How to encrypt the data (tablespace or column's table) using a software keystore previously known as Oracle Wallet

To create a standard Oracle wallet and then add a master key to it you have to follow few basic steps:
1) Configure the sqlnet.ora file to define a file system location for the Software Keystore
2) Create the Software Keystore 
3) Opening a Software Keystore 
4) Setting the TDE Master Encryption Key in the Software Keystore 
5) Encrypt the Data 

The first four steps are already described here. Now it's time to encrypt your data.

5) Encrypt the Data 
Once you have created an Oracle Wallet and set a TDE master key in it, you can proceed to encrypt your data. Let's start creating a new encrypted tablespace first and then a column's table. My current data files:

SQL> select file_name from dba_data_files;

FILE_NAME
--------------------------------------------------------------------------------
/app/oracle/oradata/CDB001/system01.dbf
/app/oracle/oradata/CDB001/sysaux01.dbf
/app/oracle/oradata/CDB001/undotbs01.dbf
/app/oracle/oradata/CDB001/users01.dbf

The statement to create an encrypted tablespace:

SQL> create tablespace ts_encrypted datafile '/app/oracle/oradata/CDB001/ts_encrypted01.dbf' size 10M encryption default storage(encrypt);

Tablespace created.

Information about the encrypted tablespace available in the database.

SQL> select a.name, b.TS#, b.ENCRYPTEDTS, b.ENCRYPTIONALG, b.CON_ID from V$TABLESPACE A, V$ENCRYPTED_TABLESPACES B                     
  2  where A.ts# = B.ts#;

NAME      TS# ENCRYPTEDTS ENCRYPTIONALG CON_ID
------------ --- ----------- ------------- ------
TS_ENCRYPTED 5   AES128      YES           1

How is it possible to test if the data is encrypted or not ? I'm going to create a table on the USERS (unencrypted) tablespace and another on the TS_ENCRYPTED tablespace. Because the Oracle Wallet is already open I can create on the encrypted tablespace the t1_encrypted table and insert some rows in it.

SQL> create table t1_not_encrypted (text varchar2(255)) tablespace USERS;

Table created.

SQL> create table t1_encrypted (text varchar2(255)) tablespace TS_ENCRYPTED;

Table created.

SQL> insert into t1_not_encrypted values ('my name is marcov');

1 row created.

SQL> insert into t1_encrypted values ('the secrets of marcov');

1 row created.

SQL> commit;

Commit complete.

Flush the buffer cache to be sure all data is written to the datafiles.

SQL> alter system flush buffer_cache;

System altered.

I'm able to grep and see the text on the USERS tablespace, but not that one on the TS_ENCRYPTED tablespace.

[oracle@localhost oracle]$ strings /app/oracle/oradata/CDB001/users01.dbf|grep "my name is"
my name is marcov
[oracle@localhost oracle]$ strings /app/oracle/oradata/CDB001/ts_encrypted01.dbf|grep "secrets"
[oracle@localhost oracle]$

Let's see what happens when the Oracle Wallet is closed. The following command closes an open Oracle Wallet.

SQL> administer key management set keystore close identified by "0racl30racle3";

keystore altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER                                            STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------- -------------------------------------------------------- ------ ----------- --------- --------- ------
FILE     /app/oracle/product/12.1.0/dbhome_1/admin/CDB001/wallet  CLOSED UNKNOWN     SINGLE    UNDEFINED 0

When the Oracle Wallet is closed you can query every tables but those based on an encrypted tablespace.

SQL> select * from t1_not_encrypted;

TEXT
-----------------
my name is marcov

SQL> select * from t1_encrypted;
select * from t1_encrypted
              *
ERROR at line 1:
ORA-28365: wallet is not open

You have to open again the Oracle Wallet to successfully execute the query

SQL> administer key management set keystore open identified by "0racl30racle3";

keystore altered.

SQL> select * from t1_encrypted;

TEXT
---------------------
the secrets of marcov

Let's see how a closed Oracle Wallet affects an encrypted column of a table. I'm going to create a new table with two columns: one is encrypted and the other is not encrypted.

SQL> create table c##marcov.t2_column_encrypted (text varchar2(255), text_encrypted varchar2(255) encrypt) tablespace USERS;

Table created.

SQL> insert into c##marcov.t2_column_encrypted values ('this column is not encrypted', 'the secrets of marcov');

1 row created.

SQL> commit;

Commit complete.

The Oracle Wallet is closed.

SQL> administer key management set keystore close identified by "0racl30racle3";

keystore altered.

When the Oracle Wallet is closed I can able to query the non-encrypted column.

SQL> select text from c##marcov.t2_column_encrypted;

TEXT
----------------------------
this column is not encrypted

But when I try to query the encrypted column it fails:

SQL> select * from c##marcov.t2_column_encrypted;
select * from c##marcov.t2_column_encrypted
                        *
ERROR at line 1:
ORA-28365: wallet is not open

I need first to open the Oracle Wallet

SQL> administer key management set keystore open identified by "0racl30racle3";

keystore altered.

Now I can query again the encrypted column of my table.

SQL> select * from c##marcov.t2_column_encrypted;

TEXT                         TEXT_ENCRYPTED
---------------------------- ---------------------   
this column is not encrypted the secrets of marcov

That's all.

How to configure Transparent Data Encryption using a software keystore, the right way to call the old Oracle Wallet

Oracle uses an operating system file to contains authentication and signing credentials: this file, named ewallet.p12, is the so called Oracle wallet (now called more appropriately software/hardware keystore)

The transparent data encryption (TDE) feature, used when you encrypt an entire tablespace, columns of a table, safely export data or complete your backup, is strongly based on the creation of the Oracle wallet to store the master key of the database.
There are two kind of Oracle wallets: that one which you must manually open each time you restart a database instance to reenable encryption and decryption and that one automatically opened when an encryption operation is required.

The first is protected by a password specified when you create it and before accessing the keys contained you are responsible of its opening. The second is protected by a system-generated password and you don't need to open it manually.
Once an Oracle Wallet is open, it remains open until you shutdown the database or manually close it. 

As already stated here when talking about granting the minimum privilege, the Oracle Database 12c introduced the syskm administrative privilege: with this type of privilege you can perform every kind of key management operation without using the powerful sysdba privilege.
It also unified some already known commands under a set of key management statements (ADMINISTER KEY MANAGEMENT) that you can see in today's scenario.

To create a standard Oracle wallet and then add a master key to it you have to follow few basic steps:
1) Configure the sqlnet.ora file to define a file system location for the Software Keystore
2) Create the Software Keystore 
3) Opening a Software Keystore 
4) Setting the TDE Master Encryption Key in the Software Keystore 
5) Encrypt the Data (have a look at the next post) 

1) Configure the sqlnet.ora file 
Oracle should know where to find the Oracle Wallet so you have to define a directory accessible by the Oracle Software.
In the multitenant solution the Oracle Wallet location is valid for the CDB and every PDBs at the same time. Edit your sqlnet.ora file and use the following syntax to let the database know where the software keystore is located on file system.
Be sure that the directory exists to avoid the error "ORA-46633: creation of a password-based keystore failed":

[oracle@vsi08devpom admin]$ pwd
/opt/app/oracle/product/12.1.0/db_1/network/admin
[oracle@vsi08devpom admin]$ echo "ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/app/oracle/product/12.1.0/dbhome_1/admin/CDB001/wallet)))" >> sqlnet.ora 

[oracle@vsi08devpom admin]$ cat sqlnet.ora 
# sqlnet.ora Network Configuration File: /app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/app/oracle/product/12.1.0/dbhome_1/admin/CDB001/wallet)))

2) Create the Oracle Wallet 
It's possible to create the Oracle Wallet using the owm gui utility (as you can read on this post) or from sqlplus with a new set of key management statements (ADMINISTER KEY MANAGEMENT).
The steps to create an Oracle Wallet must be executed from the sqlplus command line with a user who has been granted the new SYSKM administrative privilege:
when in a multitenant environment you have to log in to the root container.

SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

To avoid the error "ORA-46633: creation of a password-based keystore failed", the directory you are going to specify in the create keystore statement must be already present.

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/app/oracle/product/12.1.0/dbhome_1/admin/CDB001/missing_directory' IDENTIFIED BY "0racle0racle";
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/app/oracle/product/12.1.0/dbhome_1/admin/CDB001/missing_directory' IDENTIFIED BY "0racle0racle"
*
ERROR at line 1:
ORA-46633: creation of a password-based keystore failed

To create the keystore under the path specified in the sqlnet.ora file use the following statement:

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/app/oracle/product/12.1.0/dbhome_1/admin/CDB001/wallet' IDENTIFIED BY "0racle0racle";

keystore altered.

Querying the V$ENCRYPTION_WALLET view you can see the location, status and type of the wallet.

SQL> select * from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER                                            STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------- -------------------------------------------------------- ------ ----------- --------- --------- ------
FILE     /app/oracle/product/12.1.0/dbhome_1/admin/CDB001/wallet  CLOSED UNKNOWN     SINGLE    UNDEFINED 0

3) Opening a Software Keystore 
To setup, configure and use encrypted tablespace or column the Oracle Wallet needs to be open.
The v$encryption_wallet view says the status of the wallet is closed so you need to open it using the following statement:

SQL> administer key management set keystore open identified by "0racle0racle";

keystore altered.

The status is now OPEN_NO_MASTER_KEY. This means that the wallet is open, but still a master key needs to be created.

SQL> select * from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER                                            STATUS             WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------- -------------------------------------------------------- ------------------ ----------- --------- --------- ------
FILE     /app/oracle/product/12.1.0/dbhome_1/admin/CDB001/wallet  OPEN_NO_MASTER_KEY UNKNOWN     PASSWORD  UNDEFINED 0

4) Setting the TDE Master Encryption Key in the Software Keystore
You need to set a master key for the Oracle wallet used in the TDE activities on tables or tablespace.

SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'tde_mek' IDENTIFIED BY "0racle0racle" WITH BACKUP USING 'tde_mek_backup';

keystore altered.

If you need to change the password of your Oracle Wallet because of your company's security guidelines, you must use the WITH BACKUP option: in this way you are forced to take a backup of your "old" wallet.

SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "0racle0racle" set "0racl30racle3";
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "0racle0racle" set "0racl30racle3"
*
ERROR at line 1:
ORA-46631: keystore needs to be backed up

A change of the password doesn't prevent the normal use of every TDE operations: they continue to work as usual with the new password without interruptions. You need to provide the old password and the new password.

SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "0racle0racle" set "0racl30racle3" WITH BACKUP USING 'tde_mek_backup_001';

keystore altered.

To see now how to encrypt you data, read this post.

That's all.

Steps to create, open and close an Oracle Wallet using Oracle Wallet Manager

It's possible to create the Oracle Wallet using the owm gui utility or from sqlplus with a new set of key management statements (ADMINISTER KEY MANAGEMENT).

Let's see first in this post how to proceed using the owm gui utility.
Using the Oracle Wallet Manager it's possible to create standard wallets (PKCS #12, Public-Key Cryptography Standards) on file system or
wallets (PKCS #11) used in conjunction of hardware security modules (HSM), tokens or smart cards.

From the command line type:

[oracle@vsi08devpom ~]$ owm &

The following screenshot appears:



















To create a new wallet from the Wallet menu select New. If the Oracle software detects you don't have a default directory for the wallet it will ask you to create one: you can always choose a custom directory. The default path of the wallet directory is: $ORACLE_HOME/owm/wallets/user_name (/app/oracle/product/12.1.0/dbhome_1/owm/wallets/oracle in my case).
 

In the next dialog box you are prompted to set a password, having a minimum of eight characters, containing alphabetic characters and numbers or special characters.


As you can see on the following alert a new empty wallet has been created. If you need to add also a certificate request select Yes, otherwise to simply return to the Oracle Wallet Manager main window select No as I have done.


From the Oracle Wallet Manager main window you can see the new wallet in the left pane. It's time to save the wallet: from the Wallet menu select "Save In System Default"

If the wallet is successfully saved the following message is displayed at the bottom of the window:

Only when you save the new wallet you can find it under the specified directory.

[oracle@localhost oracle]$ pwd
/app/oracle/product/12.1.0/dbhome_1/owm/wallets/oracle
[oracle@localhost oracle]$ ls
cwallet.sso  cwallet.sso.lck  ewallet.p12  ewallet.p12.lck

If you want to close the wallet from the graphical user interface of the Oracle Wallet Manager, start again it and from Wallet menu of the main window select Close.

If you want to open again the wallet, from Wallet menu of the main window select Open and then enter the path of the wallet. When prompted enter the right password.

That's all.