
TDE-enabled vPDB requirements

Oracle recommends that the keystore be stored on a separate disk from the datafiles. In accordance with this recommendation, neither keystores nor exported keyfiles are stored on Delphix storage. Rather, they are placed on customer storage. Exported keyfiles generated by Delphix are stored in the artifact directory under the keystores root directory, while keystores generated by Delphix are stored in the location specified by the sqlnet.ora file or the WALLET_ROOT initialization parameter of the target container database. It is the customer's responsibility to maintain these storage locations and ensure they are backed up as needed, just like database files. If the keystore or exported keyfile is lost, the data in the associated vPDB may not be recoverable and the vPDB will cease to operate.

Basic requirements

  • Migration of a TDE-enabled vPDB from one CDB to another requires manual steps that must be completed for the vPDB migration to succeed and to support refresh and rewind operations on the migrated vPDB.

  • The dSource from which the initial provision is done must be encrypted when it is linked. If a dSource is encrypted after it is linked, a full backup must be taken and the resulting new dSource snapshot should be used for provisioning any TDE-enabled vPDBs; otherwise provisioning will fail with ORA-28311: Oracle encrypted data block not encrypted (file # 1, block # 520).

  • There is currently no supported transition path from existing TDE-enabled vPDBs using the TDE workaround to the full product solution. The TDE workaround continues to be supported for approved customers.

  • Delphix does not support isolated keystore mode. In isolated mode, a pluggable database (PDB) has its own keystore, and that keystore and its TDE master encryption keys can be managed from the PDB only. Only united keystore mode is supported.

  • For linked provisions, the target container database should have an autologin keystore configured. For a cluster target, the autologin keystore is shared. For vCDB provisions, Delphix will create an autologin keystore when configuring the vCDB keystore.

Delphix does not support converting an unencrypted vPDB/vCDB into an encrypted one. These will need to be recreated from a new snapshot that is generated after taking a full backup of the corresponding PDB dSource.

Additional requirements for TDE software keystore based databases

  • The Oracle version must be 12cR2 or higher (Oracle 12cR1 is not supported).

  • Parent keystores of the source PDB must not be on ASM storage. Target CDB keystores, however, can be on ASM storage.

  • Only software keystores on the same host as the database files are supported.

Additional requirements for TDE OKV-enabled databases

  • The Oracle database version must be 18c or higher.

  • To link a TDE OKV-enabled dSource, ensure that the OKV home path is set in the source environment added to the Delphix Continuous Data engine. For more information, refer to Adding or Editing the OKV Home.

  • The target database endpoint must have at least Read access to the parent database endpoint master encryption keys.

  • When provisioning a virtual pluggable database (vPDB) from a TDE OKV-enabled dSource snapshot, set the OKV Home path in the target environment added to the Delphix Continuous Data Engine. For more information, refer to Adding or Editing the OKV Home.

  • TDE External Key Manager credential must be set either at the target environment level or at the container database (CDB) level in the target environment added to the Delphix Continuous Data Engine. For more information, refer to Adding or Editing the TDE External Key Manager Credential.

Additional requirements for TDE HSM-enabled databases

  • The Oracle version must be 18c or higher.

  • The target domain must have at least read access to the parent domain master encryption keys.

  • When provisioning a virtual pluggable database from a TDE HSM-enabled dSource, set the TDE External Key Manager Credential either at the target environment level or at the container database (CDB) level in the target environment added to the Delphix Continuous Data Engine. In the case of Thales CipherTrust Manager, the TDE External Key Manager Credential must adhere to the pattern domain:username:password. In the case of the default domain, it must be specified as username:password. For more information, refer to Adding or Editing the TDE External Key Manager Credential.

The TDE External Key Manager credential may differ for other HSM providers. Refer to the specific HSM provider documentation for details on how the TDE External Key Manager credential should be specified.
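The two credential forms described above (domain:username:password, or username:password for the default domain) are easy to get wrong when they are scripted into environment or CDB configuration. The following is an added example, not Delphix code, showing one way to validate such a string before handing it to the engine: it splits the credential into its parts, rejects empty fields, and keeps the password out of log output. The treatment of colons inside the password (everything after the second separator is the password) is an assumption, as are the sample values.

```python
"""Parse and validate a TDE External Key Manager credential string.

Added example (not Delphix code). It assumes the Thales CipherTrust Manager
formats described above: "domain:username:password", or "username:password"
when the default domain is used. Treating everything after the second
separator as the password is an assumption.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EkmCredential:
    domain: Optional[str]   # None means the default domain
    username: str
    password: str

    def __repr__(self) -> str:
        # Never echo the secret into logs or tracebacks.
        dom = "<default>" if self.domain is None else self.domain
        return f"EkmCredential(domain={dom!r}, username={self.username!r}, password='***')"

    def as_credential_string(self) -> str:
        # Re-emit the value in the form expected for this provider.
        if self.domain is None:
            return f"{self.username}:{self.password}"
        return f"{self.domain}:{self.username}:{self.password}"


def parse_ekm_credential(value: str) -> EkmCredential:
    """Split a credential string into its parts, rejecting malformed input."""
    if not value or value != value.strip():
        raise ValueError("credential must be non-empty with no surrounding whitespace")
    colons = value.count(":")
    if colons == 0:
        raise ValueError("credential must be domain:username:password or username:password")
    if colons == 1:
        # Default-domain form.
        username, password = value.split(":", 1)
        domain: Optional[str] = None
    else:
        # Assumption: with two or more colons, the first two fields are the domain
        # and username; the remainder (colons included) is the password.
        domain, username, password = value.split(":", 2)
        if not domain:
            raise ValueError("domain must not be empty; omit it to use the default domain")
    if not username or not password:
        raise ValueError("username and password must both be non-empty")
    return EkmCredential(domain, username, password)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ("corp:tde_svc:Pa55word", "tde_svc:Pa55word", ":tde_svc:x", "no_separator"):
        try:
            print(f"{sample!r} -> {parse_ekm_credential(sample)}")
        except ValueError as exc:
            print(f"{sample!r} rejected: {exc}")
```

Running the script prints the parsed form for the two valid samples (with the password masked) and a rejection reason for the two malformed ones. The same function can be used in a pre-flight check before setting the credential at the environment or CDB level.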

Some or all of these restrictions may be relaxed in future versions of Delphix.
