In many cases you need to export the TDE master encryption key and import it into the same or a different database.
For example:
If you want to migrate a PDB that uses TDE encryption from one CDB to another, you must export the TDE keys from the source CDB and import them into the target CDB; without them the target CDB cannot decrypt the PDB's data.
How To Export TDE Master Encryption Key
SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "any password to protect export file" TO 'file_path' IDENTIFIED BY keystore_password;
The SECRET protects the export file and is independent of the keystore password; whoever imports the file needs both the file and this secret. If you run the above statement in a PDB, it exports the keys for that PDB only; run in CDB$ROOT, it exports the keys of all containers in the keystore.
SQL> alter session set container=PDB01;
Session altered.
SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "mysecret" TO '/home/dbatst1/Wallet/PDB01_TDE.KEY' IDENTIFIED BY keystore_password;
keystore altered.
NOTE: You can only export the keys while the password-based keystore is open. If the AUTOLOGIN keystore is open instead, you can still export the keys in one of two ways:
either use the FORCE KEYSTORE clause (which on this release requires an additional patch for Bug 22826718; check Doc ID 1944507.1):
SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "mysecret" TO '/home/dbatst1/Wallet/PDB01_TDE.KEY' FORCE KEYSTORE IDENTIFIED BY keystore_password;
OR
or close the auto-login keystore and open the password-based one for the duration of the export.
NOTE: Encrypted data is unavailable to database users and applications for as long as the keystore is closed, so plan the following steps for a maintenance window.
Close the auto-login wallet:
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
Open the password-based wallet:
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY keystore_password;
Export the keys:
SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "mysecret" TO '/home/dbatst1/Wallet/PDB01_TDE.KEY' IDENTIFIED BY keystore_password;
Close the password-based wallet:
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY keystore_password;
Open the auto-login wallet again:
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN;
Exporting selected keys from the keystore
You can restrict the export to specific keys with the WITH IDENTIFIER IN clause. The identifiers are the values of the KEY_ID column of V$ENCRYPTION_KEYS. The following command exports only two keys:
SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "my_secret" TO '/TDE/export.exp' IDENTIFIED BY keystore_password
WITH IDENTIFIER IN 'AdoxnJ0uH08cv7xkz83ovwsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
'AW5z3CoyKE/yv3cNT5CWCXUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
OR, selecting the identifiers with a subquery:
SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "my_secret"
TO '/etc/TDE/export.exp' IDENTIFIED BY keystore_password
WITH IDENTIFIER IN (SELECT KEY_ID FROM V$ENCRYPTION_KEYS WHERE ROWNUM < 3);
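The following is an added worked example, not part of the original post: the complete source-to-target sequence for migrating an encrypted PDB, using the export command above on the source CDB and the matching ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS statement on the target CDB. The container name PDB01, all file paths, the export secret and the keystore passwords are placeholders; the selective export keyed on CON_ID, the use of NOCOPY for the plug-in and the expectation that the plugged-in PDB opens only in RESTRICTED mode until its key is imported are assumptions for this example.

```sql
-- Added example (not the original post's code). Placeholders: PDB01,
-- /home/dbatst1/Wallet/*, "export_file_secret", "keystore_password".

------------------------------------------------------------------------
-- SOURCE CDB: connect as SYSKM (or SYSDBA) in CDB$ROOT
------------------------------------------------------------------------
-- 1. Check which keystore is open. Export needs the password-based one
--    (WALLET_TYPE = PASSWORD); an AUTOLOGIN keystore will not do.
SELECT con_id, wrl_type, wallet_type, status FROM v$encryption_wallet;

-- 2. If WALLET_TYPE is AUTOLOGIN, swap to the password keystore.
--    Encrypted data is unreadable between the CLOSE and the OPEN.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore_password";

-- 3. Switch into the PDB so that only its keys are listed and exported.
ALTER SESSION SET CONTAINER = PDB01;
SELECT key_id, creation_time, activation_time FROM v$encryption_keys;

-- 4. Export. The SECRET protects the file and is separate from the
--    keystore password; the target side needs the file and the secret.
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
  WITH SECRET "export_file_secret"
  TO '/home/dbatst1/Wallet/PDB01_TDE.KEY'
  IDENTIFIED BY "keystore_password";

-- 4b. Alternative from CDB$ROOT: pick the PDB's keys explicitly by CON_ID
--     (assumption: v$encryption_keys in the root lists keys per container).
ALTER SESSION SET CONTAINER = CDB$ROOT;
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
  WITH SECRET "export_file_secret"
  TO '/home/dbatst1/Wallet/PDB01_TDE_selected.KEY'
  IDENTIFIED BY "keystore_password"
  WITH IDENTIFIER IN (SELECT key_id FROM v$encryption_keys
                      WHERE con_id = (SELECT con_id FROM v$pdbs
                                      WHERE name = 'PDB01'));

-- 5. Unplug the PDB, then put the auto-login keystore back for normal use.
ALTER PLUGGABLE DATABASE pdb01 CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb01 UNPLUG INTO '/home/dbatst1/Wallet/pdb01.xml';
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "keystore_password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN;

------------------------------------------------------------------------
-- TARGET CDB: connect as SYSKM in CDB$ROOT after copying pdb01.xml, the
-- datafiles and PDB01_TDE.KEY over a secure channel
------------------------------------------------------------------------
-- 6. Plug in (NOCOPY assumes the datafiles already sit at the paths in
--    the XML). Without its key the PDB is expected to open RESTRICTED.
CREATE PLUGGABLE DATABASE pdb01 USING '/home/dbatst1/Wallet/pdb01.xml' NOCOPY;
ALTER PLUGGABLE DATABASE pdb01 OPEN;

-- 7. Import inside the PDB. FORCE KEYSTORE avoids the close/open dance
--    (needs the patch mentioned above on releases that lack it); WITH
--    BACKUP is required because import modifies the target keystore.
ALTER SESSION SET CONTAINER = PDB01;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS
  WITH SECRET "export_file_secret"
  FROM '/home/dbatst1/Wallet/PDB01_TDE.KEY'
  FORCE KEYSTORE
  IDENTIFIED BY "target_keystore_password"
  WITH BACKUP;

-- 8. Bounce the PDB so it leaves restricted mode, then verify the key
--    is present and the PDB is open read/write without restriction.
ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER PLUGGABLE DATABASE pdb01 CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb01 OPEN;
SELECT name, open_mode, restricted FROM v$pdbs WHERE name = 'PDB01';
ALTER SESSION SET CONTAINER = PDB01;
SELECT key_id, activation_time FROM v$encryption_keys;
```

The export file is only as strong as the secret you chose, so treat the file and the secret as two separate secrets: move the file over an authenticated channel, keep it readable by the Oracle OS user only, and delete it once the import has been verified. On 12.2 and later, UNPLUG INTO ... ENCRYPT USING "secret" and CREATE PLUGGABLE DATABASE ... DECRYPT USING "secret" carry the key inside the unplug manifest and remove the separate export/import step.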
Great info, which hit us on exporting the wallet, thanks very much!