2.357 TDE_CONFIGURATION

TDE_CONFIGURATION is used for per-PDB configuration for Transparent Data Encryption (TDE).

Before Oracle Database 18c, each PDB stored its own encryption keys in the CDB's keystore (united mode). Starting with Oracle Database 18c, in cloud environments, a PDB can optionally store its encryption keys in a separate keystore (isolated mode), which allows the PDB's keys to be protected by a separate keystore password. This functionality is not available for on-premises environments.

The WALLET_ROOT initialization parameter must be set in order for TDE_CONFIGURATION to take effect.

Property                Description

Parameter type          String

Syntax                  TDE_CONFIGURATION = "{ KEYSTORE_CONFIGURATION = value [; CONTAINER = pdb-name] }"

                        value ::=
                        {
                          FILE |
                          OKV |
                          HSM |
                          FILE|OKV |
                          FILE|HSM |
                          OKV|FILE |
                          HSM|FILE
                        }

                        Note: FILE|OKV, FILE|HSM, OKV|FILE, and HSM|FILE are values. The vertical bars they contain are not separators.

Default value           None

Modifiable              ALTER SYSTEM (see Footnote 1)

Modifiable in a PDB     Yes

Basic                   No

Oracle RAC              The same value must be specified on all instances using the ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=value" SCOPE=BOTH SID='*'; statement.

Footnote 1

In some cases when this parameter is set using ALTER SYSTEM SCOPE=SPFILE, the SHOW PARAMETER TDE_CONFIGURATION statement does not show the correct value. However, the value set for TDE_CONFIGURATION can be derived from information shown in the V$ENCRYPTION_WALLET view.

The following attributes can be specified:

  • KEYSTORE_CONFIGURATION attribute. This attribute is required. The value specified with this attribute configures the keystore type for the specified PDB. The following values can be specified for this attribute:

    • FILE: This value configures a wallet keystore.

    • OKV: This value configures an Oracle Key Vault (OKV) keystore.

      This value is also used to disable an auto-login OKV configuration and cause any existing cwallet.sso files, containing the credentials to the OKV server as the OKV_PASSWORD client secret, to be ignored.

    • HSM: This value configures a Hardware Security Module (HSM) keystore.

    • FILE|OKV: This value configures a reverse migration from an OKV to a wallet keystore.

    • FILE|HSM: This value configures a reverse migration from an HSM to a wallet keystore.

    • OKV|FILE: This value configures a migration from a wallet to an OKV keystore.

      This value is also used in an auto-login OKV configuration, because in this configuration a cwallet.sso file, containing the OKV_PASSWORD client secret, must be used by the Oracle server to obtain the credentials to log in to the OKV server.

    • HSM|FILE: This value configures a migration from a wallet to an HSM keystore.

      This value is also used in an auto-login HSM configuration, because in this configuration a cwallet.sso file, containing the HSM_PASSWORD client secret, must be used by the Oracle server to obtain the credentials to log in to the HSM server.

    Some of the KEYSTORE_CONFIGURATION attribute values consist of a single word, for example, the FILE, OKV, and HSM values. The other KEYSTORE_CONFIGURATION attribute values consist of two words separated by the "|" character, which is a required part of the value's syntax, for example, the FILE|OKV, FILE|HSM, OKV|FILE, and HSM|FILE values.

    In Oracle Database releases prior to Oracle Database 18.1, keystore types were configured in sqlnet.ora using the METHOD attribute of the SQLNET.ENCRYPTION_WALLET_LOCATION parameter.

  • CONTAINER attribute: This optional attribute can be used only when setting the parameter in the CDB$ROOT of a CDB. The CONTAINER attribute can be specified only when the CDB$ROOT is in MOUNTED state. With this attribute, you must specify the name of the PDB for which you are setting the parameter. When you specify the CONTAINER attribute, you must use a semicolon ";" as the separation character between the KEYSTORE_CONFIGURATION and CONTAINER attributes.

Examples

The following statement configures a wallet keystore for the open PDB from which the statement is issued:

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=BOTH SID='*';

The following statement configures an OKV keystore for the PDB in MOUNTED state from which the statement is issued:

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=OKV" SCOPE=SPFILE SID='*';

The following statement configures an HSM keystore for the ORCLPDB PDB. For this statement to succeed, the parameter must be set in the CDB$ROOT of a CDB when the CDB$ROOT is in MOUNTED state:

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM; CONTAINER=ORCLPDB" SCOPE=MEMORY SID='*';
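As an added example that is not part of the Oracle reference page: the full sequence for configuring a wallet (FILE) keystore for one PDB, including the WALLET_ROOT prerequisite named above and the V$ENCRYPTION_WALLET check that Footnote 1 recommends instead of SHOW PARAMETER. The wallet path and the PDB name ORCLPDB are placeholders.

```sql
-- Added example; the wallet path and the PDB name ORCLPDB are placeholders.

-- Step 1 (in CDB$ROOT): WALLET_ROOT must be set before TDE_CONFIGURATION
-- takes effect. WALLET_ROOT is a static parameter, so it is set with
-- SCOPE=SPFILE and the instance must be restarted for it to apply.
ALTER SYSTEM SET WALLET_ROOT = '/path/to/wallet_root' SCOPE = SPFILE SID = '*';
-- SHUTDOWN IMMEDIATE;
-- STARTUP;

-- Step 2 (in the open PDB, as in the first example above): set the
-- keystore type for this PDB only.
ALTER SESSION SET CONTAINER = ORCLPDB;
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH SID = '*';

-- Step 3: verify. Per Footnote 1, SHOW PARAMETER TDE_CONFIGURATION may not
-- show the correct value, so read the effective keystore configuration from
-- V$ENCRYPTION_WALLET. For a FILE keystore, WRL_TYPE is FILE and
-- WRL_PARAMETER shows the wallet location derived from WALLET_ROOT.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, keystore_mode
  FROM v$encryption_wallet;
```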
