Why and How to implement TDE in 11g and 19c ?

Why ?

As clarified by Oracle ,“Transparent Data Encryption (TDE) enables you to encrypt sensitive data that you store in tables and tablespaces” . Below are a quick note using oracle document for both versions 19c or lower versions (11g or 12c).

How ?

1- Set the Software Keystore Location in the sqlnet.ora File . For 11g or 12.1 or 12.2c .

ENCRYPTION_WALLET_LOCATION=

  (SOURCE=

   (METHOD=FILE)

    (METHOD_DATA=

     (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

For  19c, it is recommended to use spfile parameters as below :

ALTER SYSTEM SET WALLET_ROOT = '$ORACLE_BASE/ADMIN/ORCL/WALLET' SCOPE = SPFILE SID = '*';

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH SID = '*';

2- Create the Software Keystore:

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY password;

You may create an auto login to avoid re-entering the wallet password every time:

ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY password;

3- Open the Software Keystore ## In case autologin not configured:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;

4- Set the Software TDE Master Encryption Key:

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY keystore_password WITH BACKUP USING 'key_backup';

5- Encrypt Your Data:

CREATE TABLESPACE encrypt_ts

  DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M

  ENCRYPTION USING 'AES256'

  DEFAULT STORAGE (ENCRYPT);

6- Convert exist Tablespace, for prior 12.2c it is offline only , for 12.2 and later version , both offline and online can be used:

## offline

ALTER TABLESPACE users OFFLINE NORMAL;

ALTER TABLESPACE users ENCRYPTION OFFLINE USING 'AES256' ENCRYPT;

ALTER TABLESPACE users ONLINE;

## online

ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT FILE_NAME_CONVERT = ('users.dbf', 'users_enc.dbf');

 

Why and How to fix Red hat Linux library issue?

Why ?

For any reason you may discover an issue with library like the below issue , where you will not be able even to access the server with emergency mode/target , use the below to fix it, for example , I got the below error.

/usr/sbin/sulogin: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: permission denied

 

How ?

1- First it needs to boot the system into the rescue mode using DVD/CD ISO on the installation media:

How to boot Red Hat Enterprise Linux to Rescue Mode for Data Collection (sosreport, vmcore, etc.)

https://access.redhat.com/articles/3405661

2- Check the rpm package that is behind this library as below:

# rpm -qf /usr/lib64/libcrypt.so.1

libxcrypt-4.1.1-4.el8.x86_64

3- re-install the package using the below and reboot the system to disk boot again:

yum reinstall libxcrypt