配置钱包根位置和密钥库类型
配置 CDB 密钥库的根目录位置
-- Point the CDB at the directory that will hold the TDE keystore.
-- WALLET_ROOT is static: it can only be set with SCOPE=SPFILE and takes
-- effect after the instance is restarted (see the restart that follows).
-- The directory must already exist on the database host and should be
-- accessible only to the Oracle software owner (e.g. mode 700), since it
-- will contain the keystore files; confirm the effective keystore path
-- afterwards via v$encryption_wallet.wrl_parameter.
ALTER SYSTEM SET wallet_root = '/u01/app/oracle/admin/cdb1/tde_keystore'
    SCOPE = SPFILE;
重新启动实例并重新打开 PDB
-- Restart so the SPFILE-only WALLET_ROOT change is picked up, bring the
-- PDBs back to OPEN, and confirm the parameter now shows the new path.
SHUTDOWN IMMEDIATE
STARTUP
ALTER PLUGGABLE DATABASE ALL OPEN;
SHOW PARAMETER WALLET_ROOT

-- Use a software (file-based) keystore located under WALLET_ROOT.
-- TDE_CONFIGURATION is dynamic, so SCOPE=BOTH applies it immediately and
-- persists it; no second restart is needed.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE'
    SCOPE = BOTH;
检查密钥库的当前状态
-- Keystore state per container before the keystore exists:
-- wrl_parameter = effective keystore path, status = open/closed state,
-- keystore_mode = per-container mode, con_id = container.
SELECT
    wrl_parameter,
    status,
    keystore_mode,
    con_id
FROM v$encryption_wallet;
创建 CDB 根密钥库
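-- Create the password-protected software keystore under WALLET_ROOT.
-- The password is taken from the SQL*Plus substitution variable
-- tde_keystore_pwd instead of being hardcoded: this single password
-- protects every TDE master key, so it must be strong and must not live
-- in a script or in version control. Define it once per session with
--   ACCEPT tde_keystore_pwd CHAR PROMPT 'TDE keystore password: ' HIDE
-- (and SET VERIFY OFF) so it is never echoed; "&&" prompts only if the
-- variable is still undefined. Every later ADMINISTER KEY MANAGEMENT
-- statement must use exactly the same value. Enclose the value in double
-- quotes if it contains special characters.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
    IDENTIFIED BY &&tde_keystore_pwd;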
创建密钥库后,默认情况下它是关闭的
-- Re-check: a freshly created password keystore is reported as closed
-- until it is explicitly opened.
SELECT
    wrl_parameter,
    status,
    keystore_mode,
    con_id
FROM v$encryption_wallet;
打开 CDB 根密钥库
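-- Open the root keystore in CDB$ROOT and, via CONTAINER=ALL, in the PDBs.
-- The password comes from the substitution variable tde_keystore_pwd and
-- must match the one the keystore was created with (define it with
-- ACCEPT ... HIDE and SET VERIFY OFF so it is not echoed).
-- A password-protected keystore has to be reopened after every instance
-- restart; an auto-login keystore removes that step but lets anyone with
-- file access to WALLET_ROOT open it, so decide that trade-off explicitly.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
    IDENTIFIED BY &&tde_keystore_pwd
    CONTAINER = ALL;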
未设置 TDE 主加密密钥的情况下打开
-- Keystore is now open but no TDE master key has been set yet; the status
-- column reflects that intermediate state.
SELECT
    wrl_parameter,
    status,
    keystore_mode,
    con_id
FROM v$encryption_wallet;
在 CDB 根密钥库中设置 TDE 主加密密钥
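-- Generate and activate a TDE master encryption key in the root keystore
-- and (CONTAINER=ALL) in every open PDB. Password from the substitution
-- variable tde_keystore_pwd; it must match the keystore's password.
-- WITH BACKUP writes a copy of the keystore into the keystore directory
-- before the change; copy those backups to a separate, access-controlled
-- location -- if the keystore (or its password) is lost, the encrypted
-- data is unrecoverable.
ADMINISTER KEY MANAGEMENT SET KEY
    IDENTIFIED BY &&tde_keystore_pwd
    WITH BACKUP
    CONTAINER = ALL;

-- Expect the keystore to be open with a master key in every container.
SELECT
    wrl_parameter,
    status,
    keystore_mode,
    con_id
FROM v$encryption_wallet;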
首先连接到 PDB,然后在该 PDB 中打开密钥库
-- Connect directly to PDB1 as SYSDBA. SQL*Plus prompts for the SYS
-- password; keep it out of the connect string so it does not end up in
-- this file, in shell history or in process listings.
CONNECT sys@pdb1 AS SYSDBA
打开 PDB 上的密钥库
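-- Keystore state as seen from inside the PDB, before opening it here.
SELECT
    wrl_parameter,
    status,
    keystore_mode,
    con_id
FROM v$encryption_wallet;

-- Open the keystore for this PDB only (no CONTAINER clause). The password
-- is the keystore password, supplied via the substitution variable
-- tde_keystore_pwd (define it with ACCEPT ... HIDE rather than typing it
-- at an echoing prompt). Keyword case normalised to match the rest of
-- the script.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
    IDENTIFIED BY &&tde_keystore_pwd;

-- Keystore state after opening in the PDB.
SELECT
    wrl_parameter,
    status,
    keystore_mode,
    con_id
FROM v$encryption_wallet;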
在 PDB 上设置 TDE 主加密密钥
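-- Set (or rotate) the TDE master key for the current PDB only. The
-- keystore password comes from the substitution variable tde_keystore_pwd
-- and must match the value used when the keystore was created. WITH BACKUP
-- leaves a backup copy in the keystore directory; store it securely
-- elsewhere as well.
ADMINISTER KEY MANAGEMENT SET KEY
    IDENTIFIED BY &&tde_keystore_pwd
    WITH BACKUP;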
TDE 主加密密钥
登录到 CDB 根容器(CDB$ROOT),创建 PDB 并验证 PDB 是否存在并已打开。
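-- Create PDB2 from the seed, copying the seed datafiles into the pdb2
-- directory. The PDB admin password is read from the substitution variable
-- pdb_adm_pwd instead of a hardcoded value (the original used a trivially
-- guessable one); define it with ACCEPT pdb_adm_pwd CHAR PROMPT ... HIDE
-- and SET VERIFY OFF so it is not echoed. Note: the later TDE steps in
-- this file operate on pdb1, not pdb2.
CREATE PLUGGABLE DATABASE pdb2
    ADMIN USER pdb_adm IDENTIFIED BY "&&pdb_adm_pwd"
    FILE_NAME_CONVERT = ('/u02/oradata/CDB1/pdbseed/', '/u02/oradata/CDB1/pdb2/');

-- Open all PDBs and list them with their open mode.
ALTER PLUGGABLE DATABASE ALL OPEN;
SHOW PDBS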
检查密钥库位置是否已经设置
-- Is a keystore location already configured? An empty value means
-- WALLET_ROOT still has to be set (next step).
SHOW PARAMETERS wallet_root
设置 CDB 根密钥库位置
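-- Create the WALLET_ROOT directory on the database host. The original
-- bare "mkdir" is an OS command and is not valid SQL*Plus input; HOST
-- runs it from SQL*Plus on the machine SQL*Plus is running on, so this
-- only works when SQL*Plus runs on the DB server as the Oracle software
-- owner -- otherwise run the mkdir in a shell there. -m 700 restricts the
-- directory to that owner, since it will hold the keystore and its
-- backups. Note: the first walkthrough in this file used a different
-- path (/u01/app/oracle/admin/cdb1/tde_keystore); pick one location.
HOST mkdir -p -m 700 /u02/oradata/CDB1/tde_keystore

-- WALLET_ROOT is static: SPFILE scope plus an instance restart.
ALTER SYSTEM SET wallet_root = '/u02/oradata/CDB1/tde_keystore'
    SCOPE = SPFILE;

-- Restart to apply it, then bring the PDBs back to OPEN.
SHUTDOWN IMMEDIATE
STARTUP
ALTER PLUGGABLE DATABASE ALL OPEN;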
检查是否已设置密钥库文件类型
-- Has the keystore type been chosen yet? Expect this to be empty until
-- TDE_CONFIGURATION is set in the next step.
SHOW PARAMETERS tde_configuration
设置 CDB 根密钥库的文件类型。
-- Software (file-based) keystore under WALLET_ROOT. The parameter is
-- dynamic, so SCOPE=BOTH both applies it now and persists it to the SPFILE.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE'
    SCOPE = BOTH;
创建 CDB 根密钥库
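-- Create the password-protected root keystore under WALLET_ROOT. The
-- password is supplied through the SQL*Plus substitution variable
-- tde_keystore_pwd rather than hardcoded -- it protects every TDE master
-- key, so it must be strong and must not be stored in this script. Define
-- it once per session with
--   ACCEPT tde_keystore_pwd CHAR PROMPT 'TDE keystore password: ' HIDE
-- together with SET VERIFY OFF so it is never echoed; "&&" prompts only
-- if it is undefined. Use the same value in every later keystore command
-- (double-quote it if it contains special characters).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
    IDENTIFIED BY &&tde_keystore_pwd;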
打开 CDB 根密钥库。
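-- Open the root keystore in CDB$ROOT and all PDBs. The password comes from
-- the substitution variable tde_keystore_pwd and must match the one the
-- keystore was created with (define it with ACCEPT ... HIDE so it is not
-- echoed). Remember this has to be repeated after each instance restart
-- unless an auto-login keystore is configured -- which in turn means the
-- keystore can be opened by anyone with file access to WALLET_ROOT.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
    IDENTIFIED BY &&tde_keystore_pwd
    CONTAINER = ALL;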
在 CDB 根密钥库中设置 TDE 主加密密钥
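-- Generate and activate a TDE master encryption key in the root keystore
-- and in every open PDB (CONTAINER=ALL). Keystore password via the
-- substitution variable tde_keystore_pwd (must match the keystore's
-- password). WITH BACKUP drops a backup copy of the keystore in the
-- keystore directory; keep an additional copy in a separate protected
-- location, as losing the keystore makes the encrypted data unrecoverable.
ADMINISTER KEY MANAGEMENT SET KEY
    IDENTIFIED BY &&tde_keystore_pwd
    WITH BACKUP
    CONTAINER = ALL;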
验证 CDB 根密钥库是否存在、已打开,并且已设置 TDE 主加密密钥。
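-- Root keystore should now be open with a master key in every container.
SELECT
    wrl_parameter,
    status,
    keystore_mode,
    con_id
FROM v$encryption_wallet;

-- Switch the session into PDB1 and create a dedicated key-administration
-- account. Its password comes from the substitution variable sec_tde_pwd
-- (define with ACCEPT sec_tde_pwd CHAR PROMPT ... HIDE and SET VERIFY OFF)
-- instead of the guessable hardcoded value the original used.
ALTER SESSION SET CONTAINER = pdb1;

CREATE USER sec_tde IDENTIFIED BY "&&sec_tde_pwd";

-- Least privilege: ADMINISTER KEY MANAGEMENT is what the keystore/key
-- statements need, SELECT ANY DICTIONARY covers the v$encryption_* checks,
-- and CREATE TABLE is enough for the test table in the account's own
-- schema -- the original CREATE ANY TABLE would let it create tables in
-- any schema in the PDB. UNLIMITED TABLESPACE is kept from the original;
-- a QUOTA on a single tablespace is preferable once that tablespace is
-- known.
GRANT create session,
      administer key management,
      select any dictionary,
      unlimited tablespace,
      create table
TO sec_tde;

-- Set a new TDE master key for PDB1, letting the database generate the key
-- material. The original passed the key inline in 'mkid:mk' hex form --
-- that leaves the master key in plaintext in this file and in SQL*Plus
-- history, and the first of the two statements was a truncated fragment
-- of the second (not a valid 16-byte key identifier). The 'mkid:mk' form
-- (16-byte id and 32-byte key, hex) is for importing a key you already
-- hold; if you need it, enter it interactively, never from a stored
-- script. Keystore password via tde_keystore_pwd as elsewhere.
ADMINISTER KEY MANAGEMENT SET KEY
    IDENTIFIED BY &&tde_keystore_pwd
    WITH BACKUP;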
验证是否在 PDB 密钥库中设置了新密钥
-- Confirm a new master key is recorded for this PDB: key_id is the key
-- identifier, activating_pdbname the PDB that activated it, cid the
-- container id.
SELECT
    key_id,
    activating_pdbname,
    con_id AS cid
FROM v$encryption_keys;

-- Smoke test: a table with a TDE-encrypted column. This runs in whatever
-- session is current (SYS in the PDB after the steps above); creating test
-- objects as SYS is not recommended -- the sec_tde account created earlier
-- has the privileges for this. ENCRYPT without an algorithm uses Oracle's
-- default column encryption settings.
CREATE TABLE test (
    c NUMBER ENCRYPT
);
PDB 隔离模式(每个 PDB 拥有独立密钥库)在本实验环境中不可用。
据说隔离模式最初仅在 Oracle Cloud 上提供,本地环境是否支持取决于数据库版本,请以所用版本的 Oracle Advanced Security Guide 为准。