-
Notifications
You must be signed in to change notification settings - Fork 1
/
isenc_tde.sql
86 lines (73 loc) · 3.12 KB
/
isenc_tde.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
--------------------------------------------------------------------------------
-- OraDBA - Oracle Database Infrastructur and Security, 5630 Muri, Switzerland
--------------------------------------------------------------------------------
-- Name......: isenc_tde.sql
-- Author....: Stefan Oehrli (oes) [email protected]
-- Editor....: Stefan Oehrli
-- Date......: 2023.08.29
-- Revision..:
-- Purpose...: Initialize TDE for a single tenant or container database. This
-- scripts does use several other scripts to enable TDE and it
-- also includes restart of the database.
--
-- The following steps are performed:
-- - idenc_wroot.sql set init.ora parameter for TDE
-- - restart database
-- - csenc_swkeystore.sql create and configure software keystore
-- - csenc_master.sql create master encryption key
-- - restart database
-- - ssenc_info.sql show current TDE configuration
-- Notes.....:
-- Reference.: Requires SYS, SYSDBA or SYSKM privilege
-- License...: Apache License Version 2.0, January 2004 as shown
-- at http://www.apache.org/licenses/
--------------------------------------------------------------------------------
SET FEEDBACK OFF
SET VERIFY OFF
-- define default values for wallet password
COLUMN def_wallet_pwd NEW_VALUE def_wallet_pwd NOPRINT
-- generate random password
SELECT dbms_random.string('X', 20) def_wallet_pwd FROM dual;
-- assign default value for parameter if argument 1 is empty
COLUMN 1 NEW_VALUE 1 NOPRINT
SELECT '' "1" FROM dual WHERE ROWNUM = 0;
DEFINE wallet_pwd = &1 &def_wallet_pwd
COLUMN wallet_pwd NEW_VALUE wallet_pwd NOPRINT
-- define default values for wallet password
COLUMN def_wallet_root_base NEW_VALUE def_wallet_root_base NOPRINT
-- get the wallet root directory from audit_file_dest
SELECT
substr(value, 1, instr(value, '/', - 1, 1) - 1) def_wallet_root_base
FROM
v$parameter
WHERE
name = 'audit_file_dest';
-- assign default value for parameter if argument 2 is empty
COLUMN 2 NEW_VALUE 2 NOPRINT
SELECT '' "2" FROM dual WHERE ROWNUM = 0;
DEFINE wallet_root_base = &2 &def_wallet_root_base
COLUMN wallet_root_base NEW_VALUE wallet_root_base NOPRINT
-- format SQLPlus output and behavior
SET LINESIZE 180 PAGESIZE 66
SET HEADING ON
SET VERIFY ON
SET FEEDBACK ON
-- start to spool
SPOOL isenc_tde.log
-- configure WALLET_ROOT parameter
@idenc_wroot.sql &wallet_root_base
PROMPT == Restart database to enable WALLET_ROOT ===============================
STARTUP FORCE;
-- configure software keystore for database / cdb
@csenc_swkeystore.sql &wallet_pwd
-- uncomment the following line if you have issues with pre-created master
-- encryption keys. e.g., because TDE wallets have been recreated
--@idenc_lostkey.sql
-- configure master encryption key
@csenc_master.sql
PROMPT == Restart database to load software keystore with new master key =======
STARTUP FORCE;
-- display information
@ssenc_info.sql
SPOOL OFF
-- EOF -------------------------------------------------------------------------