Oracle 12c Wallet/KeyStore Administration Commands
Creating a Keystore
Examples
The following statement creates a password-protected software keystore in directory /etc/ORACLE/WALLETS/orcl:
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY password;
The following statement creates an auto-login software keystore from the keystore created in the previous statement:
SQL> ADMINISTER KEY MANAGEMENT
CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl'
IDENTIFIED BY password;
Opening a Keystore
Examples
The following statement opens a password-protected software keystore:
SQL> ADMINISTER KEY MANAGEMENT
SET KEYSTORE OPEN
IDENTIFIED BY password;
If you are connected to a CDB, then the following statement opens a password-protected software keystore in the current container:
SQL> ADMINISTER KEY MANAGEMENT
SET KEYSTORE OPEN
IDENTIFIED BY password
CONTAINER = CURRENT;
The following statement opens a keystore whose password is stored in the external store:
SQL> ADMINISTER KEY MANAGEMENT
SET KEYSTORE OPEN
IDENTIFIED BY EXTERNAL STORE;
Closing a Keystore
Examples
The following statement closes a password-protected software keystore:
SQL> ADMINISTER KEY MANAGEMENT
SET KEYSTORE CLOSE
IDENTIFIED BY password;
The following statement closes an auto-login software keystore:
SQL> ADMINISTER KEY MANAGEMENT
SET KEYSTORE CLOSE;
The following statement closes a keystore whose password is stored in the external store:
SQL> ADMINISTER KEY MANAGEMENT
SET KEYSTORE CLOSE
IDENTIFIED BY EXTERNAL STORE;
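The OPEN and CLOSE statements above succeed silently, so a practitioner normally checks the keystore state from V$ENCRYPTION_WALLET before encrypting or decrypting anything. The following SQL*Plus script is an added example, not part of the original page: it shows the state before opening, opens the keystore in the current container, and aborts the script unless the status is OPEN. It assumes the keystore path from the page (/etc/ORACLE/WALLETS/orcl), that `password` stands in for the real keystore password, and a 12c database where V$ENCRYPTION_WALLET returns one row per container.

```sql
-- Added example (not from the original page): open the keystore and verify
-- its state from V$ENCRYPTION_WALLET. "password" is a placeholder for the
-- real keystore password.
WHENEVER SQLERROR EXIT FAILURE
SET SERVEROUTPUT ON
SET LINESIZE 200
COLUMN wrl_parameter   FORMAT A40
COLUMN status          FORMAT A20
COLUMN wallet_type     FORMAT A12
COLUMN fully_backed_up FORMAT A8

-- Before opening: a software keystore shows WRL_TYPE = FILE and, typically,
-- STATUS = CLOSED (OPEN_NO_MASTER_KEY means open but no master key set yet).
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet
 ORDER BY con_id;

ADMINISTER KEY MANAGEMENT
  SET KEYSTORE OPEN
  IDENTIFIED BY password
  CONTAINER = CURRENT;

-- Guard: stop the script unless the keystore is OPEN in this container.
-- The CON_ID filter matters in a CDB, where the view returns one row per
-- container and an unfiltered SELECT INTO would raise TOO_MANY_ROWS.
DECLARE
  v_status VARCHAR2(30);
BEGIN
  SELECT status
    INTO v_status
    FROM v$encryption_wallet
   WHERE wrl_type = 'FILE'
     AND con_id = SYS_CONTEXT('USERENV', 'CON_ID');

  IF v_status <> 'OPEN' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'TDE keystore not usable in this container: STATUS=' || v_status);
  END IF;

  DBMS_OUTPUT.PUT_LINE('Keystore OPEN in CON_ID '
                       || SYS_CONTEXT('USERENV', 'CON_ID'));
END;
/
```

Run the script as a user with SYSKM (or SYSDBA) privilege; WHENEVER SQLERROR turns the PL/SQL guard into a non-zero exit code, so the same script can gate a batch job that needs TDE available.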
Backing Up a Keystore
Example
The following statement creates a backup of a password-protected software keystore. The backup is stored in directory /etc/ORACLE/KEYSTORE/DB1 and the backup file name contains the tag hr.emp_keystore.
SQL> ADMINISTER KEY MANAGEMENT
BACKUP KEYSTORE USING 'hr.emp_keystore'
IDENTIFIED BY password
TO '/etc/ORACLE/KEYSTORE/DB1/';
Changing a Keystore Password
Example
The following statement changes the password for a password-protected software keystore. It also creates a backup of the keystore, with the tag pwd_change, before changing the password.
SQL> ADMINISTER KEY MANAGEMENT
ALTER KEYSTORE PASSWORD IDENTIFIED BY old_password
SET new_password WITH BACKUP USING 'pwd_change';
Merging Two Keystores Into a New Keystore
Example
The following statement merges an auto-login software keystore with a password-protected software keystore to create a new password-protected software keystore at a new location:
SQL> ADMINISTER KEY MANAGEMENT
MERGE KEYSTORE '/etc/ORACLE/KEYSTORE/DB1'
AND KEYSTORE '/etc/ORACLE/KEYSTORE/DB2'
IDENTIFIED BY existing_keystore_password
INTO NEW KEYSTORE '/etc/ORACLE/KEYSTORE/DB3'
IDENTIFIED BY new_keystore_password;
Merging a Keystore Into an Existing Keystore
Example
The following statement merges an auto-login software keystore into a password-protected software keystore. It also creates a backup of the password-protected software keystore before performing the merge.
SQL> ADMINISTER KEY MANAGEMENT
MERGE KEYSTORE '/etc/ORACLE/KEYSTORE/DB1'
INTO EXISTING KEYSTORE '/etc/ORACLE/KEYSTORE/DB2'
IDENTIFIED BY existing_keystore_password
WITH BACKUP;
Creating and Activating a Master Encryption Key
Examples
The following statement creates and activates a master encryption key in a password-protected software keystore. It encrypts the key using the SEED128 algorithm. It also creates a backup of the keystore before creating the new master encryption key.
SQL> ADMINISTER KEY MANAGEMENT
SET KEY USING ALGORITHM 'SEED128'
IDENTIFIED BY password
WITH BACKUP;
The following statement creates a master encryption key in a password-protected software keystore, but does not activate the key. It also creates a backup of the keystore before creating the new master encryption key.
SQL> ADMINISTER KEY MANAGEMENT
CREATE KEY USING TAG 'mykey1'
IDENTIFIED BY password
WITH BACKUP;
The following query displays the key identifier for the master encryption key that was created in the previous statement:
SQL> SELECT TAG, KEY_ID
FROM V$ENCRYPTION_KEYS
WHERE TAG = 'mykey1';
TAG KEY_ID
--- ----------------------------------------------------
mykey1 ARgEtzPxpE/Nv8WdPu8LJJUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The following statement activates the master encryption key that was queried in the previous statement. It also creates a backup of the keystore before activating the new master encryption key.
SQL> ADMINISTER KEY MANAGEMENT
USE KEY 'ARgEtzPxpE/Nv8WdPu8LJJUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
IDENTIFIED BY password
WITH BACKUP;
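SET KEY creates and activates a master encryption key in one step, and WITH BACKUP copies the keystore first, but nothing in the statement itself tells you that the rotation took effect or that the backup was recorded. The following SQL*Plus script is an added example, not part of the original page, and serves both this section and "Backing Up a Keystore": it records the currently active key, rotates with a tagged backup, and then checks V$ENCRYPTION_KEYS and V$ENCRYPTION_WALLET for the new key, its tag and the BACKED_UP / FULLY_BACKED_UP flags. It assumes an open password-protected software keystore in the current container, `password` as the placeholder keystore password, and the constructed tag and backup identifier `rotate_2024q1`; the column names are those of the 12c views as documented, not values taken from this page.

```sql
-- Added example (not from the original page): rotate the TDE master key with
-- a backup and verify the result from the catalog views. "password" and
-- 'rotate_2024q1' are placeholders constructed for this example.
WHENEVER SQLERROR EXIT FAILURE
SET SERVEROUTPUT ON
SET VERIFY OFF

-- Remember the key active before rotation (newest ACTIVATION_TIME).
-- NVL keeps the substitution variable defined on a keystore with no key yet.
COLUMN key_before NEW_VALUE key_before
SELECT NVL(MAX(key_id) KEEP (DENSE_RANK FIRST ORDER BY activation_time DESC),
           'NONE') AS key_before
  FROM v$encryption_keys
 WHERE con_id = SYS_CONTEXT('USERENV', 'CON_ID');

-- Rotate: creates and activates a new master key; the keystore is backed up
-- under the given identifier before the change is written.
ADMINISTER KEY MANAGEMENT
  SET KEY USING TAG 'rotate_2024q1'
  IDENTIFIED BY password
  WITH BACKUP USING 'rotate_2024q1';

-- Verify: the newest active key differs from the old one, carries the
-- expected tag, and both the key and the keystore report as backed up.
DECLARE
  v_key_id VARCHAR2(78);
  v_tag    VARCHAR2(4000);
  v_key_bk VARCHAR2(3);
  v_ks_bk  VARCHAR2(3);
BEGIN
  SELECT key_id, tag, backed_up
    INTO v_key_id, v_tag, v_key_bk
    FROM (SELECT key_id, tag, backed_up
            FROM v$encryption_keys
           WHERE con_id = SYS_CONTEXT('USERENV', 'CON_ID')
           ORDER BY activation_time DESC)
   WHERE ROWNUM = 1;

  SELECT fully_backed_up
    INTO v_ks_bk
    FROM v$encryption_wallet
   WHERE wrl_type = 'FILE'
     AND con_id = SYS_CONTEXT('USERENV', 'CON_ID');

  IF v_key_id = '&key_before' THEN
    RAISE_APPLICATION_ERROR(-20002, 'Master key was not rotated');
  ELSIF v_tag <> 'rotate_2024q1' THEN
    RAISE_APPLICATION_ERROR(-20003, 'Unexpected active key tag: ' || v_tag);
  ELSIF v_key_bk <> 'YES' OR v_ks_bk <> 'YES' THEN
    RAISE_APPLICATION_ERROR(-20004,
      'Backup flags not set (key=' || v_key_bk || ', keystore=' || v_ks_bk || ')');
  END IF;

  DBMS_OUTPUT.PUT_LINE('Rotated from ' || '&key_before' || ' to ' || v_key_id
                       || ' (tag ' || v_tag || ')');
END;
/
```

Ordering by ACTIVATION_TIME rather than CREATION_TIME is deliberate: a key created with CREATE KEY but never activated with USE KEY has no activation time and must not be mistaken for the active one. The backup checks are the point of the WITH BACKUP clause; a keystore whose FULLY_BACKED_UP column reads NO after a rotation holds a master key that exists nowhere else.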
Setting a Key Tag
Example
This example assumes that the keystore is closed. The following statement temporarily opens the keystore and changes the tag to mykey2 for the master encryption key that was activated in the previous example. It also creates a backup of the keystore before changing the tag.
SQL> ADMINISTER KEY MANAGEMENT
SET TAG 'mykey2' FOR 'ARgEtzPxpE/Nv8WdPu8LJJUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
FORCE KEYSTORE
IDENTIFIED BY password
WITH BACKUP;
Exporting Keys
Examples
The following statement exports two master encryption keys from a password-protected software keystore to file /etc/TDE/export.exp. The statement encrypts the master encryption keys in the file using the secret my_secret. The identifiers of the master encryption keys to be exported are provided as a comma-separated list.
SQL> ADMINISTER KEY MANAGEMENT
EXPORT KEYS WITH SECRET "my_secret"
TO '/etc/TDE/export.exp'
IDENTIFIED BY password
WITH IDENTIFIER IN 'AdoxnJ0uH08cv7xkz83ovwsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
'AW5z3CoyKE/yv3cNT5CWCXUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
The following statement exports master encryption keys from a password-protected software keystore to file /etc/TDE/export.exp. Only the keys whose tags are mytag1 or mytag2 are exported. The master encryption keys in the file are encrypted using the secret my_secret. The key identifiers are found by querying the V$ENCRYPTION_KEYS view.
SQL> ADMINISTER KEY MANAGEMENT
EXPORT KEYS WITH SECRET "my_secret"
TO '/etc/TDE/export.exp'
IDENTIFIED BY password
WITH IDENTIFIER IN
(SELECT KEY_ID FROM V$ENCRYPTION_KEYS WHERE TAG IN ('mytag1', 'mytag2'));
The following statement exports all master encryption keys of the database to file /etc/TDE/export.exp. The master encryption keys in the file are encrypted using the secret my_secret.
SQL> ADMINISTER KEY MANAGEMENT
EXPORT KEYS WITH SECRET "my_secret"
TO '/etc/TDE/export.exp'
IDENTIFIED BY password;
In a multitenant environment, the following statements export all master encryption keys of the PDB salespdb, along with metadata, to file /etc/TDE/salespdb.exp. The master encryption keys in the file are encrypted using the secret my_secret. If the PDB is subsequently cloned, or unplugged and plugged back in, then the export file created by this statement can be used to import the keys into the cloned or newly plugged-in PDB.
SQL> ALTER SESSION SET CONTAINER = salespdb;
SQL> ADMINISTER KEY MANAGEMENT
EXPORT KEYS WITH SECRET "my_secret"
TO '/etc/TDE/salespdb.exp'
IDENTIFIED BY password;
Importing Keys
Example
The following statement imports the master encryption keys, encrypted with secret my_secret, from file /etc/TDE/export.exp to a password-protected software keystore. It also creates a backup of the password-protected software keystore before importing the keys.
SQL> ADMINISTER KEY MANAGEMENT
IMPORT KEYS WITH SECRET "my_secret"
FROM '/etc/TDE/export.exp'
IDENTIFIED BY password
WITH BACKUP;
Migrating a Keystore
Example
The following statement migrates from a password-protected software keystore to a hardware keystore. It also creates a backup of the password-protected software keystore before performing the migration.
SQL> ADMINISTER KEY MANAGEMENT
SET ENCRYPTION KEY IDENTIFIED BY "user_id:password"
MIGRATE USING software_keystore_password
WITH BACKUP;
Adding a Secret to a Keystore
Example
The following statement adds secret secret1, with the tag My first secret, for client client1 to a password-protected software keystore. It also creates a backup of the password-protected software keystore before adding the secret.
SQL> ADMINISTER KEY MANAGEMENT
ADD SECRET 'secret1' FOR CLIENT 'client1'
USING TAG 'My first secret'
IDENTIFIED BY password
WITH BACKUP;
Updating a Secret in a Keystore
Examples
The following statement updates the secret that was created in the previous example in a password-protected software keystore. It also creates a backup of the password-protected software keystore before updating the secret.
SQL> ADMINISTER KEY MANAGEMENT
UPDATE SECRET 'secret1' FOR CLIENT 'client1'
USING TAG 'New Tag 1'
IDENTIFIED BY password
WITH BACKUP;
Deleting a Secret from a Keystore
Examples
The following statement deletes the secret that was updated in the previous example from a password-protected software keystore. It also creates a backup of the password-protected software keystore before deleting the secret.
SQL> ADMINISTER KEY MANAGEMENT
DELETE SECRET FOR CLIENT 'client1'
IDENTIFIED BY password
WITH BACKUP;