Tuesday, March 5, 2013

[RDBMS] Transparent Data Encryption 11g R2


This is a procedure to configure Transparent Data Encryption (Basic) on a RAC 11gR2 environment.

First you need to add to the $ORACLE_HOME/netowrk/admin/sqlnet.ora the following lines, or alter them if they already exists, in every RAC node:



ENCRYPTION_WALLET_LOCATION=  
  (SOURCE=(METHOD=FILE)(METHOD_DATA=    
   (DIRECTORY=/u01/oracle/product/11.2.0/dbs/encryption_wallet)))

There is a default path,($ORACLE_HOME/admin/$ORACLE_SID/wallet)but you can change it to the one you want your wallet to be.

With the following command you will create and open the wallet, you need to connect as sys:

CONN sys/xxxxx@mydb AS SYSDBA
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "xxxxx"; 

You need to copy the wallet to the others RAC nodes, remember to copy it, to the same location that is in your sqlnet.ora. It's important for you to know, that if you change your Key, then you'll need to copy the wallet to the others RAC nodes, again.

After this you should verify if the wallet is open, connect as sys and execute the following: 

SQL> select inst_id,status from gv$encryption_wallet;

It should give you an output like the following one:

   INST_ID STATUS
---------- ------------------
         1 OPEN
         2 OPEN
         3 OPEN

Everytime you start the database you will need to re-open the wallet, if you want to access that table that has encrypted columns or that tables that are in the encrypted tablespace, so you will need to execute the next command, connected as sys:

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "xxxxx";

You need to know that you CANNOT convert a Tablespace "un-encrypted" to encrypted, so you will need to create a encrypted tablespace and move your tables to it.