYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' IDENTIFIED BY <password> WITH BACKUP;
Also, what is the best practice for the old master key, which remains in the wallet? I understand that there is not a way to delete it and, if there were, should we?