Hey everyone,
Hope you’re doing good.
In the last two years I worked for a client where we activated TDE (Transparent Data Encryption), encrypting the datafiles of the tablespaces used by the application.
To use TDE, the requirement is to have a wallet (a physical file), where the encryption key is stored.
The wallet must be opened before the encrypted datafiles can be accessed. Otherwise the datafiles remain closed.
As we are talking about encryption, the wallet must be protected by a password. To enable TDE, it is possible to configure the wallet using one of two options:
  • Auto-login: a single sign-on file is created, so you don’t need to type your password when the wallet is opened. This makes managing the environment easier.
  • Password: it’s not possible to use auto-login with this option, so every time the wallet is closed (during a DB shutdown) you need to type the password to open it again. Managing the environment is a little bit more “complex”, because you need to type the password every time. However, this makes the environment a little safer, because without the auto-login file the wallet will not be opened automatically.
You need to think well about the option you would like to use.
For this specific client, they use a wallet protected by a password. As a good practice, it’s good to rotate the wallet password; the frequency can be defined by the client.
This post shows how to change the wallet password. The command is very simple and you can do it online, with no downtime required:
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY old_password SET new_password WITH BACKUP;
The WITH BACKUP clause makes a backup copy of the wallet file, still protected by the current (old) password, before the password is changed.
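As an added example (not part of the original post), here is the full rotation as I would run it: check the wallet state first, rotate with a tagged backup, then confirm the wallet is still open. It assumes a SQL*Plus or SQLcl session connected as SYSKM or SYSDBA; the two passwords and the backup tag are placeholders, and the backup file name pattern in the comment is my assumption about how Oracle names tagged backups.

```sql
-- Added example, not the original post's code. Placeholders: both passwords
-- and the backup tag 'pre_rotation'.

-- 1. Confirm the wallet is open and password-based before touching it.
--    For the scenario in this post you expect STATUS = OPEN and
--    WALLET_TYPE = PASSWORD (an AUTOLOGIN wallet would need its SSO file
--    regenerated after a password change).
SELECT wrl_type, wrl_parameter, status, wallet_type, con_id
  FROM v$encryption_wallet;

-- 2. Rotate the password online. FORCE KEYSTORE lets the change go through
--    even if the keystore is not currently open; WITH BACKUP USING tags the
--    backup copy written next to the wallet (assumed name pattern:
--    ewallet_<timestamp>_pre_rotation.p12) so it is easy to find later.
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
  FORCE KEYSTORE
  IDENTIFIED BY "OldWalletPassw0rd#"
  SET "NewWalletPassw0rd#"
  WITH BACKUP USING 'pre_rotation';

-- 3. The wallet stays open and no datafile is closed by this step;
--    STATUS should still read OPEN.
SELECT status, wallet_type FROM v$encryption_wallet;
```

The old wallet password is not needed after this; the new one is what you type at the next database startup when you open the wallet with ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "NewWalletPassw0rd#". Keep the tagged backup file somewhere the new password can never be confused with the old one, because the backup still opens only with the old password.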
Just this!
Hope it helps!
Peace,
Vinicius