We need to export and import the TDE master encryption key when migrating a TDE-encrypted non-CDB into a CDB, or when migrating an encrypted PDB to another CDB.
How To Export TDE Master Encryption Key
When you migrate a PDB from one database to another and the source PDB is encrypted, you need to export the keys from the source database for the PDB to migrate successfully. This can be done with the command below:
alter session set container=TESTPDB;
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "my_secret" TO '<location of export file>' IDENTIFIED BY "<wallet password>";
This command requires the wallet to be open in password mode; otherwise it fails.
You can also export the keys if the wallet is open in auto-login mode. This requires a certain patch level, and we also need to add FORCE KEYSTORE:
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "my_secret" TO '<location of export file>' FORCE KEYSTORE IDENTIFIED BY "<wallet password>";
How To Import TDE Master Encryption Key
Now import the exported keys into the target database after the pluggable database is created:
alter session set container=TESTPDB;
ADMINISTER KEY MANAGEMENT IMPORT KEYS WITH SECRET "my_secret" from '<location of export file>' IDENTIFIED BY "<wallet password>" with backup;
This command requires the wallet to be open in password mode; otherwise it fails.
You can also import the keys if the wallet is open in auto-login mode, but this requires a certain patch level. We also need to add FORCE KEYSTORE:
alter session set container=TESTPDB;
ADMINISTER KEY MANAGEMENT IMPORT KEYS WITH SECRET "my_secret" from '<location of export file>' FORCE KEYSTORE IDENTIFIED BY "<wallet password>" with backup;
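A check to run around the steps above, as an added example that is not part of the original article: the first query shows how the keystore is open, which decides between the plain and the FORCE KEYSTORE form of the commands, and the second lists the master keys so the KEY_ID values on the source (before export) and on the target (after import) can be compared. It assumes the V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS views of Oracle 12c and later, and reuses the TESTPDB name from above.

```sql
-- Added example, not from the original article.
-- Run in the PDB being migrated (TESTPDB is the name used on this page).
ALTER SESSION SET CONTAINER = TESTPDB;

-- 1. How is the keystore open? This decides which command form applies.
SELECT wrl_type,
       status,
       wallet_type,
       CASE
         WHEN status NOT LIKE 'OPEN%'
           THEN 'keystore is not open: open it before export/import'
         WHEN wallet_type = 'PASSWORD'
           THEN 'password keystore: plain EXPORT/IMPORT form'
         WHEN wallet_type IN ('AUTOLOGIN', 'LOCAL_AUTOLOGIN')
           THEN 'auto-login keystore: add FORCE KEYSTORE'
         ELSE 'unknown keystore type: check the keystore configuration'
       END AS command_form
FROM   v$encryption_wallet;

-- 2. Which master keys does this container have?
--    Run on the source before the export and on the target after the
--    import; the source KEY_ID values should appear in the target list.
SELECT key_id,
       creation_time,
       activation_time,
       creator_pdbname,
       backed_up
FROM   v$encryption_keys
ORDER  BY creation_time;
```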
I hope this is clear and helpful