Hey everyone,


Hope you’re doing good.


As already discussed in the blog, every environment which uses TDE (Transparent Data Encryption), a wallet is needed to store the encryption key.


The wallet is a file extremally important and critical for the health and well functioning of the DB, as if you lose this file (doesn’t matter if you delete the file or if the filesystem got corrupted), your DB cannot be open anymore!


So, it’s very important to take frequent backups of the wallet, so you can make sure you’ll always have a copy of your wallet in more than one place.


I will not discuss about the strategy to copy the backup to tape, cloud, etc, this must be followed by your backup policy.


The main goal of this post is to create a copy of the wallet to two different destinations (on this example, NFS locations), so, you can have more than one copy of wallet. I also recommend you to take weekly backups of your wallet.


You can schedule the script through Cron or DBMS_SCHEDULER, you can use the example on this post: here.


On this example, we’ll schedule it using Cron.


The shell script below will use the location of wallet using harded code, it’s possible to make it dinamically, but this can be done through an improvement in the next version of the script šŸ™‚


So, first step is to get the location of the wallet, this is defined by the value of parameter wallet_root. Let’s run the below query to get the value of wallet_root:let_root:


SQL> select name,value from v$parameter where name='wallet_root';

NAME         VALUE
------------ ------------------------------
wallet_root  /oracle/PB1/19300/dbs/wallet


OK, so wallet_root value is /oracle/PB1/19300/dbs/wallet. Let’s call this value as WALLET_ROOT. So, the wallet will always be on the location defined by WALLET_ROOT/tde, so, in our example: /oracle/PB1/19300/dbs/wallet/tde.


The shell script logic will be as descried below:


We’ll create a variable called bkpdate in the format YYYYMMDD, so, in our example, let’s consider the date today: 20230531


After this, we’ll define some variables: ORACLE_HOME and WALLET_ROOT.


Following, the script will enter into the directory defined by $WALLET_ROOT/tde and will check if file ewallet.p12 is present in the directory. This file is the file for wallet.


If the file is found (we are expecting this!), the wallet will be copied to two NFS locations:




The backup file (executed today) will be as this example: ewallet.p12.20230531


After the copy, an email will be send informing that backup has been done. This will only work if your server is able to send e-mails. (This post will not cover this).


Replace the value of your_email@your_domain.com to your e-mail or a distribution list used by your team.


Note: this script doesn’t consider autologin file for backup, as the environment doesn’t use autologin. But you can just add the line to copy autologin file too.



export bkpdate=$(date +%Y%m%d)
export ORACLE_HOME=/oracle/PB1/19300
export PATH=/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/oracle/PB1:.
export WALLET_ROOT=${ORACLE_HOME}/dbs/wallet
cd ${WALLET_ROOT}/tde
if [ -f ewallet.p12 ]
cp ewallet.p12 /oracle/backup/wallet/PB1/ewallet.p12.${bkpdate}
cp ewallet.p12 /sapcd/backup/wallet/PB1/ewallet.p12.${bkpdate}
mail -s "Backup of Wallet - ${db_name} completed." your_email@your_domain.com < /dev/null
mail -s "Backup of Wallet - ${db_name} ** FAILED **." your_email@your_domain.com < /dev/null


Below we have the scheduling in the Cron, script will be executed every Saturday at midnight:


00 00 * * 6 /oracle/backup/wallet/PB1/PB1_backup_wallet.sh >/dev/null 2>/dev/null



Hope this helps!