Creating a Secure External Password Store (SEPS)

This assumes that you’re in an environment with TDE already enabled (such as in Oracle Cloud at Customer).

When you clone a database you have to enter the encryption (keystore) password. If you execute the clone from scripts you may want to avoid this, as hardcoded values make the scripts less general purpose.

SQL> create pluggable database tryout from mpdb;
create pluggable database tryout from mpdb
*
ERROR at line 1:
ORA-46697: Keystore password required.

Create a directory, as the oracle user, to hold your keystore. This directory should be available to all nodes in the cluster and should be under WALLET_ROOT.

Locate WALLET_ROOT on your system

SQL> show parameter wallet_root

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      /var/opt/oracle/dbaas_acfs/MEL
                                                 ECB/wallet_root

Create a directory called 'tde_seps' under WALLET_ROOT. On EXACC this is a shared filesystem, so no additional work is required to make it accessible to all instances.

$ mkdir /var/opt/oracle/dbaas_acfs/MELECB/wallet_root/tde_seps

Set the external keystore credential location on all instances.

SQL> alter system set external_keystore_credential_location='/var/opt/oracle/dbaas_acfs/MELECB/wallet_root/tde_seps' scope=spfile sid='*';

Restart the database

$ srvctl stop database -d MELECB
$ srvctl start database -d MELECB

Once the DB has restarted, create the auto-login external wallet and add the keystore password for your DB.

SQL> Administer key management add secret 'ATPwelcome--1234' for client 'TDE_WALLET' to auto_login keystore '/var/opt/oracle/dbaas_acfs/MELECB/wallet_root/tde_seps' ;

Check that the wallet file has been created.

SQL> !ls /var/opt/oracle/dbaas_acfs/MELECB/wallet_root/tde_seps
cwallet.sso

Now clone the database, telling it to take the keystore password from the external store instead of prompting for it.

SQL> create pluggable database sepskey from MPDB
  2  keystore identified by external store;

SQL> alter pluggable database sepskey open instances=all;

Pluggable database altered.

SQL> alter session set container=sepskey;

Session altered.

SQL> administer key management set key force keystore identified by external store with backup;

keystore altered.
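Before a clone script relies on "identified by external store", it is worth checking that the SEPS directory is actually set up the way the steps above describe. The following pre-flight check is an added example, not part of the original post; it assumes the directory must sit under WALLET_ROOT, contain cwallet.sso, be owned by the database OS user (the "oracle" argument), and that the wallet should be readable by its owner only, since it carries the keystore secret that auto-login uses.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a SEPS directory
# before relying on it from clone scripts.
# Usage: check_seps <wallet_root> <seps_dir> <expected_owner>
# Returns 0 when every check passes, 1 otherwise, printing the first failure.
check_seps() {
    wallet_root=$1
    seps_dir=$2
    owner=$3

    # The SEPS location must live under WALLET_ROOT.
    case "$seps_dir" in
        "$wallet_root"/*) ;;
        *) echo "FAIL: $seps_dir is not under WALLET_ROOT $wallet_root"; return 1 ;;
    esac

    [ -d "$seps_dir" ] || { echo "FAIL: directory $seps_dir missing"; return 1; }

    wallet="$seps_dir/cwallet.sso"
    [ -f "$wallet" ] || { echo "FAIL: $wallet missing (run ADMINISTER KEY MANAGEMENT ADD SECRET first)"; return 1; }

    # Parse "ls -ld" rather than stat, whose flags differ between GNU and BSD.
    # Fields: mode links owner group size date... name
    set -- $(ls -ld "$wallet")
    mode=$1
    file_owner=$3

    [ "$file_owner" = "$owner" ] || { echo "FAIL: $wallet owned by $file_owner, expected $owner"; return 1; }

    # Mode string is type + user rwx + group rwx + other rwx (plus an optional
    # ACL/SELinux marker); group and other must be "------".
    case "$mode" in
        ????------*) ;;
        *) echo "FAIL: $wallet mode $mode is readable beyond its owner"; return 1 ;;
    esac

    echo "OK: $wallet present, owned by $owner, owner-only access"
    return 0
}
```

Run it as `check_seps "$WALLET_ROOT" "$WALLET_ROOT/tde_seps" oracle` on each node that will execute the clone.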

See this blog post for more information: https://database-heartbeat.com/2020/12/31/enable-tde-auto-login-wallet-and-secure-external-password-store-seps/