Configuring Transparent Data Encryption (TDE) with Oracle Key Vault (OKV) as the keystore in Oracle 19c Database

This guide focuses on configuring Transparent Data Encryption (TDE) with Oracle Key Vault (OKV) as the keystore in Oracle 19c, eliminating local file wallets.

Prerequisites

1. Oracle Key Vault (OKV) is installed and accessible (default port 5696).
2. Oracle Database 19c (supports TDE_CONFIGURATION=OKV).
3. sysdba privileges and OKV administrator access.
4. WALLET_ROOT must be configured (required for TDE in 19c).

Step 1: Configure the Database for OKV Integration

1.1 Set WALLET_ROOT and TDE_CONFIGURATION

• Set WALLET_ROOT (static parameter, requires restart):

ALTER SYSTEM SET WALLET_ROOT='/u01/app/oracle/wallets' SCOPE=SPFILE;        

• Set TDE_CONFIGURATION :

ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=OKV' SCOPE=BOTH;        

• Restart the database:

SHUTDOWN IMMEDIATE;
STARTUP;        

Note: In Oracle 19c, TDE_CONFIGURATION replaces deprecated sqlnet.ora settings for wallet location.

Step 2: Enroll the Database in Oracle Key Vault

2.1 Install and Configure the OKV Client (okvutil)

• Download the okvutil package from the OKV web server (assuming your Oracle database server is already enrolled with OKV).

• Unzip the package and set up the environment:

unzip okvrestcli-<version>.zip -d /opt/oracle/okv
export OKV_HOME=/opt/oracle/okv
mkdir -p $OKV_HOME/conf        

• Create an okvclient.ora file in the $OKV_HOME/conf directory with the OKV server details:

OKV_REST_SERVER=https://<OKV_IP>:5696
OKV_WALLET_ROOT=$WALLET_ROOT/okv  # Align with WALLET_ROOT        

2.2 Enroll the Database as an OKV Endpoint

• Generate an Enrollment Token:Use the OKV client utility to create an endpoint and generate a token. (Ensure you use the correct okvutil command consistently.)

okvutil endpoint create --generate-token --unique-alias <DB_UNIQUE_NAME>        

• Use the token generated in the previous step to deploy the wallet:

okvutil deploy --token <generated_token>        

Step 3: Create the TDE Master Encryption Key in OKV

3.1 Generate the Master Key

Open the Keystore (if not already open):

• Before creating a key, make sure the keystore is open. If needed, manually open it with:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY '<OKV_WALLET_PASSWORD>';        

Generate the Master Key:

• Create the TDE master key in OKV. For CDB/PDB environments, append CONTAINER=ALL if you want the key available across all pluggable databases.

ADMINISTER KEY MANAGEMENT CREATE KEY USING TAG 'TDE_MASTER_KEY_19C' IDENTIFIED BY '<OKV_WALLET_PASSWORD>' [CONTAINER=ALL];        

• Note: Replace <OKV_WALLET_PASSWORD> with the password you set during OKV enrollment. Ensure the keystore is open before issuing this command.

3.2 Verify Key Creation

Check for the key in OKV via the console (navigate to Security Objects > Keys) and in the database:

SELECT KEY_ID, TAG, CREATION_TIME FROM V$ENCRYPTION_KEYS;        

Step 4: Encrypt Data Using TDE

4.1 Encrypt Tablespaces

• Create a new tablespace with encryption enabled:

CREATE TABLESPACE encrypted_ts
  DATAFILE '+DATA' SIZE 1000M 
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE(ENCRYPT);        

• Existing tablespace (online encryption):

ALTER TABLESPACE USERS ENCRYPTION ONLINE USING 'AES256' ENCRYPT;        

4.2 Validate Encryption

• Check the encryption status of tablespaces:

SELECT TABLESPACE_NAME, ENCRYPTED FROM DBA_TABLESPACES;        

• Confirm OKV integration by verifying the wallet status:

SELECT WRL_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
-- Expected output: WRL_TYPE should indicate "OKV" and STATUS should be "OPEN"        

Troubleshooting

Database cannot connect to OKV:

• Verify network connectivity (ensure port 5696 is open).
• Check that the okvclient.ora file is correctly configured and that file/directory permissions are correct.

Key creation fails:

• Confirm that the OKV wallet password is correct.
• Ensure the database has appropriate write access to the directory defined by $WALLET_ROOT/okv.

Wallet not open:

Open the keystore manually if necessary:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY '<OKV_WALLET_PASSWORD>';        

Oracle 19c-Specific Notes

• Deprecated Features: Avoid using the ENCRYPTION_WALLET_LOCATION setting in sqlnet.ora. Instead, rely on WALLET_ROOT and TDE_CONFIGURATION.
• Unified Mode (CDB/PDB): For environments with Container Databases and Pluggable Databases, include CONTAINER=ALL in your ADMINISTER KEY MANAGEMENT commands to manage keys across all PDBs.
• RAC Support: In Real Application Clusters, ensure that the TDE configuration (TDE_CONFIGURATION parameter) and OKV client configuration are synchronized across all nodes. Local file copies of configuration files (if used) must be consistent, though the master key itself is centrally managed by OKV.

References

• Oracle 19c TDE Configuration Guide.

By following these steps, your Oracle 19c database will use OKV for centralized TDE key management, enhancing security and compliance.

#Oracle #DB #Vault #OKV #TDE #OracleKeyVault #KeyVault