There is one keystore per database.
From the Oracle Documentation:
"A software keystore is a container that stores the Transparent Data Encryption master encryption key."
By "container", Oracle means either
* a software keystore
* a hardware module security (HSM) keystore
* Oracle Key Vault keystore (separately licenced)
Personally I have only used software keystores, which is the equivalent of keeping the keystore as a file on a file system, or a file on an ASM disk group.
How is the keystore located by by the database?
"the database locates this keystore by checking the keystore location that you define in the sqlnet.ora file."
Example of sqlnet.ora from my own environment:
# WALLET_OVERRIDE is only applicable when using auto login, set to FALSE
SQLNET.WALLET_OVERRIDE = FALSE
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = FALSE
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/oracle/admin/proddb01/wallet)
)
)
SSL_CIPHER_SUITES = (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA)
Now that the keystore is defined, you can log into the database to create and open the keystore.
Finally, you set the TDE master encryption key.
After that, you can encrypt the data.
See my post Quick guide to set up Transparent Data Encryption for a tablespace for examples on how to set it up.
No comments:
Post a Comment