Updated 2025-02-25. From: SLTechnology News&Howtos (Shulou, Shulou.com), 05/31.
How should Encrypted Wallet encryption be understood? This article gives a detailed analysis and answer, in the hope of helping readers who face this question find a simpler way to resolve it.
You cannot decrypt a tablespace that has been created encrypted. You must create an unencrypted tablespace and re-create the database objects in the unencrypted tablespace.
Personal understanding: there are two kinds of encryption, namely the auto login wallet and the encrypted wallet.
When the server restarts, only the auto login wallet opens automatically. If no auto login wallet is set up, we must execute ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" to open the encrypted wallet. We can also execute ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" to open the encrypted wallet, although the latter command is mainly used to reset the password.
Set up auto login wallet
Not yet. I didn't find it anywhere in the official document.
Set up encrypted wallet
1. Edit the file sqlnet.ora and add
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)(METHOD_DATA=
  (DIRECTORY=/app/wallet)))
Or
WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)(METHOD_DATA=
  (DIRECTORY=/app/wallet)))
Note:
METHOD=HSM means that a Hardware Security Module is used for encryption.
METHOD=FILE means that an encrypted wallet file is generated and used for encryption.
2. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password"
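A pre-flight check for step 1, as an added example (not from the original article or from Oracle): it parses sqlnet.ora text, rejects an entry whose parentheses do not balance, and reports which wallet file is in the configured directory. The function names are hypothetical, and cwallet.sso, the standard file name of an auto login wallet, is not mentioned on the page.

```python
import os
import re
import tempfile

PARAMS = ("ENCRYPTION_WALLET_LOCATION", "WALLET_LOCATION")  # order listed on the page

def parse_wallet_location(text):
    """Return (parameter, method, directory) for the first wallet parameter set, or None."""
    entries, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        start = re.match(r"([A-Za-z_.]+)\s*=(.*)", line)
        if start:                              # a new parameter begins
            name = start.group(1).upper()
            entries[name] = start.group(2)
        elif name:                             # continuation such as "(SOURCE=..."
            entries[name] += line
    for param in PARAMS:
        value = entries.get(param)
        if value is None:
            continue
        if value.count("(") != value.count(")"):
            raise ValueError(f"{param}: unbalanced parentheses in {value!r}")
        method = re.search(r"\(\s*METHOD\s*=\s*(\w+)", value, re.I)
        directory = re.search(r"\(\s*DIRECTORY\s*=\s*([^)\s]+)", value, re.I)
        return (param, method and method.group(1).upper(), directory and directory.group(1))
    return None

def wallet_kind(directory):
    """Classify a wallet directory by the standard Oracle wallet file names."""
    files = set(os.listdir(directory)) if os.path.isdir(directory) else set()
    if "cwallet.sso" in files:    # auto login wallet, opens without a password
        return "auto-login"
    if "ewallet.p12" in files:    # password wallet, needs WALLET OPEN after restart
        return "password"
    return "none"                 # WALLET OPEN would report ORA-28367

def demo():
    """Check a constructed sqlnet.ora entry and a constructed wallet directory."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "ewallet.p12"), "wb").close()  # empty stand-in file
        conf = ("ENCRYPTION_WALLET_LOCATION=\n (SOURCE=(METHOD=FILE)(METHOD_DATA=\n"
                f"  (DIRECTORY={d})))\n")
        return parse_wallet_location(conf), wallet_kind(d)

if __name__ == "__main__":
    print(demo())
```

An entry that ends after a single closing parenthesis following the DIRECTORY value raises ValueError here instead of being passed on to the database.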
Create an encrypted tablespace
CREATE TABLESPACE encrypt_ts
  DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
  ENCRYPTION
  DEFAULT STORAGE (ENCRYPT);
ENCRYPTION clause: Use this clause to specify the encryption properties of the tablespace. This clause does not actually encrypt the tablespace. You must also specify the ENCRYPT keyword as part of the DEFAULT storage_clause in this statement in order for the tablespace to be encrypted. In addition, you must already have used ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY ... to load the TDE master key into database memory for the duration of the instance, or established a connection to the HSM to send the encrypted table and tablespace keys to the HSM and receive them back decrypted.
Open auto login wallet
It is opened automatically when the database is restarted; the command for opening it manually still needs to be checked in the official documentation.
Open encrypted wallet
1. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password"
It can be executed at any time.
2. ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password"
It cannot be executed in the following two situations:
2.1 The auto login wallet has already been opened.
2.2 The encrypted wallet has already been opened, for example because ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" has been executed.
Close only the auto login wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
Close the encrypted wallet
This closes both the auto login wallet and the encrypted wallet at the same time
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";
Official summary of auto login wallet
Transparent Data Encryption (TDE) uses an auto login wallet only if it is available at the correct location (ENCRYPTION_WALLET_LOCATION, WALLET_LOCATION, or default wallet location), and the SQL command to open an encrypted wallet has not already been executed. If an auto login wallet is being used, you must not use the ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" command.
A password is not required to close an auto-open wallet when only an auto-open wallet is present. The password is required to close an auto-open wallet when both an auto-open wallet and an encryption wallet are open. In this case, using CLOSE with a password will close the auto-open wallet and the encryption wallet.
The external security module can use wallets with the automatic login feature enabled. These wallets remain open all of the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet.
Auto login wallets are opened automatically and do not need to be opened explicitly.
No password is required to close an auto login wallet.
In case an auto login wallet needs to be closed, it can be closed with the following command:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
Official summary of encrypted wallet
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem";
The preceding command achieves the following:
If no encrypted wallet is present in the directory specified, an encrypted wallet is created (ewallet.p12), the wallet is opened, and the master encryption key for TDE is created/re-created.
If an encrypted wallet is present in the directory specified, the wallet is opened, and the master encryption key for TDE is created/re-created.
When you create the master encryption key using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" command, TDE checks to see if a wallet exists in the default or specified location. If no wallet exists, then a wallet is created automatically.
Use the following command to open the wallet containing the master encryption key:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem";
Every time the database is shut down, the Oracle wallet is closed. You can also explicitly close the wallet.
You need to make sure that the Oracle wallet is open before you can perform any encryption or decryption operation.
Behavior observed in an experiment (results in order, from top to bottom)
Edit the file sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)(METHOD_DATA=
  (DIRECTORY=/app/wallet)))
Or
WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)(METHOD_DATA=
  (DIRECTORY=/app/wallet)))
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
ORA-28367: wallet does not exist
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "oracle123";
System altered.
SQL> ALTER SYSTEM SET ENCRYPTION WALLET close;
ORA-28390: auto login wallet not open but encryption wallet may be open
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
ORA-28354: Encryption wallet, auto login wallet, or HSM is already open
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "oracle123";
System altered.
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
System altered.
SQL> startup force
ORACLE instance started.
Total System Global Area 2471931904 bytes
Fixed Size 2255752 bytes
Variable Size 637535352 bytes
Database Buffers 1811939328 bytes
Redo Buffers 20201472 bytes
Database mounted.
ORA-28365: wallet is not open
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
System altered.
SQL> alter database open;
Database altered.
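The open and close rules above, written as a small state model and replayed against the experiment's command sequence. This is an added example, not code from the original article or from Oracle; the class and method names are hypothetical, and it covers only a password wallet with no auto login wallet present.

```python
class OraError(Exception):
    """Raised with the ORA- code seen in the page's experiment."""

class PasswordWallet:
    """Hypothetical model: password wallet only, no auto login wallet present."""

    def __init__(self):
        self.exists = False      # ewallet.p12 present in the wallet directory
        self.is_open = False     # master key loaded into instance memory
        self.key_version = 0     # counts master key creations and re-creations

    def set_key(self):           # ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY ...
        self.exists = self.is_open = True    # creates the wallet if missing, opens it
        self.key_version += 1                # and always (re)creates the master key
        return "System altered."

    def open(self):              # ... SET ENCRYPTION WALLET OPEN IDENTIFIED BY ...
        if not self.exists:
            raise OraError("ORA-28367")      # wallet does not exist
        if self.is_open:
            raise OraError("ORA-28354")      # wallet is already open
        self.is_open = True
        return "System altered."

    def close(self, with_password):          # ... SET ENCRYPTION WALLET CLOSE [...]
        if not with_password:
            raise OraError("ORA-28390")      # this form only closes auto login
        if not self.is_open:
            raise NotImplementedError("closing a closed wallet is not covered")
        self.is_open = False
        return "System altered."

    def startup_force(self):     # every shutdown closes the wallet
        self.is_open = False
        raise OraError("ORA-28365")          # assumes encrypted data is needed at open

def replay(wallet, steps):
    """Run (method, *args) steps; return each result or the ORA- code raised."""
    results = []
    for name, *args in steps:
        try:
            results.append(getattr(wallet, name)(*args))
        except OraError as err:
            results.append(str(err))
    return results

# The experiment's wallet commands in order, up to the OPEN after the restart.
EXPERIMENT = [("open",), ("set_key",), ("close", False), ("open",), ("close", True),
              ("open",), ("startup_force",), ("open",)]
```

key_version rises on every set_key call: opening the wallet that way also re-creates the TDE master key, as the official summary above states.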
That concludes the discussion of how to understand Encrypted Wallet encryption. I hope the content above is of some help to you.