1. Database Reference
  2. Initialization Parameters
  3. Initialization Parameters
  4. TDE_CONFIGURATION

1.334 TDE_CONFIGURATION

TDE_CONFIGURATION is used for per-PDB configuration for Transparent Data Encryption (TDE). Before Oracle Database 18c, each PDB stored their separate encryption keys in the CDB’s keystore (united mode). Starting with Oracle Database 18c, a PDB can optionally store its encryption keys in a separate keystore (isolation mode), thus allowing protection by a separate keystore password. The WALLET_ROOT initialization parameter must be set for TDE_CONFIGURATION to take effect.

Property Description

Parameter type

String

Syntax

TDE_CONFIGURATION = “{ KEYSTORE_CONFIGURATION = value [; CONTAINER = pdb-name] }”

Syntax

value ::=

{

FILE |

OKV |

HSM |

FILE|OKV |

FILE|HSM |

OKV|FILE |

HSM|FILE

}

Default value

None

Modifiable

ALTER SYSTEMFoot 1

Modifiable in a PDB

Yes

Basic

No

Oracle RAC

The same value must be specified on all instances using the ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=value" SCOPE=BOTH SID='*'; statement.

Footnote 1

In some cases when this parameter is set using ALTER SYSTEM SCOPE=SPFILE, the SHOW PARAMETER TDE_CONFIGURATION statement does not show the correct value. However, the value set for TDE_CONFIGURATION can be derived from information shown in the V$ENCRYPTION_WALLET view.

The following attributes can be specified:

  • KEYSTORE_CONFIGURATION attribute. This attribute is required. The value specified with this attribute configures the keystore type for the specified PDB. The following values can be specified for this attribute:

    • FILE: This value configures a wallet keystore.

    • OKV: This value configures an Oracle Key Vault (OKV) keystore.

    • HSM: This value configures a Hardware Security Module (HSM) keystore.

    • FILE|OKV: This value configures a reverse migration from an OKV to a wallet keystore.

    • FILE|HSM: This value configures a reverse migration from a HSM to a wallet keystore.

    • OKV|FILE: This value configures a migration from a wallet to an OKV keystore.

    • HSM|FILE: This value configures a migration from a wallet to a HSM keystore.

    Some of the KEYSTORE_CONFIGURATION attribute values consist of a single word, for example, the FILE, OKV, and HSM values. The other KEYSTORE_CONFIGURATION attribute values consist of two words separated by the “|” character that is a required part of the value’s syntax, for example, the FILE|OKV, FILE|HSM, OKV|FILE, and HSM|FILE values.

    In Oracle Database releases prior to Oracle Database 18.1, keystore types were configured in sqlnet.ora using the METHOD attribute of the SQLNET.ENCRYPTION_WALLET_LOCATION parameter.

  • CONTAINER attribute: This optional attribute can be used only when setting the parameter in the CDB$ROOT of a CDB. The CONTAINER attribute can be specified only when the CDB$ROOT is in MOUNTED state. With this attribute, you must specify the name of the PDB for which you are setting the parameter. When you specify the CONTAINER attribute, you must use a semicolon “;” as the separation character between the KEYSTORE_CONFIGURATION and CONTAINER attributes.

Examples

The following statement configures a wallet keystore for the open PDB from which the statement is issued:

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=BOTH SID='*';

The following statement configures an OKV keystore for the PDB in MOUNTED state from which the statement is issued: 

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=OKV" SCOPE=SPFILE SID='*';

The following statement configures a HSM keystore for the ORCLPDB PDB. For this statement to succeed, the parameter must be set in the CDB$ROOT of a CDB when the CDB$ROOT is in MOUNTED state: 

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM; CONTAINER=ORCLPDB" SCOPE=MEMORY SID='*';

See Also: