Provisioning a TDE (Transparent Data Encryption) enabled VDB

Overview

This topic describes how to provision a VDB from an encrypted database. The Delphix Engine supports provisioning from a dSource linked to a physical database that has been encrypted with Oracle's Transparent Data Encryption (TDE), which can be used to encrypt columns or tablespaces.

The Delphix Engine supports provisioning from a dSource with an encrypted system tablespace in a non-multitenant configuration. The VDB's wallet on the target environment must include an auto-login wallet (cwallet.sso). If the auto-login wallet is copied from the source host, it must not be a local auto-login wallet, because a local auto-login wallet is tied to the host on which it was created.

Provisioning a VDB from an encrypted dSource requires an auto-login wallet set up in the target environment, because the provisioning process requires the master key to be stored in the wallet file. This can be achieved either by copying the ewallet.p12 and cwallet.sso files to the target host (for this to work, the wallet must not have been created with the "local" option), or by creating a new auto-login wallet on the target and then exporting the keys from the source wallet and importing them into this wallet.

When provisioning a VDB from an encrypted dSource, if the target environment has other databases that also use TDE, each database should use a different wallet. This also includes a scenario where the VDB has been provisioned back to the same environment as the encrypted dSource. Please check Oracle documentation on how to set up different wallet locations for different databases. For example, use $ORACLE_SID in the DIRECTORY clause of the ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora.

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/wallets/$ORACLE_SID)))

The SQLNET.ENCRYPTION_WALLET_LOCATION parameter is deprecated in Oracle Database 18c, although it remains functional. Oracle recommends configuring TDE using the WALLET_ROOT and TDE_CONFIGURATION parameters for Oracle Database 18c and later versions. The Delphix Engine supports provisioning a VDB with TDE configured using either the sqlnet.ora file or the WALLET_ROOT and TDE_CONFIGURATION parameters.

Provisioning a VDB with TDE configuration using the sqlnet.ora file

  1. Check for any encrypted columns or tablespaces on the source database. The following query lists the encrypted tablespaces and their encryption algorithms:

    SELECT t.name name, e.encryptionalg algorithm FROM v$tablespace t, v$encrypted_tablespaces e
    WHERE t.ts# = e.ts# and upper(e.encryptedts) = 'YES';
  2. Copy the wallet files (ewallet.p12 and cwallet.sso) from the source database to the target environment. Ensure that the user ORACLE has read and write permissions for these files, and then configure the sqlnet.ora file on the target to point to the directory where the wallet is located.

    $ more sqlnet.ora
    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/oradata/nf/wallet)))
  3. If the source database does not use an auto-login wallet, create the auto-login wallet (cwallet.sso) in the target environment. Ensure that the user ORACLE has read and write permissions for the file.

    $ orapki wallet create -wallet /opt/oracle/oradata/nf/wallet -auto_login [-pwd password]
  4. Proceed with provisioning the VDB as described in Provisioning an Oracle VDB.

Provisioning a VDB with TDE configuration using WALLET_ROOT and TDE_CONFIGURATION parameters

  1. Check for any encrypted columns or tablespaces on the source database. The following query lists the encrypted tablespaces and their encryption algorithms:

    SELECT t.name name, e.encryptionalg algorithm FROM v$tablespace t, v$encrypted_tablespaces e
    WHERE t.ts# = e.ts# and upper(e.encryptedts) = 'YES';
  2. Copy the wallet files (ewallet.p12 and cwallet.sso) from the source database to the target environment. Ensure that the user ORACLE has read and write permissions for these files. The wallet files must be placed in a directory that ends with a tde folder.
    Example:

    1. Valid: /my_wallet_root/tde

    2. Invalid: /my_wallet_root

  3. If the source database does not use an auto-login wallet, create the auto-login wallet (cwallet.sso) on the target environment. Ensure that the user ORACLE has read and write permissions for the file.

    $ orapki wallet create -wallet /opt/oracle/oradata/nf/wallet -auto_login [-pwd password]
  4. Proceed with provisioning the VDB as described in Provisioning an Oracle VDB.

    1. On the Target Configuration page, check the option Configure VDB Parameters.

    2. On the VDB Configure Parameters page, add the following two parameters: wallet_root and tde_configuration. Enclose the values of both parameters in single quotes.

      • The value of wallet_root should specify the directory where the wallet files are stored, excluding the trailing tde folder.

      • Example: If the wallet files (ewallet.p12 and cwallet.sso) are located in /my_wallet_root/tde, the value of wallet_root should be /my_wallet_root.
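The requirements above (both wallet files present on the target, the directory ending in a tde folder when WALLET_ROOT is used, wallet_root being that path without the trailing tde folder, and a per-database DIRECTORY in the sqlnet.ora style configuration) can be verified on the target host before provisioning. The POSIX shell script below is an added example written for this page; it is not Delphix or Oracle tooling. The function names and the temporary wallet directory it creates for demonstration are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Delphix or Oracle tooling): pre-provisioning checks for a
# TDE wallet directory on the target host. Function names are assumptions.

# Both wallet files must be present: ewallet.p12 (password-protected wallet)
# and cwallet.sso (auto-login wallet). Returns 0 if both exist, 1 otherwise.
wallet_files_present() {
    dir="$1"
    [ -f "$dir/ewallet.p12" ] && [ -f "$dir/cwallet.sso" ]
}

# Files in the wallet directory must be readable and writable by the OS user
# running the database (run this as that user). Returns 0 when all wallet
# files are accessible, 1 otherwise, naming the offending file on stderr.
wallet_files_accessible() {
    dir="$1"
    ok=0
    for f in "$dir/ewallet.p12" "$dir/cwallet.sso"; do
        if [ ! -r "$f" ] || [ ! -w "$f" ]; then
            echo "not readable/writable: $f" >&2
            ok=1
        fi
    done
    return $ok
}

# Derive the wallet_root parameter value from a wallet directory. The
# directory must end in a tde folder; wallet_root is the path with that
# folder removed. Prints the value and returns 0, or prints nothing and
# returns 1 when the directory does not end in /tde (invalid layout).
wallet_root_from_dir() {
    dir="${1%/}"                      # drop a trailing slash, if any
    case "$dir" in
        */tde) printf '%s\n' "${dir%/tde}" ;;
        *)     return 1 ;;
    esac
}

# Build the pre-18c sqlnet.ora ENCRYPTION_WALLET_LOCATION line for a wallet
# directory; pass a per-database directory so databases sharing a host do
# not share a wallet.
sqlnet_wallet_location() {
    printf 'ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\n' "$1"
}

# Constructed demonstration using a temporary directory (not a real wallet).
demo_base="${TMPDIR:-/tmp}/tde_demo_$$"
demo_dir="$demo_base/my_wallet_root/tde"
mkdir -p "$demo_dir"
wallet_files_present "$demo_dir" || echo "missing wallet files in $demo_dir"
: > "$demo_dir/ewallet.p12"
: > "$demo_dir/cwallet.sso"
wallet_files_present "$demo_dir" && echo "wallet files present in $demo_dir"
wallet_files_accessible "$demo_dir" && echo "wallet files are readable/writable"
echo "wallet_root='$(wallet_root_from_dir "$demo_dir")'"
wallet_root_from_dir "$demo_base/my_wallet_root" \
    || echo "invalid wallet directory: no trailing tde folder"
sqlnet_wallet_location '/opt/oracle/wallets/$ORACLE_SID'
rm -rf "$demo_base"
```

Run the script as the database OS user on the target host, pointing the functions at the real wallet directory instead of the constructed one; the wallet_root value it prints is the one to enter (in single quotes) on the VDB Configure Parameters page.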