Applies To
All Users
Summary
Is It Possible To Migrate The Encryption Keys From A Software Wallet To An HSM And Vice Versa?
Solution
Currently, only migration of the encryption keys from an Oracle wallet to an HSM device is possible. The reverse migration from HSM to wallet is not supported before 12.1.
The procedure to migrate the encryption keys from a wallet to an HSM is:
- Set the ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora:
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM)
    (METHOD_DATA=
      (DIRECTORY=/oracle/TDE_WALLETS/$ORACLE_SID)
    )
  )
- Copy the HSM PKCS#11 library to the path specified by the vendor:
/opt/oracle/extapi/32,64/hsm/{VENDOR}/{VERSION}/libapiname.ext
- Run the following statement:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "HSMuser:HSMpassword" MIGRATE USING "wallet_password";
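A pre-flight check for the three steps above, run before the MIGRATE statement. This is an added example, not Oracle-supplied code: the function names are hypothetical, the wallet file name ewallet.p12 is assumed to be the default password-protected wallet, and the library permission test is an added hardening check that the procedure itself does not require.

```shell
#!/bin/sh
# Added pre-flight check for the wallet-to-HSM migration; not Oracle-supplied.
# Function names are hypothetical.

# Print sqlnet.ora on one line with comments and whitespace removed.
flatten() { sed 's/#.*//' "$1" | tr -d ' \t\r\n'; }

# Print the METHOD of ENCRYPTION_WALLET_LOCATION, upper-cased.
wallet_method() {
    flatten "$1" | tr '[:lower:]' '[:upper:]' |
        sed -n 's/.*ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=\([A-Z]*\)).*/\1/p'
}

# Print the DIRECTORY entry with $ORACLE_SID expanded from the environment.
wallet_directory() {
    flatten "$1" |
        sed -n 's/.*ENCRYPTION_WALLET_LOCATION=.*(DIRECTORY=\([^)]*\)).*/\1/p' |
        sed "s|[\$]ORACLE_SID|${ORACLE_SID:-}|g"
}

# List candidate libraries under <base>/<bits>/hsm/{VENDOR}/{VERSION}/.
pkcs11_libs() {
    for f in "$1/$2"/hsm/*/*/lib*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Usage: preflight <sqlnet.ora> <extapi base> <32|64>; returns 0 when ready.
preflight() {
    [ "$(wallet_method "$1")" = HSM ] ||
        { echo "ENCRYPTION_WALLET_LOCATION METHOD is not HSM" >&2; return 1; }
    dir=$(wallet_directory "$1")
    # MIGRATE USING "wallet_password" still has to open the software wallet.
    [ -f "$dir/ewallet.p12" ] ||
        { echo "no software wallet in DIRECTORY '$dir'" >&2; return 2; }
    libs=$(pkcs11_libs "$2" "$3")
    [ -n "$libs" ] ||
        { echo "no PKCS#11 library under $2/$3/hsm" >&2; return 3; }
    # The database loads this library, so only its owner should be able to write it.
    loose=$(printf '%s\n' "$libs" | while IFS= read -r f; do
        find "$f" -prune \( -perm -020 -o -perm -002 \) -print; done)
    [ -z "$loose" ] ||
        { echo "group/world-writable library: $loose" >&2; return 4; }
    echo "pre-flight OK"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```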
Reverse migration from HSM device to Oracle wallet:
- In 11.2.0.4: apply patch 20181737
- Run: ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password" REVERSE MIGRATE USING "HSMuser:HSMpassword";
Note: Starting from 12.1 DB, reverse migration from HSM to Oracle Software wallet is possible.
Note: In 11.2.0.4 DB, if you encounter an ORA-7445 KZTHSMGMK() error while removing the HSM wallet and redoing the TDE configuration using an Oracle wallet, apply patch 20181737.