TDE for Oracle Database

Download the Akeyless PKCS#11 file to your Oracle server:

curl -o libakeyless.so https://akeylessservices.s3.us-east-2.amazonaws.com/services/pkcs11/release/linux/amd64/latest/libakeyless.so

Then create the required folders and set their ownership:

mkdir -p /opt/oracle/extapi/64/hsm/akeyless/0.0.1/ && \
cp libakeyless.so /opt/oracle/extapi/64/hsm/akeyless/0.0.1/. && \
chown -R oracle:dba /opt/oracle && \
mkdir /logs && \
chown -R oracle:dba /logs

With privileged user permissions on your database server, create the following file (the parent directory must exist first):

mkdir -p /var/akeyless/conf && touch /var/akeyless/conf/pkcs11.conf

Edit the created pkcs11.conf file and set the following:

log_level="info"
log_path="/logs/pkcs11.log"
akeyless_url="https://<your-Akeyless-Gateway-URL>:8081"
default_aes_mechanism="CBC"
base_item_path="/pkcs11"
[auth]
access_type="access_key"
access_id="<Access Id>"
access_key="<Access Key>"

Where:

  • akeyless_url is your Akeyless Gateway URL on API port 8081.

  • base_item_path is the destination path under which all your TDE encryption keys are saved inside the Akeyless Platform. Ensure your Authentication Method has permission to create and manage items under that path.

  • The [auth] section holds the relevant Authentication Method type and its settings, using the same structure as the Akeyless CLI profile settings file.

  • default_aes_mechanism sets the mode of the AES encryption keys. Oracle supports only CBC.

Optional:

  • customer_fragment_id - The Customer Fragment ID to use for Zero-Knowledge Encryption.

  • split_level - Defines the requested split level. The default split level is 2.

  • A [syslog] section can be added to set the destination Syslog server settings:

    • network - Either TCP or UDP
    • url - Syslog server URL.

Set the relevant permissions on the pkcs11.conf file for your oracle user and group:

chown -R oracle:dba /var/akeyless/conf/pkcs11.conf
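Before starting the database, it helps to sanity-check the finished pkcs11.conf. The validator below is an added example, not part of the Akeyless documentation or product; it assumes the key="value" / [section] layout shown above and flags the requirements this page states (CBC only, Gateway API port 8081, a filled-in [auth] section, no leftover placeholders) plus a file mode that leaves the access key readable by other users.

```python
import os
import stat

# Top-level keys the page's template requires ([auth] keys are checked separately).
REQUIRED_TOP = ("log_level", "log_path", "akeyless_url",
                "default_aes_mechanism", "base_item_path")

# Constructed sample config (hypothetical values) in the page's template layout.
SAMPLE_CONF = """\
log_level="info"
log_path="/logs/pkcs11.log"
akeyless_url="https://gw.example.internal:8081"
default_aes_mechanism="CBC"
base_item_path="/pkcs11"
[auth]
access_type="access_key"
access_id="p-example-id"
access_key="EXAMPLE-ACCESS-KEY=="
"""

def parse_conf(text):
    """Minimal parser for the key="value" / [section] layout of pkcs11.conf."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            data.setdefault(section, {})
            continue
        key, _, value = line.partition("=")        # split on the first '=' only
        target = data[section] if section else data
        target[key.strip()] = value.strip().strip('"')
    return data

def validate_conf(text, mode):
    """Return a list of findings for the config text and its file mode bits."""
    findings, conf = [], parse_conf(text)
    findings += [f"missing {k}" for k in REQUIRED_TOP if k not in conf]
    if conf.get("default_aes_mechanism") != "CBC":
        findings.append("default_aes_mechanism must be CBC (the only mode Oracle supports)")
    url = conf.get("akeyless_url", "")
    if not url.startswith("https://") or not url.rstrip("/").endswith(":8081"):
        findings.append("akeyless_url should be https://<gateway>:8081")
    auth = conf.get("auth")
    if not isinstance(auth, dict) or "access_type" not in auth:
        findings.append("[auth] section with access_type is required")
    elif auth.get("access_type") == "access_key" and not (
            auth.get("access_id") and auth.get("access_key")):
        findings.append("access_key auth needs both access_id and access_key")
    # Values like "<Access Id>" mean the template was copied without being filled in.
    pairs = list(conf.items()) + (list(auth.items()) if isinstance(auth, dict) else [])
    for key, value in pairs:
        if isinstance(value, str) and value.startswith("<") and value.endswith(">"):
            findings.append(f"{key} still holds the template placeholder {value}")
    # The access key is stored in clear text, so 'other' must have no access at all.
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("pkcs11.conf is world-accessible; chmod 640 and keep oracle:dba")
    return findings

def validate_file(path):
    """Validate an on-disk pkcs11.conf using its real permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return validate_conf(text, stat.S_IMODE(os.stat(path).st_mode))
```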

Edit the sqlnet.ora file under $ORACLE_HOME/network/admin/sqlnet.ora where $ORACLE_HOME is your oracle user home directory.

For a Docker setup, the file is located at /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/sqlnet.ora

Add the following line to set your Oracle wallet:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

Note

Starting from Oracle version 18c/19c, before running the commands in the next section, first complete the following steps to set up the keystore:

  1. Create a directory, called wallet, in the $ORACLE_BASE/admin/db_unique_name directory.
  2. Log in to the database as a user with the SYSDBA administrative privilege.
  3. Set the WALLET_ROOT parameter:
     alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;
  4. Shut down and start up the database:
     shutdown immediate;
     startup;
  5. Set the TDE_CONFIGURATION parameter as follows:
     alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both;

Encrypting Tablespaces

Log in to your Oracle database and run the following commands to create a wallet and a master encryption key:

administer key management set keystore open identified by "akeyless";
administer key management set key identified by "akeyless";

Run the following commands to create an encrypted tablespace:

CREATE TABLESPACE encrypt_ts
  DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
  ENCRYPTION USING 'AES128'
  DEFAULT STORAGE (ENCRYPT);

Run the following commands to create an encrypted table:

CREATE TABLE my_table (
    person_id NUMBER GENERATED BY DEFAULT AS IDENTITY,
    first_name VARCHAR2(50) NOT NULL,
    last_name VARCHAR2(50) NOT NULL,
    PRIMARY KEY(person_id)
)  TABLESPACE encrypt_ts;

Note

To migrate a database with an existing file-based wallet, follow these steps:

  1. Set the TDE configuration:
     ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=both SID='*';
  2. Migrate the encryption key:
     ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "akeyless" MIGRATE USING "<old file based tde password>" WITH BACKUP;

Make sure to replace <old file based tde password> with the password of your existing file-based wallet.