Using Fortanix Data Security Manager with Oracle TDE - Advanced

  • Updated on Mar 12, 2025
  • Published on Jun 21, 2024
  • 8 minute(s) read

1.0 Introduction

This article describes how to manage Oracle Transparent Data Encryption (TDE) integrations with  Fortanix-Data-Security-Manager (DSM) in the following cases:

  • Migrating key from TDE local wallet to Hardware Security Modules (HSM).

  • Reverse migrating TDE master key from HSM to local file wallet.

  • Oracle Data Guard.

  • Backup and recovery.

  • Pluggable database cloning.

2.0 Migrating TDE Master Key from Local Wallet to DSM

Before performing the steps for migrating the TDE master key, it is assumed that Oracle Database is using a local TDE wallet for accessing the master key.

Perform the following steps:

  1. Create a group and application in Fortanix DSM. Refer to User's Guide: Getting Started with Fortanix Data Security Manager - UI.

  2. Configure the Fortanix DSM PKCS#11 library and pkcs11.conf file. Refer to Section-5.0 in Fortanix Data Security Manager with Oracle TDE – Fortanix for detailed steps.

  3. If you are using an auto-login wallet, move or rename the auto-login wallet.

    cd <wallet_root_path>/tde
mv cwallet.sso cwallet.sso_backup

  4. Change the local wallet password to the same as the HSM wallet (DSM_APP_PASSWD).

    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "<software_wallet_passwd>" set "DSM_APP_PASSWD" with backup;

    For 11gR2 databases, run the following command:

    orapki wallet change_pwd -wallet wallet_location 
[-oldpwd password] [-newpwd password]

  5. Specify the wallet method as both FILE and HSM.

    • For Oracle database version 18c or prior, run the following command:

      ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=HSM) (METHOD_DATA= (DIRECTORY=<software wallet location>)))

    • For Oracle database version 19c, run the following command:

      ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE"

  6. Run the following command to open both HSM and local:

    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY 
"<DSM_APP_PASSWORD>"

    Run the following command and ensure both wallets are open:

    SQL> SELECT * FROM V$ENCRYPTION_WALLET;

  7. Run the following command to migrate the local TDE master key to Fortanix DSM:

    SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<DSM_APP_PASSWD>" MIGRATE USING "<DSM_APP_PASSWD>" WITH BACKUP USING 'LocalWallet1';

    NOTE

    If the database version is 11gR2, then run the following command:

    SQSQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<DSM_APP_PASSWD>" MIGRATE USING "<DSM_APP_PASSWD>";

    Where, DSM_APP_PASSWD is the Fortanix DSM app password, and it must be same as the Local wallet password.

  8. If you want to use auto-login, then create auto-login using the steps in Fortanix Data Security Manager with Oracle TDE – Fortanix.

3.0 Reverse Migrating TDE Master Key from DSM Wallet to Local

In case, you want to reverse-migrate the TDE master key from the HSM wallet to the local wallet, perform the following steps. Ensure that the Oracle TDE HSM wallet is already configured.

NOTE

Oracle Database 11gR2 does not support reverse migration. Reverse migration is allowed only while upgrading the database from 11gR2 to 12c or higher.

Perform the following steps:

  1. If you have an auto-login wallet configured, move or rename the auto-login wallet file.

  2. Open both the wallets manually with a password.
    The password of both file and HSM must be as same as DSM_APP_PASSWD.

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER=ALL;

    For 11gR2 databases, run the following command:

    SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<DSM_APP_PASSWORD>";

    Run the following command to check the current wallet status:

    SQL> SELECT * FROM V$ENCRYPTION_WALLET;

  3. Change the wallet method to FILE:

    • For Oracle database version 18c and prior, run the following command:

      ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE) (METHOD_DATA= (DIRECTORY=<software wallet location> )))

    • For Oracle database version 19c ownwords, run the following command:

      ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both;

  4. Run the following command to reverse migrate from HSM to local file wallet:

    SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<DSM_APP_PASSWD>" REVERSE MIGRATE USING "<DSM_APP_PASSWD>" WITH BACKUP USING 'NewWallet';

4.0 Managing Oracle TDE in a Data Guard Environment

If you are planning to do TDE integration in a Data Guard-enabled environment, perform the following steps to integrate a standby database with Fortanix DSM:

  1. Copy the autologin wallet (cwallet) and software wallet (ewallet) from primary to standby.

  2. Follow the Fortanix Data Security Manager with Oracle TDE – Fortanix guide to install the PKCS#11 library and copy pkcs11.conf from the primary database server to the standby server in /etc/fortanix/.

  3. Point the database wallet METHOD to both HSM and FILE.

  4. The auto-login wallet should automatically open the wallet from both FILE and HSM. Run the following command to view the HSM wallet status as “UNKNOWN_MASTER_KEY”:

    SQL> SELECT * FROM V$ENCRYPTION_WALLET;

5.0 Backup and Restore for a TDE Enable Database

By default, if the source database is encrypted with TDE, then the following backups are taken from the database:

  • Encrypted, in case of tablespace encryption.

  • Not encrypted, in case of column encryption.

To decrypt the backups, the target database needs access to the source database master key, as Fortanix does not allow the exporting of keys.

Perform the following steps to integrate the target database with Fortanix DSM:

  1. Copy the auto-login wallet from the source to the target database. If not, copy the source password wallet to the target database.

  2. Install the PKCS#11 library and copy the pkcs11.conf from the source system to the target server in /etc/fortanix/. Refer to Fortanix Data Security Manager with Oracle TDE – Fortanix for detailed steps.

  3. Point the database wallet METHOD to both HSM and FILE.

  4. The auto-login wallet should automatically open the wallet from both FILE and HSM. Run the following command to check the wallet status:

    SQL> SELECT * FROM V$ENCRYPTION_WALLET;

    In the case of export backups using expdp, the export dump files are not encrypted, even if the actual data was encrypted in the database using tablespace encryption. Run the following command:

    expdp hr DIRECTORY=dpump_dir1 
DUMPFILE=hr_enc.dmp
ENCRYPTION=all 
ENCRYPTION_ALGORITHM=AES256 
ENCRYPTION_MODE=TRANSPARENT

6.0 Cloning Pluggable Databases on an Encrypted Instance

You can clone pluggable databases that are encrypted with encryption keys stored in Fortanix DSM.

6.1 Prerequisites

  • Source and target databases must be integrated with Fortanix DSM in the same group.

  • Apps used by the databases in Fortanix DSM may be same or different, but they must point to the same group.

6.2 Steps at Source Database

  1. Create a hot clone of pluggable database (PDB) that has encrypted data and keys in Fortanix DSM.

    SQL> CREATE PLUGGABLE DATABASE PDB2_CLONE from PDB2 FILE_NAME_CONVERT = ('/u01/app/oracle/oradata/ORCLDB/pdb2','/u01/app/oracle/oradata/ORCLDB/pdb2_clone') KEYSTORE IDENTIFIED BY "file:///etc/fortanix/pkcs11.conf";
Pluggable database created.
-- Where PDB2 is an encrypted database with master key in DSM. 
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID
-------------------- ------------------------------ ----------------
HSM OPEN HSM SINGLE NONE UNDEFINED 1
HSM OPEN HSM SINGLE UNITED UNDEFINED 2
HSM CLOSED UNKNOWN SINGLE UNITED UNDEFINED 3
HSM OPEN HSM SINGLE UNITED UNDEFINED 4

  2. Verify the encrypted data at source.

    SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB2_CLONE MOUNTED
4 PDB2 READ WRITE NO
SQL> alter session set container=PDB2;
Session altered.
SQL> select * from dba_encrypted_columns;
OWNER TABLE_NAME COLUMN_NAME ENCRYPTION_ALG SAL INTEGRITY_AL
------------------------------ ------------------------------ ------------------------------ ----------------------------- --- ------------
DEMO_USER EMPLOYEE SALARY AES 192 bits key YES SHA-1
SQL> select * from DEMO_USER.EMPLOYEE
FIRST_NAME LAST_NAME EMPID SALARY
------------------------------ ------------------------------ 
JOHN SMITH 1 10000

  3. Unplug the cloned PDB.

    SQL> conn / as sysdba
Connected.
SQL> ALTER PLUGGABLE DATABASE PDB2_CLONE UNPLUG INTO '/u01/app/oracle/pdb2_clone.pdb';
Pluggable database altered.

6.3 Steps at Target Database

  1. Copy the .pdb file to the target server.

    NOTE

    You will be unable to plug this PDB into the target database if:

    • The database is not encrypted.

    • The database is encrypted and integrated with Fortanix DSM; however, it does not have access to the same group that has the keys used by the source PDB.

    • The Target Root Database (CDB) does not have a master key set.

  2. Create a pluggable database in the target CDB.

    SQL> create pluggable database PDB2 using '/u01/app/oracle/oradata/ORCLDB/pdb2_clone/pdb2_clone.pdb' COPY FILE_NAME_CONVERT=('/u01/app/oracle/oradata/ORCLDB/pdb2_clone','/u01/app/oracle/oradata/ORCLDB/pdb2') KEYSTORE IDENTIFIED BY "file:///etc/fortanix/pkcs11.conf";
Pluggable database created.
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB1 READ WRITE NO
5 PDB2 MOUNTED

  3. Open the newly loaded pluggable database and open the encryption wallet.

    SQL> alter session set container=PDB2;
Session altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID
-------------------- ------------------------------ ------------------------------ -------------------- --------- -------- --------- ----------
HSM CLOSED UNKNOWN SINGLE UNITED UNDEFINED 5
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "file:///etc/fortanix/pkcs11.conf";
keystore altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID
-------------------- ------------------------------ ------------------------------ -------------------- --------- -------- --------- ----------
HSM OPEN HSM SINGLE UNITED UNDEFINED 5

  4. Verify that the encrypted data at the source is accessible at the target.

    SQL> alter session set container=PDB2;
Session altered.
SQL> select table_name from dba_tables where table_name like '%EMPLOYEE%';
TABLE_NAME
--------------------------------------------------------------------------------------------------------------------------------
EMPLOYEE
SQL> select * from DEMO_USER.EMPLOYEE;
FIRST_NAME LAST_NAME
EMPID SALARY
-------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ---------- ----------
JOHN SMITH
1 10000
SQL> select * from dba_encrypted_columns;
OWNER TABLE_NAME COLUMN_NAME ENCRYPTION_ALG SAL INTEGRITY_AL
-------------------- ----------------------- -------------------- ----------------------------- --- ------------
DEMO_USER EMPLOYEE SALARY AES 192 bits key YES SHA-1
SQL> select * from dba_encrypted_columns;
OWNER TABLE_NAME COLUMN_NAME ENCRYPTION_ALG SAL INTEGRITY_AL
-------------------- ------------------------------ -------------------- ----------------------------- --- ------------
DEMO_USER EMPLOYEE SALARY AES 192 bits key YES SHA-1

7.0 Upgrading PKCS#11 Library

Upgrading to the latest version of the PKCS#11 library is recommended to take advantage of new features and enhanced security.

NOTE

Upgrading the PKCS#11 library will require a period of downtime.

Perform the following steps to upgrade the PKCS#11 library:

  1. Download the latest version of the library.

  2. Shut down the database.

  3. Backup the current PKCS#11 library to a different location, then delete the existing directory.
    Example: 

    cd /opt/oracle/extapi/64/hsm/fortanix/4.19.2244
rm libpkcs11.so
cd ..
rmdir 4.19.2244

  4. Create a new directory for the downloaded library version.
    Example: 

    sudo mkdir -p 
/opt/oracle/extapi/64/hsm/fortanix/4.27.2394

  5. Move the downloaded file to the directory created in Step 4, rename it to libpkcs11.so, and set the appropriate permissions.
    Example: 

    cp fortanix_pkcs11_4.27.2394.so
/opt/oracle/extapi/64/hsm/fortanix/4.27.2394/libpkcs11.so

sudo chown -R oracle:oinstall libpkcs11.so
sudo chmod -R 775 libpkcs11.so

  6. Restart the database and check access to DSM and heartbeat operations by reviewing the log entries in the pkcs11.log file in /etc/Fortanix.

NOTE

To roll back in case of issues, delete the new library, re-create the previous directory, restore the old library, and restart the database. For assistance, contact Fortanix support.

8.0 Related Articles

Refer to the following articles:

Related articles