Environment: 19c
cdb2
pdb1
Goal: set up automatic encryption (TDE) of newly added tablespaces under the PDB.
1. Check the location of the encryption wallet
SYS@cdb2> select WRL_PARAMETER,STATUS,WALLET_TYPE,KEYSTORE_MODE from v$encryption_wallet;
WRL_PARAMETER STATUS WALLET_TYPE KEYSTORE
------------------------------------------------ ------------------------------ -------------------- ----------------
/u01/app/oracle/admin/cdb2/wallet NOT_AVAILABLE UNKNOWN NONE
2. Create the wallet directory
$ mkdir -p /u01/app/oracle/admin/cdb2/wallet
3. Set the wallet_root parameter
SYS@cdb2> alter system set wallet_root='/u01/app/oracle/admin/cdb2/wallet' scope=spfile;
SYS@cdb2> startup force;
4. Set the tde_configuration parameter
SYS@cdb2> alter system set tde_configuration='keystore_configuration=file';
SYS@cdb2> select WRL_PARAMETER,STATUS,WALLET_TYPE,KEYSTORE_MODE from v$encryption_wallet;
WRL_PARAMETER STATUS WALLET_TYPE KEYSTORE
------------------------------ ------------------------------ -------------------- --------
/u01/app/oracle/admin/cdb2/wallet/tde/ NOT_AVAILABLE UNKNOWN NONE
NOT_AVAILABLE UNKNOWN UNITED
NOT_AVAILABLE UNKNOWN UNITED
NOT_AVAILABLE UNKNOWN UNITED
5. Create the keystore (wallet)
SYS@cdb2> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY welcome;
SYS@cdb2> select WRL_PARAMETER,STATUS,WALLET_TYPE,KEYSTORE_MODE from v$encryption_wallet;
WRL_PARAMETER STATUS WALLET_TYPE KEYSTORE
------------------------------ ------------------------------ -------------------- --------
/u01/app/oracle/admin/cdb2/wallet/tde/ CLOSED UNKNOWN NONE
CLOSED UNKNOWN UNITED
CLOSED UNKNOWN UNITED
CLOSED UNKNOWN UNITED
6. Make the keystore open automatically (auto-login)
SYS@cdb2> administer key management create auto_login keystore from keystore identified by welcome;
SYS@cdb2> select WRL_PARAMETER,STATUS,WALLET_TYPE,KEYSTORE_MODE from v$encryption_wallet;
WRL_PARAMETER STATUS WALLET_TYPE KEYSTORE
------------------------------ ------------------------------ -------------------- --------
/u01/app/oracle/admin/cdb2/wallet/tde/ OPEN_NO_MASTER_KEY AUTOLOGIN NONE
OPEN_NO_MASTER_KEY AUTOLOGIN UNITED
OPEN_NO_MASTER_KEY AUTOLOGIN UNITED
OPEN_NO_MASTER_KEY AUTOLOGIN UNITED
7. Set the TDE master encryption key for the CDB
SYS@cdb2> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY welcome WITH BACKUP USING 'emp_key_backup';
FORCE KEYSTORE opens the keystore automatically if it is not already open.
SYS@cdb2> select WRL_PARAMETER,STATUS,WALLET_TYPE,KEYSTORE_MODE from v$encryption_wallet;
WRL_PARAMETER STATUS WALLET_TYPE KEYSTORE
------------------------------ ------------------------------ -------------------- --------
/u01/app/oracle/admin/cdb2/wallet/tde/ OPEN AUTOLOGIN NONE
OPEN AUTOLOGIN UNITED
OPEN_NO_MASTER_KEY AUTOLOGIN UNITED
OPEN_NO_MASTER_KEY AUTOLOGIN UNITED
The STATUS now shows OPEN.
8. Create the encryption key in the PDB
SYS@cdb2> alter session set container=pdb1;
SYS@cdb2> select WRL_PARAMETER,STATUS,WALLET_TYPE,KEYSTORE_MODE from v$encryption_wallet;
WRL_PARAMETER STATUS WALLET_TYPE KEYSTORE
------------------------------ ------------------------------ -------------------- --------
OPEN_NO_MASTER_KEY AUTOLOGIN UNITED
Status: the keystore is open, but no MASTER KEY has been set for this container.
SYS@cdb2> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY welcome WITH BACKUP USING 'emp_key_backup';
SYS@cdb2> select WRL_PARAMETER,STATUS,WALLET_TYPE,KEYSTORE_MODE from v$encryption_wallet;
WRL_PARAMETER STATUS WALLET_TYPE KEYSTORE
------------------------------ ------------------------------ -------------------- --------
OPEN AUTOLOGIN UNITED
Now open with a MASTER KEY.
9. Make newly created tablespaces encrypted automatically
SYS@cdb2> show parameter encr
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces string CLOUD_ONLY
SYS@cdb2> alter system set encrypt_new_tablespaces=always;
10. Create a new tablespace
-- encrypted tablespace
SYS@pdbprod2> Create tablespace enct_data datafile '/u01/app/oracle/oradata/cdb2/pdb1/ENCT_DATA01.dbf' size 10m ;
11. Verify the encryption
SYS@cdb2> select tablespace_name,ENCRYPTED from dba_tablespaces where tablespace_name='ENCT_DATA';
TABLESPACE_NAME ENC
------------------------------ ---
ENCT_DATA YES
At this point the automatically encrypted tablespace setup is complete. After a later database restart, the auto-login keystore holding the MASTER KEY opens by itself, so no separate manual open is needed.
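As an added check (my own example, not code from the original post), the Python script below parses a v$encryption_wallet listing like the ones shown in the steps above, re-joins the WRL_PARAMETER path that SQL*Plus wraps onto a second line, and reports which step of this procedure each container row still needs; the embedded sample is the step-7 listing, constructed inline.

```python
# Constructed sample: the step-7 listing above, as SQL*Plus prints it: the 30-character
# WRL_PARAMETER column wraps ("wal" / "let/tde/") and the PDB rows show a blank path.
SAMPLE_STEP7 = """\
WRL_PARAMETER STATUS WALLET_TYPE KEYSTORE
------------------------------ ------------------------------ -------------------- --------
/u01/app/oracle/admin/cdb2/wal OPEN AUTOLOGIN NONE
let/tde/
OPEN AUTOLOGIN UNITED
OPEN_NO_MASTER_KEY AUTOLOGIN UNITED
OPEN_NO_MASTER_KEY AUTOLOGIN UNITED
"""

# Which step of the procedure a row with this STATUS still needs.
NEXT_STEP = {
    "NOT_AVAILABLE": "no keystore: set WALLET_ROOT/TDE_CONFIGURATION and CREATE KEYSTORE (steps 3-5)",
    "CLOSED": "keystore exists but is closed: create the AUTO_LOGIN keystore (step 6)",
    "OPEN_NO_MASTER_KEY": "no master key in this container: run SET KEY here (step 7 or 8)",
    "OPEN": "ready",
}

def parse_wallet_listing(text):
    """Parse the whitespace-separated listing into dicts; a line holding one token
    that is not a STATUS value is the wrapped tail of the previous row's path."""
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) == 1 and rows and toks[0] not in NEXT_STEP:
            rows[-1]["wrl_parameter"] += toks[0]  # re-join the wrapped path
            continue
        if len(toks) < 3 or toks[0] == "WRL_PARAMETER" or toks[0].startswith("---"):
            continue  # blank, header or separator line
        *path, status, wallet_type, mode = toks  # path is absent on PDB rows
        rows.append({"wrl_parameter": "".join(path), "status": status,
                     "wallet_type": wallet_type, "keystore_mode": mode})
    return rows

def assess(rows):
    """Return (row_number, verdict); 'ready' only when STATUS is OPEN (master key set)
    and WALLET_TYPE is AUTOLOGIN, so the keystore also opens by itself after a restart."""
    verdicts = []
    for n, r in enumerate(rows, 1):
        verdict = NEXT_STEP.get(r["status"], "unexpected STATUS " + r["status"])
        if r["status"] == "OPEN" and r["wallet_type"] != "AUTOLOGIN":
            verdict = "open now, but WALLET_TYPE %s needs a manual open after restart" % r["wallet_type"]
        verdicts.append((n, verdict))
    return verdicts
```

Run `assess(parse_wallet_listing(SAMPLE_STEP7))` to see that rows 3 and 4 still need the per-PDB SET KEY of step 8.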