Terminology
The following terms are used throughout TDE documentation and are summarized here for clarity. Note that the first occurrence of these terms may be on other documentation pages.
Term | Definition |
---|---|
Keystore/wallet | File found on the Oracle host which stores the keys used to encrypt and decrypt the internal table keys in a database. Every keystore has a password which is set when it is first created, and must be supplied for operations on it. |
Parent keystore | Keystore with the keys used to encrypt the dSource PDB files. |
Target keystore | Keystore for the target CDB into which the TDE-enabled vPDB is plugged. |
Linked CDB Provision | Provisioning to physical CDBs that are configured to use TDE, and are part of the target environment added in Delphix Continuous Data Engine. |
New Virtual CDB (vCDB) Provision | During the provisioning workflow for provisioning a new vPDB to a new vCDB, Delphix Continuous Data Engine will create a vCDB in the target environment and configure TDE. |
Existing Virtual CDB (vCDB) Provision | Provisioning to existing vCDBs that are configured to use TDE, and are part of the target environment added in Delphix Continuous Data Engine. |
Auxiliary container database (CDB) | Provisioning an Oracle vPDB requires running recovery to bring the snapshotted datafiles into a consistent state. This needs to be done in the context of a container database, which is created on the target system. After recovery is complete, the vPDB is unplugged and plugged into the target container, and the auxiliary container is deleted. |
Artifact directory | Directory on the target system (not on Delphix Continuous Data Engine storage) which stores keys needed to support Delphix Continuous Data Engine workflows on TDE-enabled vPDBs. It is located under the keystores root directory. |
Exported keyfile | File located on the target Oracle host which contains keys that have been exported from the keystore. It is encrypted with a secret that is specified when it is exported. The exported keyfile itself cannot be used as a keystore, but its contents can be imported into a new keystore. |
Key rotation | Process for changing the master encryption key in the keystore via the |
Keyfile secret | Password used to encrypt an exported keyfile. |
Keystores root directory | User-specified location on the target system under which all TDE-related artifacts, such as keystores and exported keyfiles created by Delphix Continuous Data Engine, are stored. This includes both the artifact directories used for vPDBs and temporary directories used for auxiliary CDB keystores. |
Target Domain | A logical unit in CipherTrust Manager that contains the master encryption keys of the target CDB into which the TDE-enabled vPDB is plugged. |
Parent Domain | A logical unit in CipherTrust Manager that contains the master encryption keys used to encrypt the dSource PDB files. |
TDE External Key Manager Credential | The credentials used to access the master encryption keys of the External Key Manager. |
TDE Encryption Secret | A passphrase or key that serves as an additional layer of protection for your exported master encryption key and/or transport secret during |
OKV Home | Oracle Key Vault Home. The installation directory path of the |
Target Endpoint | Oracle database, registered and enrolled with OKV, that contains the target CDB into which the TDE-enabled vPDB is plugged. |
Parent Endpoint | Oracle database, registered and enrolled with OKV, that contains the keys used to encrypt the dSource PDB files. |