This topic describes how to provision a VDB from an encrypted database. The Delphix Engine supports provisioning from a dSource linked to a physical database that has been encrypted with Oracle's Transparent Database Encryption (TDE), which can be used to encrypt columns or tablespaces.
The Delphix engine supports provisioning from a dSource with an encrypted system tablespace in a non-multitenant configuration. The VDB’s wallet on the target environment must include an auto-login wallet. Local auto-login wallets are not supported for this configuration.
Provisioning a VDB from an encrypted dSource requires an auto-open wallet setup in the target environment, because the provisioning process requires the master key to be stored in the wallet file. On the dSource, export the keys and copy the export file (both
cwallet.sso)to the VDB server. On the VDB server, create an empty wallet and import the keys into the wallet, then set the key to be used.
When provisioning a VDB from an encrypted dSource, if the target environment has other databases that also use TDE, each database should use a different wallet. This also includes a scenario where the VDB has been provisioned back to the same environment as the encrypted dSource. Please check Oracle documentation on how to set up different wallet locations for different databases. For example, use
$ORACLE_SID in the
DIRECTORY clause of the
ENCRYPTION_WALLET_LOCATION parameter in
Check for any encrypted columns or tablespaces on the source database by using these commands:CODE
SELECT t.name name, e.encryptionalg algorithm FROM v$tablespace t, v$encrypted_tablespaces e WHERE t.ts# = e.ts# and upper(e.encryptedts) = 'YES';
Copy wallet files from the source database to the target environment, and then configure the
sqlnet.orafile on the target to point to the directory where the wallet is located.CODE
$ more sqlnet.ora ENCRYPTION_WALLET_LOCATION=(SOURCE(METHOD=file) (METHOD_DATA=(DIRECTORY=/opt/oracle/oradata/nf/wallet)))
If the source database does not use the auto-open wallet, create the auto-open wallet at the target environment.CODE
$ orapki wallet create -wallet /opt/oracle/oradata/nf/wallet -auto_login [-pwd password]
Proceed with provisioning the VDB as described in Provisioning an Oracle VDB