Thursday, May 26, 2011

How do I change (rotate, re-key) the encryption keys?

  1. How do I change (rotate, re-key) the encryption keys?

    Table C: Encryption re-key capabilities (Oracle Wallet or HSM)
    Database Release TDE Column Encryption TDE Tablespace Encryption
    Master encryption key Individual table keys Master encryption key Individual tablespace keys
    10gR2 Yes Yes n/a n/a
    11gR1 Yes Yes No(*) No(*)
    11gR2 Yes Yes Yes No(*)

    (*): Content can be moved from one encrypted tablespace to a new encrypted tablespace, where it is encrypted with a new tablespace key.

    TDE uses a two tier key mechanism. When TDE column encryption is applied to an existing application table column, a new table key is created and stored in the Oracle data dictionary. When TDE tablespace encryption is used, the individual tablespace keys are stored in the header of the underlying OS file(s). The table and tablespace keys are encrypted using the TDE master encryption key. The master encryption key is generated when TDE is initialized and stored outside the database in the Oracle Wallet or an HSM device (starting with Oracle 11gR1). Both the master key and table keys can be independently changed (rotated, re-keyed) based on company security policies. Tablespace keys cannot be re-keyed (rotated); work around is to move the data into a new encrypted tablespace. Oracle recommends backing up the wallet before and after each master key change.

    Changing the wallet password does not re-key the TDE master encryption key.



[oracle@vmxdb01 ~]$
[oracle@vmxdb01 ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.2.0 Production on Thu May 26 08:18:08 2011

Copyright (c) 1982, 2010, Oracle. All rights reserved.

Connected to an idle instance.

SQL> startup
ORACLE instance started.

Total System Global Area 627732480 bytes
Fixed Size 1345992 bytes
Variable Size 452986424 bytes
Database Buffers 167772160 bytes
Redo Buffers 5627904 bytes
Database mounted.
Database opened.
SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u01/app/oracle/product/11.2.0.2/db_1/wallet
OPEN


SQL> select * from v$encrypted_tablespaces;

TS# ENCRYPT ENC
---------- ------- ---
ENCRYTPEDKEY
----------------------------------------------------------------
MASTERKEYID BLOCKS_ENCRYPTED BLOCKS_DECRYPTED
-------------------------------- ---------------- ----------------
8 AES256 YES
7CC0E110A3368FC76D4F80F5D3036E61C4CC16244E5B883E4AA167664D08C29C
0CBD900BD9E24FE7BFA2A120F1353E0A 0 0


SQL> alter system set encryption key identified by Never4get;
alter system set encryption key identified by Never4get
*
ERROR at line 1:
ORA-28353: failed to open wallet


SQL> alter system set encryption key identified by "Never4get";

System altered.

SQL> select * from v$encrypted_tablespaces;

TS# ENCRYPT ENC
---------- ------- ---
ENCRYTPEDKEY
----------------------------------------------------------------
MASTERKEYID BLOCKS_ENCRYPTED BLOCKS_DECRYPTED
-------------------------------- ---------------- ----------------
8 AES256 YES
305CE8652C4DC4FEC92A8C1C28E1F4925E40330B76C9A7E0F208CCEBA2256CD4
2270620BA7814F3FBFD0C31C42BABF03 0 0


SQL> select count(*) from e;

COUNT(*)
----------
107