This assumes that you’re in an environment with TDE already enabled (such as in Oracle Cloud at Customer).
When you clone a database you have to enter the encryption password. You may want to avoid this when you clone from scripts, as hardcoded values make them less general purpose.
SQL> create pluggable database tryout from mpdb;
create pluggable database tryout from mpdb
*
ERROR at line 1:
ORA-46697: Keystore password required.
As the oracle user, create a directory on all nodes of the cluster to hold your keystore. This directory should be available to all nodes in the cluster and should be under WALLET_ROOT.
Locate WALLET_ROOT on your system
SQL> show parameter wallet_root

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      /var/opt/oracle/dbaas_acfs/MEL
                                                 ECB/wallet_root
Create a directory called ‘tde_seps’ under WALLET_ROOT. This is a shared filesystem on EXACC, so no additional work is required to make it accessible to all instances.
mkdir /var/opt/oracle/dbaas_acfs/MELECB/wallet_root/tde_seps
Set the database to use the external keystore on all instances.
SQL> alter system set external_keystore_credential_location='/var/opt/oracle/dbaas_acfs/MELECB/wallet_root/tde_seps' scope=spfile sid='*';
Restart the database
$ srvctl stop database -d MELECB
$ srvctl start database -d MELECB
Once the DB has restarted, create the external wallet and give the password for your DB
SQL> Administer key management add secret 'ATPwelcome--1234' for client 'TDE_WALLET' to auto_login keystore '/var/opt/oracle/dbaas_acfs/MELECB/wallet_root/tde_seps' ;
Check the file has been created
SQL> !ls /var/opt/oracle/dbaas_acfs/MELECB/wallet_root/tde_seps
cwallet.sso
SQL> create pluggable database sepskey from MPDB
keystore identified by external store;
SQL> alter pluggable database sepskey open instances=all;
Pluggable database altered.
SQL> alter session set container=sepskey;
Session altered.
SQL> administer key management set key force keystore identified by external store with backup;
keystore altered.
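An added check, not part of the original post: the cwallet.sso created under tde_seps stores the keystore password, so this shell function reports whether the directory or the wallet file is accessible to group or other. The owner-only policy and the function names are assumptions; adjust them to your site's standard.

```shell
#!/bin/sh
# Added example: audit the SEPS wallet directory created in the steps above.
# Assumption (site policy, not from the post): only the owning OS user may
# access the directory and cwallet.sso, since that auto-login wallet stores
# the TDE keystore password.

# Print the group+other permission bits of a path, e.g. "------" or "r-xr-x".
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# check_seps_dir DIR
# Returns 0 if DIR and DIR/cwallet.sso exist and grant nothing to group or
# other; otherwise prints one finding per problem and returns 1.
check_seps_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "WEAK: $dir is accessible to group/other"
        rc=1
    fi
    if [ ! -f "$dir/cwallet.sso" ]; then
        echo "MISSING: $dir/cwallet.sso"
        rc=1
    elif [ "$(group_other_bits "$dir/cwallet.sso")" != "------" ]; then
        echo "WEAK: $dir/cwallet.sso is accessible to group/other"
        rc=1
    fi
    return $rc
}

# Run against a directory given on the command line, for example the
# tde_seps path used in the steps above.
if [ "$#" -gt 0 ]; then
    check_seps_dir "$1"
fi
```

Run it on each node after the add secret step; a WEAK finding means an OS account other than the owner can read the stored keystore password.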
See this blog post for more information: https://database-heartbeat.com/2020/12/31/enable-tde-auto-login-wallet-and-secure-external-password-store-seps/