
How To Export/Import TDE Master Encryption Key

We need to export and import the TDE master encryption key when migrating a TDE-encrypted non-CDB into a CDB, or when migrating an encrypted PDB to another CDB.

How To Export TDE Master Encryption Key

When you migrate a PDB from one database to another and the source PDB is encrypted, you need to export the keys from the source database for the migration to succeed. This can be done using the command below:

alter session set container=TESTPDB;
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "my_secret" TO '<location of export file>' IDENTIFIED BY "<wallet password>";

This command requires the wallet to be opened in password mode. Otherwise, it will fail.

You can also export the keys if the wallet is opened in autologin mode. This requires a certain patch level, and we also need to add FORCE KEYSTORE:

ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "my_secret" TO '<location of export file>' FORCE KEYSTORE IDENTIFIED BY "<wallet password>";

How To Import TDE Master Encryption Key

Now import the exported keys into the target database after the pluggable database is created:

alter session set container=TESTPDB;
ADMINISTER KEY MANAGEMENT IMPORT KEYS WITH SECRET "my_secret" from '<location of export file>' IDENTIFIED BY "<wallet password>" with backup;

This command requires the wallet to be opened in password mode. Otherwise, it will fail.

You can also import the keys if the wallet is opened in autologin mode, but this requires a certain patch level. We also need to add FORCE KEYSTORE:

alter session set container=TESTPDB;
ADMINISTER KEY MANAGEMENT IMPORT KEYS WITH SECRET "my_secret" from '<location of export file>' FORCE KEYSTORE IDENTIFIED BY "<wallet password>" with backup;
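
The export and import steps above, combined with checks of the wallet mode and of the key IDs before and after. This is an added example, not part of the original article; TESTPDB, "my_secret" and the <...> placeholders are taken from the article, and the queries assume access to V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS.

```sql
-- Added example (not from the original article).

-- ===== SOURCE database =====
ALTER SESSION SET CONTAINER = TESTPDB;

-- Check how the wallet is open before choosing the command form:
--   WALLET_TYPE = PASSWORD  -> the plain EXPORT form works
--   WALLET_TYPE = AUTOLOGIN -> FORCE KEYSTORE is needed (as below)
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- Record the master key IDs that are expected to arrive on the target.
SELECT key_id, creation_time, activation_time
  FROM v$encryption_keys
 ORDER BY creation_time;

-- Autologin form from the article; omit FORCE KEYSTORE when the
-- wallet is open in password mode.
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
  WITH SECRET "my_secret"
  TO '<location of export file>'
  FORCE KEYSTORE
  IDENTIFIED BY "<wallet password>";

-- ===== TARGET database, after the PDB has been created =====
ALTER SESSION SET CONTAINER = TESTPDB;

-- Same wallet-mode check on the target side.
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

ADMINISTER KEY MANAGEMENT IMPORT KEYS
  WITH SECRET "my_secret"
  FROM '<location of export file>'
  FORCE KEYSTORE
  IDENTIFIED BY "<wallet password>"
  WITH BACKUP;

-- The KEY_ID values recorded on the source should now be listed here.
SELECT key_id, creation_time, activation_time
  FROM v$encryption_keys
 ORDER BY creation_time;
```

The export file holds the master keys protected only by the secret, so restrict access to it during transfer and remove it once the import has been verified.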

Key Concepts to Remember

  • TDE (Transparent Data Encryption): A technology that encrypts sensitive data stored in database files, allowing database operations to continue normally while ensuring data security.
  • TDE Wallet: A file-based storage mechanism used to hold the TDE master encryption key.
  • Master Encryption Key: The key used to encrypt and decrypt table keys or tablespace keys in Oracle Database.
  • Oracle Wallet: A PKCS #12 container used for storing multiple credentials, of which TDE Wallet is a specialized type.

I hope this is clear and helpful
