Finding the wallet entries used for TDE Encryption
In order to specify the correct encryption key(s) used for TDE tablespace encryption or TDE column encryption, you first need to find the relevant entry (or entries in the case of multiple keys) in the Oracle Wallet containing the encryption key(s). After you find the relevant entry or entries, copy the entry and its value (or entries and values if more than one) into the Names and Values fields respectively.
To enter multiple values, first copy each entry into a text editor such as Notepad, making sure to separate the values with a comma. Then, copy the string containing the values and commas from the text editor and paste it into the Values field. There is no need to do this for entries. You can paste the entries directly into the Entries field, remembering to separate each entry with a comma.
To find the Oracle Wallet entries:
- If the ENCRYPTION_WALLET_LOCATION parameter is defined in the sqlnet.ora file, use the wallet from the directory defined by this parameter.
- If the WALLET_LOCATION parameter is defined in the sqlnet.ora file, use the wallet from the directory defined by this parameter.
- In other cases, use the wallet in the default database location.
Information note: The name of the wallet should be ewallet.p12
- Use the “list” option in the Oracle mkstore utility to determine the ORACLE.SECURITY.DB/TS.ENCRYPTION.<SUFFIX> entry name(s), as follows:
mkstore -wrl <full wallet name> -list
- If you know which entry/entries is/are used to encrypt the Redo logs, select the entry name(s) and use the “viewEntry” option in the Oracle mkstore utility to determine the entry value, as follows:
mkstore -wrl <full wallet name> -viewEntry <entry name>
Information note: If you do not know which entry is used to encrypt the Redo logs, you can select multiple DB or TS entries and determine their values as described above (and then copy and paste the entry names and values into the Names and Values fields as described in Finding the wallet entries used for TDE Encryption). If the specified entries are not correct, the task will fail and the error message will contain the correct entry name.
Information note: If the DBA changes the entry while the task is running, the task will fail and the error message will contain the new entry name. Add the new entry (name and value) to the already specified entries and then resume the task.
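The lookup steps above can be scripted. The following is an added example, not part of the original page or the vendor's tooling: it resolves the wallet directory from sqlnet.ora using the precedence listed above and turns "list" output into the comma-separated string of entry names. The function names, sample paths and sample entry suffixes are assumptions constructed for illustration.

```shell
# Added example, not from the original page. All sample data is constructed.
# Reads sqlnet.ora on stdin and prints the wallet DIRECTORY, preferring
# ENCRYPTION_WALLET_LOCATION over WALLET_LOCATION. Returns 1 when neither is
# set, in which case the default database location applies.
wallet_dir_from_sqlnet() {
  awk '
    { sub(/#.*/, ""); text = text " " $0 }          # drop comments, join lines
    END {
      gsub(/[ \t]*=[ \t]*/, "=", text)              # normalise spacing around = ( )
      gsub(/[ \t]*\([ \t]*/, "(", text)
      gsub(/[ \t]*\)/, ")", text)
      up = toupper(text)                            # parameter names: any case
      n = split("ENCRYPTION_WALLET_LOCATION WALLET_LOCATION", name, " ")
      for (i = 1; i <= n; i++) {
        # "[) ]" keeps WALLET_LOCATION from matching inside the longer name
        if (!match(up, "[) ]" name[i] "=")) continue
        start = RSTART + RLENGTH; depth = 0
        for (j = start; j <= length(text); j++) {   # find the balancing ")"
          c = substr(text, j, 1)
          if (c == "(") depth++
          else if (c == ")" && --depth == 0) break
        }
        if (match(substr(up, start, j - start + 1), /\(DIRECTORY=[^)]*\)/)) {
          print substr(text, start + RSTART + 10, RLENGTH - 12)
          exit 0
        }
      }
      exit 1
    }'
}

# Reads `mkstore -wrl <full wallet name> -list` output on stdin and prints the
# DB/TS encryption entry names as one comma-separated string.
tde_entry_names() {
  awk '{ sub(/[ \t\r]+$/, "") }
       /^ORACLE\.SECURITY\.(DB|TS)\.ENCRYPTION\./ { printf "%s%s", sep, $0; sep = "," }
       END { if (sep != "") print "" }'
}

SAMPLE_SQLNET='wallet_location = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = /constructed/tls_wallet)))
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /constructed/tde_wallet)))'
SAMPLE_LIST='Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.CONSTRUCTEDSUFFIX1
ORACLE.SECURITY.KM.ENCRYPTION.CONSTRUCTEDSUFFIX2
ORACLE.SECURITY.TS.ENCRYPTION.CONSTRUCTEDSUFFIX3'
printf '%s\n' "$SAMPLE_SQLNET" | wallet_dir_from_sqlnet
printf '%s\n' "$SAMPLE_LIST" | tde_entry_names
```

The example handles entry names only. The values returned by "viewEntry" come from the wallet entries that contain the encryption keys, so they are best pasted straight into the Values field rather than written to script output or log files.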