Enabling TDE in New PDB database.
----------------------------------------------
1. Check if the keystore is already open in the PDB.
a) set lines 200
col DATABASE_HOST for a30;
col HOST_NAME for a15;
col DATABASE_ROLE for a10
col OPEN_MODE for a10
col STARTUP_TIME for a20
SELECT i.HOST_NAME "DATABASE_HOST" ,i.INSTANCE_NAME "DB_NAME", .DATABASE_ROLE " DATABASE_ROLE", d.OPEN_MODE " OPEN_MODE ", STARTUP_TIME from GV$DATABASE d, gv$instance i where i.INST_ID=d.INST_ID;
DATABASE_HOST DB_NAME DATABASE_ROLE OPEN_MODE STARTUP_TIME
-------------------------- ---------------- ------------------------ ------------ ----- ---------------------
vm19rac1.localdomain wallcdb1 PRIMARY READ WRITE 10-FEB-21
vm19rac2.localdomain wallcdb2 PRIMARY READ WRITE 10-FEB-21
b) Connect to PDB and check the keystore status
SQL> alter session set container=EVAAPDB;
Session altered.
SQL> show con_name;
CON_NAME
------------------------------
EVAAPDB
set lines 200
col wrl_parameter for a25
col wrl_type for a19
select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID
------------------- ------------------------- --------------------------------- -------------------- --------- -------- ------ASM OPEN_NO_MASTER_KEY AUTOLOGIN SINGLE UNITED UNDEFINED 4
2. If its not open, you can Open the keystore in that PDB
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY Welcome1;
3. Now generate master encryption key for the PDB
SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE IDENTIFIED BY Welcome1 WITH BACKUP;
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY Welcome1 WITH BACKUP;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY Welcome1 WITH BACKUP
*
ERROR at line 1:
ORA-28417: password-based keystore is not open
So use FORCE KEYSTORE
SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY Welcome1 WITH BACKUP;
keystore altered.
Check the status again.
set lines 200
col wrl_parameter for a25
col wrl_type for a19
select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID
-------- ------------------------- ------------------------------ -------------------- --------- -------- --------- ----------
ASM OPEN AUTOLOGIN SINGLE UNITED NO 4
4. Now Create a Encrypted tablespace
SQL> CREATE TABLESPACE ENCRYPTED_TS_ENCRYPTED DATAFILE '+DATA' SIZE 100M AUTOEXTEND ON maxsize 1G ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT);
Tablespace created.
SQL> select tablespace_name, encrypted from dba_tablespaces;
TABLESPACE_NAME ENCRYPTED
------------------------------ ------------------
SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
UNDOTBS2 NO
ENCRYPTED_TS NO
ENCRYPTED_TS_ENCRYPTED YES
8 rows selected.
5. Check and change the parameter, encrypt_new_tablespaces to ALWAYS.
SQL> show parameter encrypt;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces string CLOUD_ONLY
SQL> alter system set encrypt_new_tablespaces=always scope=both sid='*';
System altered.
SQL> show parameter encrypt;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces string ALWAYS
6. Check the tablesapces and ENCRYPT ONLINE
6a) Check the current encrypted tablespaces as below
SQL> select tablespace_name, encrypted from dba_tablespaces;
TABLESPACE_NAME ENCRYPTED
------------------------------ ------------------
SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
UNDOTBS2 NO
ENCRYPTED_TS NO
ENCRYPTED_TS_ENCRYPTED YES
6b) Encrypt the tablespace ONLINE as below.
SQL > alter tablespace ENCRYPTED_TS ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
Tablespace altered.
6c) Check the current encrypted tablespaces again as below
SQL> select tablespace_name, encrypted from dba_tablespaces;
TABLESPACE_NAME ENCRYPTED
------------------------------ ------------------
SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
UNDOTBS2 NO
ENCRYPTED_TS YES
ENCRYPTED_TS_ENCRYPTED YES
8 rows selected.
No comments:
Post a Comment