TDE encryption setup for migrating on-premise backup to Oracle cloud using RMAN

TDE encryption setup for migrating on-premise backup to Oracle cloud using RMAN

This note describe how we can configure TDE encryption for RMAN backup in on-premise database to migrate to Oracle cloud.

1.First I need to update sqlnet.ora with proper location where my wallet will reside to enable TDE encryption.

# sqlnet.ora Network Configuration File: /u01/app/oracle/product/12.2.0/dbhome_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

NAMES.DIRECTORY_PATH= (TNSNAMES, ONAMES, HOSTNAME)
 ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
 (METHOD=FILE)
 (METHOD_DATA=
 (DIRECTORY=/var/opt/oracle/hdg/tde_wallet)
 )
 )

SQLNET.ENCRYPTION_SERVER = requested

SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_256, AES256)

SQLNET.ENCRYPTION_CLIENT = requested

SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_256, AES256)

2.Now I need to create the directory and restart the listener.

mkdir -p /var/opt/oracle/hdg/tde_wallet

3.Connect to the root container and create the keystore. Please restart database if you find nothing in v$encryption_wallet.

SQL> administer key management create keystore '/var/opt/oracle/hdg/tde_wallet' identified by manager123;

keystore altered.

SQL> administer key management set keystore open identified by manager123;

keystore altered.

SQL> administer key management set key identified by manager123 with backup using 'TDE';

keystore altered.

If you want to enable autologin,you can do below

SQL> administer KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM keystore '/u01/app/oracle/tde_wallet' identified by manager123;

keystore altered.

For special case,where you deleted the old keystore , you need to do following step

QL> administer key management create keystore '/u01/app/oracle/local/wallet_orcl' identified by manager123;

keystore altered.

SQL> select CON_ID,KEY_ID,KEYSTORE_TYPE,CREATOR_DBNAME,CREATOR_PDBNAME from v$encryption_keys;

no rows selected

SQL> ALTER SYSTEM SET "_db_discard_lost_masterkey"=TRUE SCOPE=MEMORY;

System altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY manager123;

keystore altered.

4.If you have PDB,you need to connect to PDB and check whether auto login is enabled from PDB

SQL>alter session set container=PDB1;

SQL> select * from v$encryption_wallet;

FILE
OPEN_NO_MASTER_KEY AUTOLOGIN SINGLE UNDEFINED
4

You can see OPEN_NO_MASTER_KEY which will create problem during backup after setting encryption.

SQL> alter tablespace system ENCRYPTION online using 'AES256' encrypt FILE_NAME_CONVERT = ('system01.dbf', 'system01_encrypt.dbf');
 alter tablespace system ENCRYPTION online using 'AES256' encrypt FILE_NAME_CONVERT = ('system01.dbf', 'system01_encrypt.dbf')
 *
 ERROR at line 1:
 ORA-28374: typed master key not found in wallet

Now please follow below step to resolve .This step is valid for 12.2:-

SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY manager123 with backup;

keystore altered.

SQL> select * from v$encryption_wallet;

FILE 
OPEN AUTOLOGIN SINGLE NO
 4

5.Convert non-encrypted tablespace to encrypted online in 12.2 to support TDE encryption.

SQL> alter tablespace system ENCRYPTION online using 'AES256' encrypt FILE_NAME_CONVERT = ('system01.dbf', 'system01_encrypt.dbf');

Tablespace altered.