Skip to Main Content
  • Questions

  • Reset of the master encryption key of the database.

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, DBA.

Asked: April 28, 2020 - 8:08 am UTC

Last updated: July 18, 2023 - 3:56 am UTC

Version: 18.8.1.0.0

Viewed 10K+ times! This question is

You Asked

Database(non-CDB) version - 18.8.1.0.0
TDE is enabled, Wallet_location is in ASM, software keystore is configured and auto-login is created. Only tablespace encryption is enabled at the moment.
Backup of the encryption keys (ewallet.p12 & cwallet.sso) is taken on another filesystem which have a regular backup.
For reset of the master encryption key of the database, following command is used
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY "xxxxxxxxxxxxxxxxxxxxx" SET "yyyyyyyyyyyyyyyyyyyyy" WITH BACKUP USING 'NEWKEY_REF';
The command is executed successfully, but the new key is not visible in V$ENCRYPTION_KEYS or in V$DATABASE_KEY_INFO. The activation_time of the key is same as the creation_time of the existing key. There is also no change in the activation_time.
Did a small test by misplacing the wallet and then restoring the old key from the backup. The database is opened with the old keys instead of the new keys.
Want to understand (probably with test cases) how the reset of the master encryption key works as we want to rotate the master encryption key regularly (also need to test database refresh and restore with change in master keys).

and Connor said...

I spoke to Russ Lowenthal, our security PM (you should attend their Office Hours sessions)

The command

ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY "xxxxxxxxxxxxxxxxxxxxx" SET "yyyyyyyyyyyyyyyyyyyyy" WITH BACKUP USING 'NEWKEY_REF';

is used to change the password of the wallet, not to generate and use a new encryption key.

The correct command to rotate a key is:

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY <wallet password>;

the optional "WITH BACKUP USING <file name of the backup to create>" is a good practice, but not required. With that additional phrase you'd get:

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY <wallet password> WITH BACKUP USING <file name of the backup to create>;

the important part is the "set key" phrase - this is what generates a new master key.

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

DBA

Mehmood, September 07, 2022 - 4:19 am UTC


SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY NewKey321 with backup;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY <Newkey> with backup
*
ERROR at line 1:
ORA-46627: keystore password mismatch

Connor McDonald
September 12, 2022 - 3:27 am UTC

Remember that "identified by ..." is the password to your wallet. Issuing "set key" is what generates a new key.




TDE Password

Marcelo, July 17, 2023 - 4:09 pm UTC

Hi Team,

Currently I ahve a DB which its TDE password is lost. therefore all backups are unusable.

The previous post, in order to create a new TDE password
are valid when your TDE Password is lost??

I would like to create a new TDE password in order the new backups are usable.
Thanks,
Marcelo
Connor McDonald
July 18, 2023 - 3:56 am UTC

Do you mean the wallet password?
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database