TDE REKEY 不影响database Oracle TDE的配置

The database has flashback logging enabled and is using TDE. After resetting master key A to key B through REKEY and operating for a period. Then flashback the database to before the REKEY, what happens to the master key? Which key is correct after flashback database?

Changes

Rekey of the TDE master key after a GRP was created for flashback.

Cause

We expect the values reverted to below after the flashback which has not happened.

SQL> select t.name, RAWTOHEX(x.mkid) mkeyid from v $tablespace t, x$ kcbtek x where t.ts#=x.ts# and t.ts#=0;

NAME MKEYID

SYSTEM FF85208F9E9B4F4ABF5F6D6CE1E16695 <=== Key before restore point

SQL> create restore point before_reskey guarantee flashback database;

Restore point created.

SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY xxx WITH BACKUP;

keystore altered.

SQL> select t.name, RAWTOHEX(x.mkid) mkeyid from v $tablespace t, x$ kcbtek x where t.ts#=x.ts# and t.ts#=0;

NAME MKEYID

SYSTEM CDAF40ADA26D4F78BFF21D75728D5727 <=== Key after rotation

SQL> shut immediate

Database closed.

Database dismounted.

ORACLE instance shut down.

SQL> startup mount;

ORACLE instance started.

Total System Global Area 4294967296 bytes

Fixed Size 2922264 bytes

Variable Size 2466253032 bytes

Database Buffers 1677721600 bytes

Redo Buffers 148070400 bytes

Database mounted.

SQL> flashback database to restore point before_restkey ;

Flashback complete.

SQL> select t.name, RAWTOHEX(x.mkid) mkeyid from v $tablespace t, x$ kcbtek x where t.ts#=x.ts# and t.ts#=0;

NAME MKEYID

SYSTEM CDAF40ADA26D4F78BFF21D75728D5727 <== We did the flashback , but the key is not reflecting the old value

SQL> alter database open resetlogs;

Database altered.

SQL> select t.name, RAWTOHEX(x.mkid) mkeyid from v $tablespace t, x$ kcbtek x where t.ts#=x.ts# and t.ts#=0;

NAME MKEYID

SYSTEM CDAF40ADA26D4F78BFF21D75728D5727

Solution

This is expected behavior per design and not a bug. Flashback does not revert tablespace keys, which includes system tablespace key stored in the datafile header and the copy stored in the control file. Keys in enc$ will be reverted because it is stored in the dictionary.

In the test scenario, say after the first key the database uses master key A. Create a guaranteed restore point and rekey to master key B. At this point, both encrypted tablespaces and encrypted columns are (indirectly) protected by master key B.

Flashback to guaranteed restore point, encrypted columns are reverted to be protected by master key A, but encrypted tablespaces are still protected by master key B. Note it is less desirable that the master key gets reverted to key A for columns because the newer key is always assumed to be better (key A's lifetime was longer so more chances of being exposed).

Open reset logs and rekey to master key C, now both encrypted tablespaces and encrypted columns are protected by master key C.

This is the same behavior since 11.1, and becomes particularly important in 12.2 when we support tablespace level rekey.

What is the impact of the Database Media Recovery and Flashback Database operations on the Oracle TDE wallet?

Solution

These operations don't have any impact on the TDE wallet. More precisely:

if performing a Database Media Recovery and within the recovery period there is a master key change, this operation will not be reflected in the database wallet. The wallet will be left unchanged and only the master keys existing in the wallet at recovery start will be present at recovery end. If a master key change has been done in the database within the recovery interval and the existing wallet does not include the master key generated at that time, the recovery will fail.
if performing a Flashback Database and a master key change has been done in the covered interval of time, the operation will not be reflected in the wallet, ie all the master keys in the wallet before the flashback will be present at command completion.
the direct consequence of the above is that database media recovery cannot be used to recover wallet losses, when there are older wallet copies, if the master key has been changed within the interval between the wallet backup and the wallet loss. The recovery can be performed in this case until the moment when the master key has been changed. In this scenario if the latest wallet is not available after a rekey operation and the database needs to be recovered until the moment of the rekey operation, make sure to also restore a controlfile that was backed up before the latest rekey operation, since the latest controlfile has info about an unavailable master key which will lead to ORA-28374 errors during recovery.

To prove the above information, the following test has been done:

Impact of database recovery on the oracle wallet.

create a database
set the database in archivelog and flashback mode

mkdir $ORACLE_BASE/admin/$ ORACLE_SID/{wallet,archive,backup}

mkdir $ORACLE_BASE/admin/$ ORACLE_SID/backup/wallet

SQL> sqlplus "/ as sysdba"

SQL> alter system set log_archive_dest_1='location=<directory>';

SQL> alter system set log_archive_format='archive_<SID>%t%s_%r.dbf' scope=spfile;

SQL> shutdown immediate

SQL> startup mount

SQL> alter database archivelog;

SQL> alter database flashback on;

SQL> alter database open;

enable TDE

SQL> alter system set encryption key identified by "<wallet password>";

check wallet contents

cd $ORACLE_BASE/admin/$ ORACLE_SID/wallet

mkstore -wrl . -list

Enter wallet password:

Oracle Secret Store entries:

ORACLE.SECURITY.DB.ENCRYPTION.<key 1>

ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY

ORACLE.SECURITY.TS.ENCRYPTION.<key 2>

create an encrypted tablespace and an encrypted table and add some initial data:

SQL> create user <user> identified by <password>;

SQL> grant dba to <user>;

SQL> create table <user>.<table>(id number encrypt);

SQL> insert into <user>.<table> values(1);

SQL> commit;

SQL> create tablespace <tablespace name> datafile '<directory>/<datafile name>' size 10m
encryption using '3des168'

default storage(encrypt);

SQL> create table <user>.<table 1>(id number) tablespace <tablespace name>;

SQL> insert into <user>.<table 1> values(1);

SQL> commit;

take a database backup and a wallet backup

rman target /

RMAN> configure channel device type disk format '<backup location>';

RMAN> backup database plus archivelog;

SQL> alter system set wallet close identified by "<wallet password>";

cp $ORACLE_BASE/admin/$ ORACLE_SID/wallet/* $ORACLE_BASE/admin/$ ORACLE_SID/backup/wallet/ewallet.p12.1

recreate master key and add some more data

SQL> alter system set encryption key identified by "<wallet password>";

SQL> insert into <user>.<table> values(2);

SQL> commit;

SQL> insert into <user>.<table 1> values(2);

SQL> commit;

check wallet contents

mkstore -wrl . -list

Enter wallet password:

Oracle Secret Store entries:

ORACLE.SECURITY.DB.ENCRYPTION.<key 3>

ORACLE.SECURITY.DB.ENCRYPTION.<key 1>

ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY

ORACLE.SECURITY.TS.ENCRYPTION.<key 2>

make a new wallet backup, as ewallet.p12.2

cp $ORACLE_BASE/admin/$ ORACLE_SID/wallet/* $ORACLE_BASE/admin/$ ORACLE_SID/backup/wallet/ewallet.p12.2

remove the current database and the wallet.

SQL> shutdown immediate

rm <datfile created in step 5>
rm $ORACLE_BASE/admin/$ ORACLE_SID/wallet/ewallet.p12---就一个文件？

restore the backup and the first wallet and recover to present time.

cp $ORACLE_BASE/admin/$ ORACLE_SID/backup/wallet/ewallet.p12.1 $ORACLE_BASE/admin/$ ORACLE_SID/wallet/ewallet.p12

RMAN> restore database;

SQL> alter system set wallet open identified by "<wallet password>";

RMAN> recover database;

Fails with:

Starting recover at 03-JUN-11

using channel ORA_DISK_1

starting media recovery

media recovery failed

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of recover command at 06/03/2011 07:14:31

ORA-00283: recovery session canceled due to errors

RMAN-11003: failure during parse/execution of SQL statement: alter database recover if needed

start

ORA-00283: recovery session canceled due to errors

ORA-01110: data file 1: '<datafile name>'
ORA-28374: typed master key not found in wallet

As seen above, the database media recovery didn't affect the wallet.

restore the second wallet, including the latest master key:

SQL> alter system set wallet close identified by "<wallet password>";

cp $ORACLE_BASE/admin/$ ORACLE_SID/backup/wallet/ewallet.p12.2 $ORACLE_BASE/admin/$ ORACLE_SID/wallet/ewallet.p12

SQL> alter system set wallet open identified by "<wallet password>";

RMAN> recover database;

Starting recover at 03-JUN-11

using target database control file instead of recovery catalog

allocated channel: ORA_DISK_1

channel ORA_DISK_1: SID=192 device type=DISK

starting media recovery

media recovery complete, elapsed time: 00:00:01

The solution, as seen above, is to use the latest wallet version.

反正不用恢复旧的wallet，新的wallet包含了之前的所有key

check the table contents:

SQL> alter database open;

SQL> select * from <user>.<table>;

SQL> select * from <user>.<table 1>;