Enabling TDE on a Non-Encrypted Oracle Database using Scripts
This section describes how to enable TDE on a database that has not previously been encrypted. If your database is already encrypted using a software wallet, see Migrating from Software Wallet using Scripts instead.
The encrypt.sh script from the TDE script bundle you downloaded enables encryption of the Oracle database. Run it as the oracle OS user (the Oracle software owner) on the database server.
Usage: encrypt.sh {command} [<config file>]
Commands:
help: Show this help message
getenv: Get environment variables for TDE scripts
setenv: Set environment variables for TDE scripts
setsid <ORACLE_SID>: Select environment variables for ORACLE_SID
status: Show current TDE status and configuration
bounce: Restart the database
report: Show TDE report for all databases on this server
encrypt: Enable TDE with KeyControl
rotate_key: Rotate TDE master key using KeyControl
migrate: Migrate from Software Wallet to KeyControl
reverse_migrate: Reverse migration from KeyControl to Software Wallet
setup_auto_login: Configure auto login for KeyControl
remove_auto_login: Remove auto login wallet
open_hsm_keystore: Open HSM (KeyControl) KeyStore
close_hsm_keystore: Close HSM (KeyControl) KeyStore
open_hsm_keystore_and_db: Open HSM (KeyControl) KeyStore and database
standby setup: Set up TDE parameters on Data Guard standby server
standby setup_auto_login: Configure auto login on Data Guard standby server
standby remove_auto_login: Remove auto login wallet on Data Guard standby server
standby open_hsm_keystore: Open HSM (KeyControl) KeyStore on Data Guard standby server
standby close_hsm_keystore: Close HSM (KeyControl) KeyStore on Data Guard standby server
standby open_hsm_keystore_and_db: Open HSM (KeyControl) KeyStore and database on Data Guard standby server
standby stop_redo_log_apply: Stop managed recovery process
standby restart_redo_log_apply: Restart managed recovery process
standby redo_log_status: Check status of managed recovery process
<config file>: Path to the configuration file (default: entrust.conf)
To enable TDE:
- Set the environment.
The Oracle administrator must supply the following parameters to set the environment. This operation creates a file called <dbset_name>.env in the script's directory; the actual name will usually be oracle.env. Because the prompts include the software wallet password, which may be persisted in that file, treat the .env file as sensitive: keep it owned by the oracle user with permissions that prevent other users from reading it, and do not copy it into shared backups or version control.
./encrypt.sh setenv
For example:
[oracle@oracle19cn1 ~]$ ./encrypt.sh setenv
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
ORACLE_BASE (/u01/app/oracle) ?
ORACLE_HOME (/u01/app/oracle/product/19c/db_1_rac) ?
Software Wallet Password (************) ?
Database Unique Name (orcl) ?
Database SID (orcl1) ?
Successfully set environment variables for TDE scripts in ./oracle.env
- Check the database status.
After setting the environment variables, the administrator should check the status to view the current state of the Oracle database server: whether the instances are running, which keystore configuration (tde_configuration) is in effect, and which wallets are open.
./encrypt.sh status
- Encrypt the database.
Run the following command to encrypt the database set that you specified.
./encrypt.sh encrypt
- Check the database status again.
The administrator should recheck the status to confirm that the database is encrypted. In the output, tde_configuration should name HSM, the database encryption wallet should be HSM, and every container's HSM wallet should show Status OPEN on every instance.
./encrypt.sh status
Example:
[oracle@oracle19cn1 ~]$ ./encrypt.sh status
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database orcl is already running
Instance orcl1 is running on node oracle19cn1
Instance orcl2 is running on node oracle19cn2b
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PRIMARY
db_unique_name ------- orcl
Multitenant database ------- YES
Database type ------- Oracle RAC
Number of instances ------- 2
Active instances ------- 2
tde_configuration ------- KEYSTORE_CONFIGURATION=HSM|FILE
db_create_file_dest ------- +DATA
Current wallet_root ------- +DATA/ORCL/wallet
Calculated wallet_root ------- +DATA/ORCL/wallet
Database encryption wallet ------- HSM
Auto Login enabled ------- YES
Database state
-------------------------
Database Name   OPEN_MODE            DATABASE_ROLE    Switchover Status
--------------- -------------------- ---------------- -------------------------
ORCL            READ WRITE           PRIMARY          NOT ALLOWED
SHOW PDBs
-------------------------
PDB Name        CON_ID OPEN_MODE  RES
--------------- ------ ---------- ---
PDB$SEED        2      READ ONLY  NO
PDB             3      MOUNTED
PDB2            4      MOUNTED
Encryption Wallets
-------------------------
Encryption Wallets for instance: 1
PDB Name   Status               WRL_TYPE   WALLET_OR Wallet Type  KEYSTORE WRL_PARAMETER
---------- -------------------- ---------- --------- ------------ -------- ----------------------------------------
CDB$ROOT   OPEN                 HSM        PRIMARY   HSM          NONE
PDB        OPEN                 HSM        PRIMARY   HSM          UNITED
PDB2       OPEN                 HSM        PRIMARY   HSM          UNITED
CDB$ROOT   OPEN                 ASM        SECONDARY AUTOLOGIN    NONE     +DATA/ORCL/wallet/tde/
PDB        OPEN                 ASM        SECONDARY AUTOLOGIN    UNITED
PDB2       OPEN                 ASM        SECONDARY AUTOLOGIN    UNITED
PDB$SEED   OPEN                 ASM        SINGLE    AUTOLOGIN    UNITED
PDB$SEED   OPEN                 HSM        SINGLE    HSM          UNITED
Encryption Wallets for instance: 2
PDB Name   Status               WRL_TYPE   WALLET_OR Wallet Type  KEYSTORE WRL_PARAMETER
---------- -------------------- ---------- --------- ------------ -------- ----------------------------------------
CDB$ROOT   OPEN                 HSM        PRIMARY   HSM          NONE
PDB        OPEN                 HSM        PRIMARY   HSM          UNITED
PDB2       OPEN                 HSM        PRIMARY   HSM          UNITED
CDB$ROOT   OPEN                 ASM        SECONDARY AUTOLOGIN    NONE     +DATA/ORCL/wallet/tde/
PDB        OPEN                 ASM        SECONDARY AUTOLOGIN    UNITED
PDB2       OPEN                 ASM        SECONDARY AUTOLOGIN    UNITED
PDB$SEED   OPEN                 ASM        SINGLE    AUTOLOGIN    UNITED
PDB$SEED   OPEN                 HSM        SINGLE    HSM          UNITED
Database master encryption keys
-------------------------
PDB Name        Master Key ID                       MKID base64
--------------- ----------------------------------- -------------------------
CDB$ROOT        5915AFE732974FDCBF67BB1628974E84    AVkVr+cyl0/cv2e7FiiXToQ=
PDB$SEED        00000000000000000000000000000000    AQAAAAAAAAAAAAAAAAAAAAA=
PDB             6ACD2A03E83A4F3BBFDC2F6EA1FADC49    AWrNKgPoOk87v9wvbqH63Ek=
PDB2            2AAF9C18FC2E4F62BF9DF8786C58E724    ASqvnBj8Lk9iv534eGxY5yQ=
TDE Master keys in open wallets
-------------------------------
PDB Name        Master Key ID                        TAG                  CON_ID     Keystore Type      Origin     Key Creation Time  Activation Time
--------------- ------------------------------------ -------------------- ---------- ------------------ ---------- ------------------ ----------------
PDB2            062AAF9C18FC2E4F62BF9DF8786C58E724   ORCL_082025062919    4          SOFTWARE KEYSTORE  LOCAL      08/20/2025 06:31   08/20/2025 06:31
CDB$ROOT        065915AFE732974FDCBF67BB1628974E84   ORCL_082025062919    1          SOFTWARE KEYSTORE  LOCAL      08/20/2025 06:30   08/20/2025 06:30
PDB             066ACD2A03E83A4F3BBFDC2F6EA1FADC49   ORCL_082025062919    3          SOFTWARE KEYSTORE  LOCAL      08/20/2025 06:30   08/20/2025 06:30
CDB$ROOT        062C19E6EDB47C4F8EBF86920158C81FD0                        1          HSM                LOCAL      08/20/2025 06:06   08/20/2025 06:06
PDB             06CB0E514DC64C4F43BF29FE846D8CB92D                        3          HSM                LOCAL      08/20/2025 06:06   08/20/2025 06:06
PDB2            0669595E41E8734F64BF239BD19297A849                        4          HSM                LOCAL      08/20/2025 06:06   08/20/2025 06:06
Services
-------------------------
orclXDB
pdb
pdb2
SYS$BACKGROUND
SYS$USERS
orcl.db.com
Datafiles
-------------------------
+DATA/ORCL/DATAFILE/system.289.1205374577
+DATA/ORCL/DATAFILE/sysaux.290.1205374611
+DATA/ORCL/DATAFILE/undotbs1.291.1205374637
+DATA/ORCL/86B637B62FE07A65E053F706E80A27CA/DATAFILE/system.302.1205375527
+DATA/ORCL/86B637B62FE07A65E053F706E80A27CA/DATAFILE/sysaux.303.1205375527
+DATA/ORCL/DATAFILE/users.292.1205374637
+DATA/ORCL/86B637B62FE07A65E053F706E80A27CA/DATAFILE/undotbs1.304.1205375527
+DATA/ORCL/38F0B2B59DDE65C9E06333E5010AD3FB/DATAFILE/system.308.1205378809
+DATA/ORCL/38F0B2B59DDE65C9E06333E5010AD3FB/DATAFILE/sysaux.309.1205378809
+DATA/ORCL/38F0B2B59DDE65C9E06333E5010AD3FB/DATAFILE/users.311.1205378823
+DATA/ORCL/DATAFILE/undotbs2.315.1205453085
+DATA/ORCL/38F0B2B59DDE65C9E06333E5010AD3FB/DATAFILE/undo_2.317.1205454319
+DATA/ORCL/DATAFILE/my_ts.367.1207804451
Wallet files
-------------------------
+DATA/ORCL/wallet/tde/cwallet.sso
+DATA/ORCL/wallet/tde/cwallet_072925082421.sso
+DATA/ORCL/wallet/tde/ewallet.p12
+DATA/ORCL/wallet/tde/ewallet_2025072914472796.p12
+DATA/ORCL/wallet/tde/ewallet_2025072914500471_tde_backup.p12
ASM disk group
-------------------------
DATA
ASM check
-------------------------
orcl is using ASM disk group DATA
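The final status check above is where an operator decides whether the encryption step actually succeeded, and in an automated rollout that decision should not depend on someone eyeballing the wallet tables. The following is an added example, not part of the Entrust TDE script bundle or of this page, that reads saved output of ./encrypt.sh status and fails unless the keystore configuration names HSM, the database encryption wallet is HSM, and every HSM wallet row in the per-instance tables reports Status OPEN. It assumes the status output was saved to a file, that the summary lines keep the name ------- value shape shown above, and that the Encryption Wallets table keeps the column order PDB Name, Status, WRL_TYPE, WALLET_ORDER, Wallet Type, KEYSTORE, WRL_PARAMETER; the sample inputs are constructed excerpts of the output on this page, with a second copy altered so that PDB2's HSM wallet is CLOSED.

```shell
#!/bin/sh
# Added example, not part of the Entrust TDE script bundle: check saved output of
# "./encrypt.sh status" after "./encrypt.sh encrypt" and fail unless the database
# is really anchored to the HSM (KeyControl) keystore.
# Assumptions (not stated on the page): status output saved to a file, summary
# lines shaped "name ------- value", and the Encryption Wallets table ordered
# PDB Name, Status, WRL_TYPE, WALLET_ORDER, Wallet Type, KEYSTORE, WRL_PARAMETER.

# tde_verified FILE  -> returns 0 when every check passes, 1 otherwise.
tde_verified() {
    f="$1"
    # 1. TDE_CONFIGURATION must route the master key to the HSM; a bare
    #    KEYSTORE_CONFIGURATION=FILE means the key still lives in a software wallet.
    if ! grep -q 'KEYSTORE_CONFIGURATION=HSM' "$f"; then
        echo "FAIL: tde_configuration does not name HSM" >&2
        return 1
    fi
    # 2. The script's own summary line must report the HSM wallet as active.
    if ! grep -q '^Database encryption wallet .* HSM$' "$f"; then
        echo "FAIL: database encryption wallet is not HSM" >&2
        return 1
    fi
    # 3. In the per-instance wallet tables, every row whose WRL_TYPE is HSM must
    #    have Status OPEN, and at least one such row must exist. Any other status
    #    (CLOSED, OPEN_NO_MASTER_KEY, NOT_AVAILABLE) means that container cannot
    #    reach its master key on that instance.
    awk '
        /^Encryption Wallets for instance/ { in_table = 1; next }
        /^Database master encryption keys/ { in_table = 0 }
        in_table && NF >= 5 && $3 == "HSM" {
            hsm_rows++
            if ($2 != "OPEN") { print "FAIL: " $1 " HSM wallet status is " $2; bad = 1 }
        }
        END { if (bad || hsm_rows == 0) exit 1; exit 0 }
    ' "$f"
}

# Constructed sample: an excerpt of the status output shown on this page,
# trimmed to the lines the checks read (instance 2 omitted).
good_status_sample() {
cat <<'EOF'
Database orcl is already running
tde_configuration ------- KEYSTORE_CONFIGURATION=HSM|FILE
Database encryption wallet ------- HSM
Auto Login enabled ------- YES
Encryption Wallets
-------------------------
Encryption Wallets for instance: 1
PDB Name   Status   WRL_TYPE WALLET_OR Wallet Type KEYSTORE WRL_PARAMETER
---------- -------- -------- --------- ----------- -------- -------------
CDB$ROOT   OPEN     HSM      PRIMARY   HSM         NONE
PDB        OPEN     HSM      PRIMARY   HSM         UNITED
PDB2       OPEN     HSM      PRIMARY   HSM         UNITED
CDB$ROOT   OPEN     ASM      SECONDARY AUTOLOGIN   NONE     +DATA/ORCL/wallet/tde/
PDB$SEED   OPEN     HSM      SINGLE    HSM         UNITED
Database master encryption keys
-------------------------
EOF
}

# Constructed failure case: same layout, but PDB2 never opened its HSM wallet.
closed_wallet_sample() {
    good_status_sample | sed 's/^\(PDB2 *\)OPEN \( *HSM \)/\1CLOSED\2/'
}

# Usage: ./encrypt.sh status > status.txt && sh tde_verify.sh status.txt
if [ "$#" -gt 0 ]; then
    tde_verified "$1"
fi
```

Run it on each RAC node after the encrypt step; a non-zero exit status is the signal to stop the rollout and run ./encrypt.sh open_hsm_keystore (or investigate the KeyControl access token) before any application traffic is allowed onto the database.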