How to Set Up the Oracle Wallet for Encryption Functions

Posted at Sunday, February 10, 2008
Oracle has a variety of encryption features, most of which leverage the Oracle Wallet. Here are the steps to set up the wallet on an 11g database (most apply to 10g as well):

Step 1: Configure Networking

Add the following entry to your $TNS_ADMIN/sqlnet.ora, changing the directory to a path relevant to your installation.

[/u03/app/oracle/product/db/11.1.0.6/network/admin nf@rac2]$ cd $TNS_ADMIN
[/u03/app/oracle/product/db/11.1.0.6/network/admin nf@rac2]$ more sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/u03/app/oracle/oradata/nf/wallet)))

Step 2: Create the wallet via your preferred method (I use Oracle Wallet Manager)

Launch the Oracle Wallet Manager:

[/u03/app/oracle/product/db/11.1.0.6/bin nf@rac2]$ export DISPLAY=192.168.1.104:0.0
[/u03/app/oracle/product/db/11.1.0.6/bin nf@rac2]$ ./owm

The screens for this step, in order:

Create a new wallet

Enter the password

Specify the location

Set as an Auto-login wallet and save

This should yield the following files:

[/u03/app/oracle/product/db/11.1.0.6/bin nf@rac2]$ ls -lart /u03/app/oracle/oradata/nf/wallet
total 24
drwxr-x--- 6 oracle dba 4096 Feb 11 00:56 ..
-rw------- 1 oracle dba 7312 Feb 11 00:56 ewallet.p12
drwx------ 2 oracle dba 4096 Feb 11 00:56 .
-rw------- 1 oracle dba 7340 Feb 11 00:56 cwallet.sso

Step 3: Create Master Key for TDE

SQL> alter system set encryption key identified by "password";
System altered.

Note that the Oracle Wallet Manager does not create this master key. The above is the appropriate method for doing so.

Step 4: Verify wallet is open

SQL> col wrl_parameter format a40
SQL> select * from v$encryption_wallet;

WRL_TYPE             WRL_PARAMETER                            STATUS
-------------------- ---------------------------------------- ---------
file                 /u03/app/oracle/oradata/nf/wallet        OPEN

You should see that the sizes of the auto-login and encryption wallets have changed (since the master key has been added):

[/u03/app/oracle/oradata/nf/wallet nf@rac2]$ ls -alrt /u03/app/oracle/oradata/nf/wallet
total 32
drwxr-x--- 6 oracle dba 4096 Feb 11 00:56 ..
drwx------ 2 oracle dba 4096 Feb 11 00:56 .
-rw------- 1 oracle dba 8453 Feb 11 01:24 ewallet.p12
-rw------- 1 oracle dba 8481 Feb 11 01:24 cwallet.sso

If the wallet is not open:

SQL> alter system set encryption wallet open identified by "password";
System altered.

At this point, you should be able to transparently encrypt tablespaces, columns, LOBs, etc.
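
To check the result of Steps 1 and 2 from the shell, the following added example (not from the original post) reads the wallet directory out of sqlnet.ora and flags wallet files that are accessible beyond the owner. The function names are made up for this example, and it assumes upper-case keywords and a wallet path without whitespace.

```shell
#!/bin/sh
# Added example: audit the TDE wallet directory named in sqlnet.ora.

# Print the DIRECTORY of ENCRYPTION_WALLET_LOCATION from the sqlnet.ora in $1.
# Assumes upper-case keywords (as in Step 1) and a path without whitespace.
wallet_dir_from_sqlnet() {
    { sed 's/#.*//' "$1" | tr -d ' \t\r\n'; echo; } | awk '{
        i = index($0, "ENCRYPTION_WALLET_LOCATION="); if (!i) exit
        s = substr($0, i)
        j = index(s, "(DIRECTORY="); if (!j) exit
        s = substr(s, j + 11)               # skip past "(DIRECTORY="
        print substr(s, 1, index(s, ")") - 1)
    }'
}

# Succeed when $1 grants no permission bits to group or other.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Audit wallet directory $1: one line per finding, status 1 if any FAIL.
audit_wallet() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "FAIL: wallet directory '$dir' not found"; return 1; }
    owner_only "$dir" || { echo "FAIL: $dir is accessible to group/other"; rc=1; }
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$dir/$f" ] || continue
        owner_only "$dir/$f" || { echo "FAIL: $f is accessible to group/other"; rc=1; }
    done
    [ -f "$dir/ewallet.p12" ] || { echo "FAIL: ewallet.p12 missing"; rc=1; }
    # cwallet.sso opens without the wallet password, so file permissions and
    # backup handling are what protect the master key once auto-login is set.
    if [ -f "$dir/cwallet.sso" ]; then
        echo "NOTE: auto-login wallet present; back it up separately from the data files"
    fi
    return $rc
}

# Run against the live configuration when TNS_ADMIN points at a sqlnet.ora.
if [ -r "${TNS_ADMIN:-}/sqlnet.ora" ]; then
    audit_wallet "$(wallet_dir_from_sqlnet "$TNS_ADMIN/sqlnet.ora")"
fi
```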

Frequently asked questions about TDE: 10g

11g Tablespace Encryption: Three easy steps
