Skip to main content
Skip table of contents

Provisioning a VDB from an encrypted Oracle database

Overview

This topic describes how to provision a VDB from an encrypted database. The Delphix Engine supports provisioning from a dSource linked to a physical database that has been encrypted with Oracle's Transparent Database Encryption (TDE), which can be used to encrypt columns or tablespaces.

The Delphix engine supports provisioning from a dSource with an encrypted system tablespace in a non-multitenant configuration. The VDB’s wallet on the target environment must include an auto-login wallet. Local auto-login wallets are not supported for this configuration.

Provisioning a VDB from an encrypted dSource requires an auto-open wallet setup in the target environment, because the provisioning process requires the master key to be stored in the wallet file. On the dSource, export the keys and copy the export file (both ewallet.p12 and cwallet.sso)to the VDB server. On the VDB server, create an empty wallet and import the keys into the wallet, then set the key to be used.

When provisioning a VDB from an encrypted dSource, if the target environment has other databases that also use TDE, each database should use a different wallet. This also includes a scenario where the VDB has been provisioned back to the same environment as the encrypted dSource. Please check Oracle documentation on how to set up different wallet locations for different databases. For example, use $ORACLE_SID in the DIRECTORY clause of the ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora.

CODE 
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/wallets/$ORACLE_SID)))

Procedure

  1. Check for any encrypted columns or tablespaces on the source database by using these commands:

    CODE 
    SELECT t.name name, e.encryptionalg algorithm FROM v$tablespace t, v$encrypted_tablespaces e
WHERE t.ts# = e.ts# and upper(e.encryptedts) = 'YES';

  2. Copy wallet files from the source database to the target environment, and then configure the sqlnet.orafile on the target to point to the directory where the wallet is located.

    CODE 
    $ more sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE(METHOD=file) (METHOD_DATA=(DIRECTORY=/opt/oracle/oradata/nf/wallet)))

  3. If the source database does not use the auto-open wallet, create the auto-open wallet at the target environment.

    CODE 
    $ orapki wallet create -wallet /opt/oracle/oradata/nf/wallet -auto_login [-pwd password]

  4. Proceed with provisioning the VDB as described in Provisioning an Oracle VDB

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close