Sunday 26 January 2014

Set up the cryptographic keystore

Setting up cryptography for a 12c database.

There is a new way to configure and administer Transparent Data Encryption (TDE) in 12c, using the ADMINISTER KEY MANAGEMENT group of SQL statements.

Key management operations must be done either as SYSDBA or with the new SYSKM administrative privilege (it is a privilege, not a role, and needs a 12c-format password file).
In a CDB, a common user can be granted SYSKM so that one account administers the keystore and keys for the root and all of the pluggable databases (PDBs).

The same RMAN backup encryption modes as in earlier versions are available.

Transparent encryption

Once the cryptographic keystore (called the wallet in 11g) is set up and open, and encryption is CONFIGUREd in RMAN, backups are encrypted and restores decrypted automatically, with no password involved.

Password encryption

Requires the user to provide a password when the backup is taken and again when it is restored; the backup is encrypted with a key derived from that password, so no keystore is needed.
This mode is used for transporting backups to sites where the keystore and its keys are not available.

Dual mode encryption

The backup is encrypted so that it can be restored either with the password or transparently through the keystore. A transparent restore requires an open keystore; the password is the fallback for a site that does not have it.

Steps to set up cryptography
  1. Configure the keystore location: a software keystore in a directory that only the Oracle software owner can read.
  2. Set the sqlnet.ora ENCRYPTION_WALLET_LOCATION parameter to that directory.
  3. Connect to the database and create the keystore with ADMINISTER KEY MANAGEMENT ... CREATE KEYSTORE.
  4. Open the keystore with ADMINISTER KEY MANAGEMENT ... SET KEYSTORE OPEN.
  5. Generate the master encryption key with ADMINISTER KEY MANAGEMENT ... CREATE KEY.
  6. Optionally export it to the database that needs it. Activate the key with ADMINISTER KEY MANAGEMENT ... USE KEY.

Environment

Oracle Database 12c Enterprise Edition/Linux 2.6

Note:
There is one keystore per database (in a CDB, one keystore shared by the root and all of its PDBs). Keystores are located through sqlnet.ora.
The example uses a software keystore. A hardware security module (HSM) or an ASM disk group are the other possible locations.
The key management operations discussed here must be done as SYSKM or SYSDBA. SYSKM is the new key management administrative privilege in 12c. The screenshot below shows a connection to a CDB as a common user named C##DBA with the SYSKM privilege.

Screenshot: connecting as SYSKM

Step 1 - Configure key store location

Create an empty directory for the keystore using OS commands, as shown. The directory must be owned by the Oracle software owner and must not be readable by other OS users, because the keystore file it will hold protects every master key of the database.

mkdir -p /u01/app/oracle/oradata/keystore/CDB1
mkdir -p /u01/app/oracle/oradata/keystore/CDB2

If the TNS_ADMIN environment variable is set, it determines which sqlnet.ora the database reads, so make sure it points to the directory in which you will edit sqlnet.ora in the next step.

Step 2 - Configure sqlnet.ora

Edit sqlnet.ora and configure the ENCRYPTION_WALLET_LOCATION parameter as shown. The DIRECTORY value must match the directory created in Step 1.

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/u01/app/oracle/oradata/keystore/CDB1)))



To manage multiple keystores with a single sqlnet.ora, the Oracle recommendation is to set it as shown; note the trailing $ORACLE_SID below, which expands to a different directory for each instance.

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/u01/app/oracle/oradata/keystore/$ORACLE_SID/)))

However, this setting eventually results in an error during keystore operations; it is a bug. The explicit per-database directory from the first setting is therefore used here.


Step 3 - Create the keystore from SQL*Plus
Create the keystore using the new ADMINISTER KEY MANAGEMENT statement.
Note that this is a password-based keystore, which requires an explicit open operation.

ADMINISTER KEY MANAGEMENT
CREATE KEYSTORE 'keystore_location'
   IDENTIFIED BY software_keystore_password;

keystore_location must be the same directory that ENCRYPTION_WALLET_LOCATION names in sqlnet.ora. The password supplied here protects the keystore; the database does not store it, and it must be supplied again for every later keystore operation (opening the keystore, creating or activating keys, backing it up), so record it in a secure place.




Step 4 - Open the keystore - explicit open needed for a password-based software keystore

Opening the keystore (ADMINISTER KEY MANAGEMENT ... SET KEYSTORE OPEN, with the keystore password) is required before any TDE operation. In a CDB the keystore must be opened in the root container first; after that it can be opened and closed in each PDB. An auto-login keystore, if one has been created from the password keystore, is opened automatically whenever the database needs it.


Step 5 - Generate keys for the cryptography

The ADMINISTER KEY MANAGEMENT statements are used for these key operations, among others:
  • Generation of a master encryption key
  • Export of the key to, and import into, another database, where it is then activated if required
  • Generation, activation and use of the key within the same database
The statement below generates the key, gives it the tag 'cdb encryption key' to identify it, and
specifies the WITH BACKUP clause, which is mandatory for password-based keystores. IDENTIFIED BY supplies the keystore password from Step 3 (ORACLE in this demonstration; use a strong password in practice).
WITH BACKUP copies the keystore file into the keystore directory before it is modified; the identifier after USING becomes part of the backup file name, so the previous keys survive even if the new operation fails.


ADMINISTER KEY MANAGEMENT
  CREATE KEY USING TAG 'cdb encryption key'
    IDENTIFIED BY ORACLE
    WITH BACKUP USING 'bkup_13jan14';

See screenshot below.

Step 6 - Key activation

Activate the key using ADMINISTER KEY MANAGEMENT ... USE KEY.
Activation requires the key identifier, which is available in the KEY_ID column of V$ENCRYPTION_KEYS.

The statement below activates a key that was generated previously in this database, or that has been imported. During a Data Guard standby set-up, the standby must have the primary's master key if the primary uses cryptography, so the key is exported from the primary and imported on the standby (or the keystore is copied). WITH BACKUP is again required for password-based keystores; the keystore password follows IDENTIFIED BY.

ADMINISTER KEY MANAGEMENT
USE KEY 'AdSFDqXIjk9xv426PiJav30AAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
   IDENTIFIED BY oracle WITH BACKUP;


Screenshot: key generation and activation

This database is now set up for TDE operations.
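The six steps above, carried through end to end in SQL*Plus for one CDB, as an added example that is not part of the original post. It assumes that sqlnet.ora already points ENCRYPTION_WALLET_LOCATION at /u01/app/oracle/oradata/keystore/CDB1 (Step 2), that the common user C##DBA exists, that the CDB has an open PDB named PDB1, that ALTER SESSION SET CONTAINER is permitted for the SYSKM session, and that "KeyStoreS3cret" is a stand-in for a real keystore password. It goes slightly beyond the post in two places: the generated key identifier is read from V$ENCRYPTION_KEYS inside a PL/SQL block instead of being pasted by hand, and the PDB uses the one-statement SET KEY form that creates and activates a key together.

```sql
-- Added example (not from the original post): Steps 3 to 6 for one CDB.
-- Assumed: ENCRYPTION_WALLET_LOCATION already names the directory below,
-- common user C##DBA exists, PDB1 is open, "KeyStoreS3cret" is a placeholder.

-- Prerequisite, once, as SYSDBA in CDB$ROOT. SYSKM is an administrative
-- privilege (not a role) and is recorded in a 12c-format password file.
CONNECT / AS SYSDBA
GRANT SYSKM TO c##dba;

-- Step 3: connect with the key-management privilege (SQL*Plus prompts for the
-- password, so it stays out of the shell history) and create the
-- password-protected software keystore (ewallet.p12 in the directory).
CONNECT c##dba AS SYSKM
SHOW USER
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/oradata/keystore/CDB1'
  IDENTIFIED BY "KeyStoreS3cret";

-- Step 4: open it in the root first. STATUS reads OPEN_NO_MASTER_KEY until a
-- key is activated, then OPEN; WALLET_TYPE is PASSWORD for this keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "KeyStoreS3cret";
SELECT wrl_type, wrl_parameter, status, wallet_type, con_id
FROM   v$encryption_wallet;

-- Step 5: create a master key without activating it. WITH BACKUP is mandatory
-- for a password keystore: the wallet file is copied to
-- ewallet_<timestamp>_cdb1_initial.p12 in the same directory before the change.
ADMINISTER KEY MANAGEMENT CREATE KEY USING TAG 'cdb encryption key'
  IDENTIFIED BY "KeyStoreS3cret"
  WITH BACKUP USING 'cdb1_initial';

-- The new key is listed with an empty ACTIVATION_TIME.
SELECT key_id, tag, creation_time, activation_time, backed_up
FROM   v$encryption_keys
ORDER  BY creation_time;

-- Step 6: activate it. The KEY_ID is generated, so look it up by tag instead
-- of pasting it; ADMINISTER KEY MANAGEMENT can be issued through
-- EXECUTE IMMEDIATE like other DDL.
DECLARE
  v_key_id VARCHAR2(78);   -- width of V$ENCRYPTION_KEYS.KEY_ID
BEGIN
  SELECT key_id INTO v_key_id
  FROM   v$encryption_keys
  WHERE  tag = 'cdb encryption key'
  AND    activation_time IS NULL
  AND    ROWNUM = 1;
  EXECUTE IMMEDIATE 'ADMINISTER KEY MANAGEMENT USE KEY ''' || v_key_id || '''' ||
                    ' IDENTIFIED BY "KeyStoreS3cret" WITH BACKUP USING ''cdb1_activate''';
END;
/

-- The root now reports OPEN and the key carries an ACTIVATION_TIME.
SELECT status FROM v$encryption_wallet;
SELECT tag, activation_time FROM v$encryption_keys WHERE activation_time IS NOT NULL;

-- Each PDB must open the keystore itself and gets its own master key. SET KEY
-- creates and activates in one statement, the shortcut for Steps 5 and 6.
-- Repeat this part for every PDB.
ALTER SESSION SET CONTAINER = pdb1;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "KeyStoreS3cret";
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'pdb1 encryption key'
  IDENTIFIED BY "KeyStoreS3cret"
  WITH BACKUP USING 'pdb1_initial';
SELECT status, con_id FROM v$encryption_wallet;
ALTER SESSION SET CONTAINER = cdb$root;
```

The two status queries are the checks worth keeping in a runbook: a keystore that is OPEN_NO_MASTER_KEY in the root, or CLOSED in a PDB, is the usual reason an encrypted restore or an encrypted tablespace fails after a restart.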

Safeguarding the keys

The keystore must never be deleted. If it is lost, the master keys are lost with it, and so is the ability to read encrypted data or to restore from a transparently encrypted backup.
Keep the backup files written by WITH BACKUP, and any further copies of the keystore, in a protected location separate from the database backups, so that a backup set on its own does not also hold the key that decrypts it.
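An added example, not from the original post: taking a separate copy of the keystore and checking that every key has been backed up, run as SYSKM in CDB$ROOT. The backup directory /u01/app/oracle/admin/keystore_backup/CDB1 is assumed to exist, to be owned by the Oracle software owner and to lie outside the paths that RMAN backs up; the keystore password is the stand-in "KeyStoreS3cret".

```sql
-- Added example (not from the original post). Assumed: the backup directory
-- exists, is readable only by the Oracle software owner, and is not part of
-- any RMAN backup; "KeyStoreS3cret" is a placeholder keystore password.

-- Copy the whole keystore (all keys, all containers) to the separate location.
-- The identifier after USING is embedded in the backup file name.
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'cdb1_offsite'
  IDENTIFIED BY "KeyStoreS3cret"
  TO '/u01/app/oracle/admin/keystore_backup/CDB1';

-- Every key should now report BACKED_UP = YES; a non-zero count below means a
-- key exists that no backup file holds yet.
SELECT key_id, tag, backed_up, con_id FROM v$encryption_keys ORDER BY con_id;
SELECT COUNT(*) AS unbacked_keys FROM v$encryption_keys WHERE backed_up = 'NO';

-- Optional: an auto-login keystore (cwallet.sso) so the database can open the
-- keystore after a restart without the password. It holds the same keys, so
-- the file must be protected exactly like ewallet.p12.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/u01/app/oracle/oradata/keystore/CDB1'
  IDENTIFIED BY "KeyStoreS3cret";
```

The auto-login keystore trades the explicit open of Step 4 for availability: anyone who can read cwallet.sso can open the keystore, so it belongs only where the directory permissions from Step 1 are enforced.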
