How to determine if TDE keys are compatible with Oracle version 23c?

Question and Answer

Connor McDonald

Thanks for the question, Charles.

Asked: August 15, 2023 - 6:45 pm UTC

Last updated: August 25, 2023 - 4:45 am UTC

Version: 19.20

Viewed 1000+ times

You Asked

Good day!

I read that Oracle 23c is desupporting the older PKI TDE keys. After rekeying our TDE keys, how do we determine if they are compatible with Oracle 23c? Note we are running OSEE 19.20 on Solaris, and don't have a good way to test on Oracle 23c.

and Connor said...

Thanks to security PM Russ Lowenthal for this info.

Early versions of TDE supported extracting the key from a certificate. This was only supported for column encryption and was rarely used. It is unlikely that you are using PKI keys, but if you are concerned, here is how you can check:
- PKI keys were only used with column-level encryption and are not compatible with tablespace encryption. If you are using tablespace encryption, then you cannot be using PKI TDE keys. To check, query V$ENCRYPTED_TABLESPACES. If any rows are returned, then you cannot be using PKI TDE keys because tablespace encryption doesn't work with PKI keys, and you can stop here. If no rows were returned, proceed to step two.
- Query DBA_ENCRYPTED_COLUMNS. Are any rows returned? In almost all cases the answer will be no since we haven't recommended column encryption since Oracle 11.1. If zero rows are returned, there are no encrypted columns, and you are almost certainly not using PKI TDE keys, but you should still run step three to make certain no one ever initialized the master key using PKI.

To verify that your database’s master encryption key was not initialized using PKI, run this query:

select cert_id from v$wallet where status='IN USE';

If there are zero rows returned, you are NOT using PKI encryption keys and you may proceed with the upgrade to 23c. If you have one or more rows returned, then you should rekey your database using:

administer key management set key identified by <keystore password> with backup;

After which you are clear to proceed with your upgrade.
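
The three checks above combined into one script, as an added example that is not part of the original answer or Oracle's own code. It assumes a SQL*Plus or SQLcl session (for `set serveroutput on`) and a user with SELECT access to the three views named in the answer; the variable names are illustrative.

```sql
set serveroutput on

declare
  l_enc_tablespaces  pls_integer;  -- step 1: rows in V$ENCRYPTED_TABLESPACES
  l_enc_columns      pls_integer;  -- step 2: rows in DBA_ENCRYPTED_COLUMNS
  l_wallet_rows      pls_integer;  -- step 3: rows from the answer's V$WALLET query
begin
  select count(*) into l_enc_tablespaces from v$encrypted_tablespaces;
  select count(*) into l_enc_columns     from dba_encrypted_columns;

  -- Same predicate as the query in the answer, counted instead of listed.
  select count(*) into l_wallet_rows
  from   v$wallet
  where  status = 'IN USE';

  dbms_output.put_line('Encrypted tablespaces     : ' || l_enc_tablespaces);
  dbms_output.put_line('Encrypted columns         : ' || l_enc_columns);
  dbms_output.put_line('V$WALLET rows with IN USE : ' || l_wallet_rows);

  if l_enc_tablespaces > 0 then
    -- Step 1: tablespace encryption does not work with PKI keys, so stop here.
    dbms_output.put_line('Result: tablespace encryption in use, not using PKI TDE keys.');
  elsif l_wallet_rows = 0 then
    -- Step 3 returned no rows: master key was not initialized using PKI.
    if l_enc_columns = 0 then
      dbms_output.put_line('Result: no encrypted columns and no PKI master key.');
    else
      dbms_output.put_line('Result: encrypted columns exist, but no PKI master key.');
    end if;
  else
    -- Step 3 returned rows: rekey before the upgrade, using the
    -- ADMINISTER KEY MANAGEMENT ... WITH BACKUP statement from the answer.
    dbms_output.put_line('Result: rekey required before upgrading to 23c.');
  end if;
end;
/
```

The script only reads the views; the rekey itself is left as a manual step because it needs the keystore password.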


Comments

Thanks!

Charles, August 21, 2023 - 11:27 am UTC

Connor, thanks for passing along the detailed response from Russ Lowenthal, this is very helpful!
Connor McDonald
August 25, 2023 - 4:45 am UTC

glad we could help
