Provisioning a TDE (Transparent Data Encryption) enabled VDB

Overview

This topic describes how to provision a VDB from an encrypted database. The Delphix Engine supports provisioning from a dSource linked to a physical database that has been encrypted with Oracle's Transparent Data Encryption (TDE), which can be used to encrypt columns or tablespaces.

The Delphix Engine supports provisioning from a dSource with an encrypted system tablespace in a non-multitenant configuration. The VDB’s wallet on the target environment must include an auto-login wallet. Local auto-login wallets are not supported for this configuration.

Provisioning a VDB from an encrypted dSource requires an auto-open wallet setup in the target environment, because the provisioning process requires the master key to be stored in the wallet file. This can be achieved either by copying the ewallet.p12 and cwallet.sso files to the target host (to do this, the wallet must not be created with the “local” option), or by creating a new auto-open wallet on the target and then exporting/importing the keys to this wallet.

When provisioning a VDB from an encrypted dSource, if the target environment has other databases that also use TDE, each database should use a different wallet. This also includes a scenario where the VDB has been provisioned back to the same environment as the encrypted dSource. Please check Oracle documentation on how to set up different wallet locations for different databases. For example, use $ORACLE_SID in the DIRECTORY clause of the ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora.

CODE
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/wallets/$ORACLE_SID)))

Procedure

  1. Check for any encrypted columns or tablespaces on the source database by using these commands:

    CODE
    SELECT t.name name, e.encryptionalg algorithm FROM v$tablespace t, v$encrypted_tablespaces e
    WHERE t.ts# = e.ts# and upper(e.encryptedts) = 'YES';
  2. Copy wallet files from the source database to the target environment, and then configure the sqlnet.ora file on the target to point to the directory where the wallet is located.

    CODE
    $ more sqlnet.ora
    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=file) (METHOD_DATA=(DIRECTORY=/opt/oracle/oradata/nf/wallet)))
  3. If the source database does not use the auto-open wallet, create the auto-open wallet at the target environment.

    CODE
    $ orapki wallet create -wallet /opt/oracle/oradata/nf/wallet -auto_login [-pwd password]
  4. Proceed with provisioning the VDB as described in Provisioning an Oracle VDB.
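
A pre-provisioning check for steps 2 and 3 and for the one-wallet-per-database advice above, as an added example that is not part of the Delphix documentation: it resolves the wallet directory from sqlnet.ora, confirms that ewallet.p12 and cwallet.sso are present and not world-readable, and lists wallet directories shared by several SIDs. The function names, the SIDs VDB1 and VDB2 and the temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Delphix or Oracle code). Handles the METHOD=FILE form of
# ENCRYPTION_WALLET_LOCATION shown on this page; assumes no whitespace in paths.

# Print the wallet DIRECTORY from sqlnet.ora $1 with $ORACLE_SID set to $2.
wallet_dir() (
  dir=$(grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\r\n' |
        grep -io 'ENCRYPTION_WALLET_LOCATION=.*' |
        grep -io '(DIRECTORY=[^)]*' | head -n 1)
  [ -n "$dir" ] || exit 1
  printf '%s\n' "${dir#*=}" | sed "s|[$]{ORACLE_SID}|$2|g; s|[$]ORACLE_SID|$2|g"
)

# Check SID $2: ewallet.p12 and cwallet.sso must exist, be non-empty and not be
# world-readable (they hold the TDE master key). Exit 0 ok, 1 problem, 2 no setting.
check_wallet() (
  dir=$(wallet_dir "$1" "$2") || { echo "no ENCRYPTION_WALLET_LOCATION in $1"; exit 2; }
  rc=0
  for f in ewallet.p12 cwallet.sso; do
    if [ ! -s "$dir/$f" ]; then
      echo "MISSING $dir/$f"; rc=1
    elif [ -n "$(find "$dir/$f" -perm -004)" ]; then
      echo "WORLD-READABLE $dir/$f"; rc=1
    fi
  done
  [ "$rc" -ne 0 ] || echo "OK $2 -> $dir"
  exit "$rc"
)

# Print each wallet directory that more than one of the SIDs $2.. resolves to
# (the page asks for a separate wallet per TDE database on a host).
shared_wallets() (
  conf=$1; shift
  for sid in "$@"; do wallet_dir "$conf" "$sid"; done | sort | uniq -d
)

# Demo on constructed input: temp directory, made-up SIDs VDB1 and VDB2.
demo() (
  t=$(mktemp -d) && trap 'rm -rf "$t"' EXIT
  printf 'ENCRYPTION_WALLET_LOCATION =\n (SOURCE=(METHOD=file)\n  (METHOD_DATA=(DIRECTORY=%s/$ORACLE_SID)))\n' "$t" >"$t/sqlnet.ora"
  mkdir "$t/VDB1" "$t/VDB2"
  (umask 077; echo x >"$t/VDB1/ewallet.p12"; echo x >"$t/VDB1/cwallet.sso")
  check_wallet "$t/sqlnet.ora" VDB1            # OK
  check_wallet "$t/sqlnet.ora" VDB2 || true    # both files reported MISSING
  shared_wallets "$t/sqlnet.ora" VDB1 VDB2     # prints nothing: wallets are separate
)
demo
```

Run `check_wallet` as the Oracle software owner on the target host before step 4; a file-presence check cannot tell a local auto-login wallet from a regular one, so that still has to be confirmed from how the wallet was created.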
