
ADDIS ABABA INSTITUTE OF TECHNOLOGY
Data at-rest and in-transit Encryption – Configuration Manual

Group Members

Section 2
Table of Contents
Data at rest Encryption
Data in transit encryption
Data at rest Encryption

Encrypting data at rest protects against "behind the scenes" access to stored data: reading the
datafiles or their backups directly from disk, tape or a copied storage volume, bypassing the
database's own access controls. When the data at rest is encrypted, an attacker who obtains the files
in this way sees only ciphertext; without the master encryption key the data is meaningless.
Oracle Transparent Data Encryption (TDE) provides this protection by encrypting data as it is written
to disk and decrypting it as it is read back by authorized database sessions. Two caveats follow
from "transparent": TDE does not hide data from users who already hold SELECT privileges inside the
database, and its strength rests entirely on the keystore (wallet) that holds the master key. The
keystore must therefore be protected with a strong password, kept readable only by the database
software owner, and backed up separately from the database backups it protects.
TDE Configuration
1. Configure wallet root
   - WALLET_ROOT in the spfile (replaces the deprecated ENCRYPTION_WALLET_LOCATION entry in SQLNET.ORA)
   - Keystore type (TDE_CONFIGURATION)
2. Create the keystore
3. Open the keystore
   - CDB
   - one or more PDBs
   - ALL
4. Create the master key
   - CDB
   - PDBs (must be open)
5. Optional: create autologin keystore
6. Encrypt columns, tablespaces or whole database

Step 1: Configure the Wallet Root

WALLET_ROOT is a static parameter, so it only takes effect after a restart; the spfile is copied to a dated pfile first so the change can be undone. The SQL is fed to SQL*Plus through a shell here-document so that ${ORACLE_BASE} and ${ORACLE_SID} expand before SQL*Plus sees them.

mkdir -p ${ORACLE_BASE}/admin/${ORACLE_SID}/wallet/tde ${ORACLE_BASE}/admin/${ORACLE_SID}/pfile
sqlplus / as sysdba <<EOF
-- keep a dated pfile copy of the spfile before changing a static parameter
create pfile='${ORACLE_BASE}/admin/${ORACLE_SID}/pfile/${ORACLE_SID}-$(date +%F).ora' from spfile;
-- WALLET_ROOT is static: it is read at the next startup, not now
alter system set WALLET_ROOT="${ORACLE_BASE}/admin/${ORACLE_SID}/wallet" scope=spfile;
shutdown immediate
startup
-- use a file-based keystore; it is looked for under WALLET_ROOT/tde
alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE";
EOF
Step 2: Create the password protected key store

The password (welcome1 in this manual) is a placeholder: use a strong one in practice, since it is all that protects the master key in ewallet.p12 from anyone who obtains a copy of the file.

sqlplus / as sysdba <<EOF
administer key management create keystore '${ORACLE_BASE}/admin/${ORACLE_SID}/wallet/tde' identified by welcome1;
set lines 300
column WRL_PARAMETER format a40
-- a freshly created keystore shows WRL_TYPE=FILE and STATUS=CLOSED
select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v\$encryption_wallet;
EOF
Step 3: Open the key store in the CDB and all PDBs

The PDBs must be open before the keystore can be opened in them. FORCE KEYSTORE opens the password keystore even if an autologin keystore is currently open.

sqlplus / as sysdba <<EOF
alter pluggable database all open;
administer key management set keystore open force keystore identified by welcome1 container = all;
set lines 300
column WRL_PARAMETER format a40
-- STATUS is OPEN_NO_MASTER_KEY until a master key is set in Step 4
select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v\$encryption_wallet;
EOF
Step 4: Create the master key

WITH BACKUP writes a copy of the keystore (ewallet_<timestamp>.p12) next to the keystore before the new key is added. Losing the keystore makes every encrypted tablespace permanently unreadable, so copy these backups off the host.

4.1: Create the master key for the container database

sqlplus / as sysdba <<EOF
administer key management set key identified by welcome1 with backup;
set lines 300
column WRL_PARAMETER format a40
column NAME format a10
-- outer join to v\$pdbs so the root (no row in v\$pdbs) is still listed; STATUS should now be OPEN
select WRL_TYPE, WRL_PARAMETER, STATUS, NAME
from v\$encryption_wallet a, v\$pdbs b
where a.con_id = b.con_id (+);
EOF

4.2: Create the master key for a PDB (repeat for each PDB; PDB01 is the example name used here)

sqlplus / as sysdba <<EOF
alter session set container = PDB01;
administer key management set key identified by welcome1 with backup;
set lines 300
column WRL_PARAMETER format a40
column NAME format a10
select WRL_TYPE, WRL_PARAMETER, STATUS, NAME
from v\$encryption_wallet a, v\$pdbs b
where a.con_id = b.con_id (+);
EOF
Step 5: Create an autologin keystore

An autologin keystore (cwallet.sso) lets the database open the keystore at startup without an operator typing the password. It also lets anyone who can read cwallet.sso do the same, so the file permissions on WALLET_ROOT/tde are what protect the master key from this point on. CREATE LOCAL AUTO_LOGIN KEYSTORE produces a keystore that only works on this host, which limits the damage if the file is copied elsewhere.

sqlplus / as sysdba <<EOF
administer key management create auto_login keystore
from keystore '${ORACLE_BASE}/admin/${ORACLE_SID}/wallet/tde'
identified by welcome1;
EOF
Step 6: Encrypt tablespaces

Online encryption rewrites the datafiles while the tablespace stays available, which needs free space roughly equal to the tablespace size for the duration. Without a USING clause the tablespace is encrypted with AES128; add USING 'AES256' to the statement if a stronger key length is required.

6.1: Encrypt tablespaces online (CDB)

sqlplus / as sysdba <<EOF
alter tablespace users encryption online encrypt;
-- ENCRYPTED=YES confirms the tablespace is now encrypted
select TABLESPACE_NAME, STATUS, ENCRYPTED from DBA_TABLESPACES;
EOF

6.2: Encrypt tablespaces online (PDB)

sqlplus / as sysdba <<EOF
alter session set container = PDB01;
select TABLESPACE_NAME, STATUS, ENCRYPTED from DBA_TABLESPACES;
alter tablespace users encryption online encrypt;
select TABLESPACE_NAME, STATUS, ENCRYPTED from DBA_TABLESPACES;
EOF
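The SQL in Steps 1-6 confirms that the keystore is OPEN and the tablespaces are ENCRYPTED, but it says nothing about who on the host can read the keystore files, which after Step 5 is the only thing standing between a local attacker and the master key. The following script is an added example written for this manual, not part of the original document or of Oracle's tooling. It audits the WALLET_ROOT/tde directory produced above (united-mode layout is assumed; the database software owner defaults to the calling user) and builds a throw-away directory of empty placeholder files, shaped like a real keystore directory, to demonstrate a passing and a failing run.

```shell
#!/usr/bin/env bash
# Added example, not part of the original manual: post-configuration audit of the
# keystore directory left under WALLET_ROOT/tde by Steps 1-5.
# Assumptions: united-mode layout WALLET_ROOT/tde as set in Step 1; the database
# software owner is passed as the second argument (defaults to the calling user).

perms_of() { ls -ld "$1" | cut -c5-10; }      # group+other mode bits, e.g. "r--r--" for 0644
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# audit_tde_keystore <wallet_root> [db_owner]
# Prints one OK/FAIL line per check and returns 0 only if every check passes.
audit_tde_keystore() {
    local root="$1" owner="${2:-$(id -un)}" dir="$1/tde" rc=0 f name p
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir not found; check WALLET_ROOT in the spfile"; return 1
    fi
    p=$(perms_of "$dir")
    if [ "$p" = "------" ]; then echo "OK:   $dir is private to $(owner_of "$dir")"
    else echo "FAIL: $dir allows group/other access ($p); chmod 700 it"; rc=1; fi

    # ewallet.p12 is the password keystore from Step 2, ewallet_<ts>.p12 the backups
    # from WITH BACKUP, cwallet.sso the autologin keystore from Step 5.
    [ -f "$dir/ewallet.p12" ] || { echo "FAIL: no ewallet.p12 in $dir; Step 2 did not run here"; rc=1; }
    for f in "$dir"/*.p12 "$dir"/*.sso; do
        [ -f "$f" ] || continue
        name=${f##*/}
        p=$(perms_of "$f")
        if [ "$p" = "------" ]; then echo "OK:   $name readable only by its owner"
        else echo "FAIL: $name allows group/other access ($p); a copy of it leaves with the data"; rc=1; fi
        if [ "$(owner_of "$f")" != "$owner" ]; then
            echo "FAIL: $name owned by $(owner_of "$f"), expected $owner"; rc=1
        fi
    done
    if [ -f "$dir/cwallet.sso" ]; then
        echo "NOTE: autologin keystore present; anyone who can read cwallet.sso opens TDE without the password"
    fi
    set -- "$dir"/ewallet_*.p12
    if [ -f "$1" ]; then echo "OK:   $# keystore backup(s) present; copy them off-host as well"
    else echo "FAIL: no ewallet_*.p12 backup; losing the keystore makes every encrypted tablespace unreadable"; rc=1; fi
    return $rc
}

# make_fixture <mode>: constructed throw-away directory shaped like WALLET_ROOT after
# Steps 2-5 (empty placeholder files, not a real keystore), keystore files set to <mode>.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir "$root/tde" && chmod 700 "$root/tde"
    : > "$root/tde/ewallet.p12"
    : > "$root/tde/ewallet_2024010109300001.p12"
    : > "$root/tde/cwallet.sso"
    chmod "$1" "$root/tde"/*.p12 "$root/tde"/*.sso
    echo "$root"
}

# Stand-alone demo: a correctly protected layout, then one left world-readable.
good=$(make_fixture 600); bad=$(make_fixture 644)
echo "== $good =="; audit_tde_keystore "$good" || true
echo "== $bad =="; audit_tde_keystore "$bad" || true
rm -rf "$good" "$bad"
```

Run it against the real WALLET_ROOT as `audit_tde_keystore "${ORACLE_BASE}/admin/${ORACLE_SID}/wallet" oracle` after Step 5 and again after every key rotation, since each WITH BACKUP creates a new file that inherits the process umask rather than the permissions of the original keystore.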

Data in transit encryption

Oracle Database provides native network encryption and integrity checking for SQL*Net traffic so
that data is protected as it travels between client and server. Encryption converts plaintext into
ciphertext under a key in such a way that recovering the plaintext without the key is
computationally infeasible; the integrity (checksum) setting detects modification or replay of
packets in transit and is configured separately from encryption. Both are controlled by parameters
in sqlnet.ora, which can be edited directly or through Oracle Net Manager as described below.

Encryption Configuration using Oracle Net Manager

1. Start Oracle Net Manager.
2. Expand Oracle Net Configuration, and from Local, select Profile.
3. From the list, select Network Security. The Network Security tabbed window appears.
4. Select the Encryption tab.
5. Select CLIENT or SERVER from the Encryption box, depending on which side of the connection this system is.
6. From the Encryption Type list, select one of the following:

   - Requested: encrypt if the other side allows it.
   - Required: encrypt, or refuse the connection if the other side cannot.
   - Accepted (the default): encrypt only if the other side asks for it (Requested or Required).
   - Rejected: never encrypt; a connection with a Required peer fails.

   Because both sides default to Accepted, a freshly installed client and server talk in cleartext: neither side asks for encryption. Set Required on the server so that every client either encrypts or is refused.

7. Select an encryption algorithm in the Available Methods list. Move it to the Selected Methods list by choosing the right arrow (>). Repeat for each additional method you want to use. The current algorithms are AES256, AES192 and AES128; the RC4, DES and 3DES entries are legacy algorithms and should not be selected. If the two sides share no algorithm, a connection that either side has marked Required is refused.
8. Select File, Save Network Configuration. The sqlnet.ora file is updated.
9. Repeat this procedure to configure encryption on the other system. The sqlnet.ora file on the two systems should contain the following entries:

   On the server:

   SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required]
   SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [, valid_encryption_algorithm])

   On the client:

   SQLNET.ENCRYPTION_CLIENT = [accepted | rejected | requested | required]
   SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [, valid_encryption_algorithm])

The Integrity tab of the same window sets the companion parameters SQLNET.CRYPTO_CHECKSUM_SERVER / SQLNET.CRYPTO_CHECKSUM_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER / SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT, which take the same four values and the algorithms SHA256, SHA384 and SHA512 (SHA1 and MD5 are legacy). Without them the traffic is encrypted but not protected against tampering.
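To make the negotiation rules and the resulting sqlnet.ora concrete, the following script is an added example written for this manual; it is not part of the original document or of Oracle's tooling. It embeds two constructed server-side sqlnet.ora fragments (the weak one is what the Net Manager steps produce if the Accepted default and a legacy algorithm are kept, the hardened one is the profile this section should end with), audits a sqlnet.ora file for the settings discussed above, and implements the client/server negotiation matrix so the cleartext and refused cases can be checked without two database hosts. The parameter names and values are Oracle's; the file contents, the check messages and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original manual: audit of server-side native
# network encryption settings in sqlnet.ora plus the client/server negotiation
# outcome for the four SQLNET.ENCRYPTION_* values.

# Constructed sample: Net Manager defaults left in place (ACCEPTED) and a legacy cipher.
WEAK_SQLNET='SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, AES128)'

# Constructed sample: the hardened server profile (encryption and integrity both REQUIRED).
HARDENED_SQLNET='SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)'

# sqlnet_param <file> <PARAMETER>: first value of PARAMETER, uppercased, with
# parentheses and blanks stripped, e.g. "(RC4_128, AES128)" -> "RC4_128,AES128".
sqlnet_param() {
    local key
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | tr -d '() \t' | tr 'a-z' 'A-Z'
}

# negotiate <client_setting> <server_setting>: outcome of the SQLNET.ENCRYPTION_*
# handshake: ENCRYPTED, CLEARTEXT (connection allowed, no encryption) or REJECTED.
negotiate() {
    local c s
    c=$(printf '%s' "$1" | tr 'a-z' 'A-Z'); s=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    if { [ "$c" = REJECTED ] && [ "$s" = REQUIRED ]; } ||
       { [ "$c" = REQUIRED ] && [ "$s" = REJECTED ]; }; then
        echo REJECTED
    elif [ "$c" = REJECTED ] || [ "$s" = REJECTED ]; then
        echo CLEARTEXT
    elif [ "$c" = ACCEPTED ] && [ "$s" = ACCEPTED ]; then
        echo CLEARTEXT      # both sides at the default: nobody asks, traffic stays in the clear
    else
        echo ENCRYPTED
    fi
}

# audit_sqlnet <sqlnet.ora>: one OK/FAIL line per check; returns 0 only if all pass.
audit_sqlnet() {
    local f="$1" rc=0 enc algs ck cktypes
    enc=$(sqlnet_param "$f" SQLNET.ENCRYPTION_SERVER)
    if [ "$enc" = REQUIRED ]; then
        echo "OK:   ENCRYPTION_SERVER=REQUIRED"
    else
        echo "FAIL: ENCRYPTION_SERVER=${enc:-unset (defaults to ACCEPTED)}; a default client connects in cleartext"; rc=1
    fi
    algs=$(sqlnet_param "$f" SQLNET.ENCRYPTION_TYPES_SERVER)
    case ",$algs," in
        ",,")  echo "FAIL: ENCRYPTION_TYPES_SERVER unset; pin it to AES256 (add AES192/AES128 only if clients need them)"; rc=1 ;;
        *,RC4_*|*,DES,*|*,DES40,*|*,3DES*) echo "FAIL: legacy algorithm in ($algs); keep only AES256/AES192/AES128"; rc=1 ;;
        *)     echo "OK:   ENCRYPTION_TYPES_SERVER=($algs)" ;;
    esac
    ck=$(sqlnet_param "$f" SQLNET.CRYPTO_CHECKSUM_SERVER)
    cktypes=$(sqlnet_param "$f" SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER)
    if [ "$ck" = REQUIRED ]; then
        echo "OK:   CRYPTO_CHECKSUM_SERVER=REQUIRED"
    else
        echo "FAIL: CRYPTO_CHECKSUM_SERVER=${ck:-unset}; integrity is separate from encryption and must be set too"; rc=1
    fi
    case ",$cktypes," in
        *,MD5,*|*,SHA1,*) echo "FAIL: legacy checksum in ($cktypes); use SHA256 or stronger"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone demo: audit both samples, then show the two negotiation cases that matter most.
weak=$(mktemp); printf '%s\n' "$WEAK_SQLNET" > "$weak"
hard=$(mktemp); printf '%s\n' "$HARDENED_SQLNET" > "$hard"
echo "== weak (Net Manager defaults) =="; audit_sqlnet "$weak" || true
echo "== hardened =="; audit_sqlnet "$hard" || true
rm -f "$weak" "$hard"
echo "ACCEPTED client vs ACCEPTED server: $(negotiate accepted accepted)"
echo "ACCEPTED client vs REQUIRED server: $(negotiate accepted required)"
```

Point `audit_sqlnet` at `$ORACLE_HOME/network/admin/sqlnet.ora` (or the directory named by TNS_ADMIN) on the server after step 8. The negotiation function encodes only the four-value handshake; when the two algorithm lists have no common entry and either side is REQUIRED, the real connection is refused as well, so keep AES256 in both lists when you pin the server.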
