TDE and application container complicating upgrade from 18c XE to 21c XE


Question and Answer

Connor McDonald

Thanks for the question, Tim.

Asked: January 10, 2022 - 9:57 am UTC

Last updated: January 31, 2022 - 1:52 am UTC

Version: 18c -> 21c

You Asked


I have an 18c XE database in which I experimented with TDE for a tablespace. That tablespace is no longer present in the database and I'd like the system to forget that I ever tried it out.

I migrated the data from the encrypted tablespace to an unencrypted tablespace and dropped the encrypted tablespace.
I subsequently created an application container database ("app") from the PDB in which I carried out the experiment and created an application database ("live") for that.

I then got the application working (new software, migrated data from 11g XE, ...) and wish to now migrate this to 21c XE on the same RedHat 7 system so that I can have a "play" version of the application based on the same application container as a sibling of the "real" one.

However, if I try to unplug the PDBs, it complains about not having exported the keystore:
alter pluggable database "live" unplug into ..

gives: "ORA-46680: master keys of the container database must be exported".


gives: "ORA-28417: password-based keystore is not open"
administer key management set keystore open identified by "password" container = all

gives "ORA-28354: Encryption wallet, auto login wallet, or HSM is already open"

I tried expdp/impdp and I think that didn't quite work with the application container as it gave all sorts of errors and very little of the application and not the schema which holds the data.

Any suggestions on how (best?) to migrate this to 21c XE?
I think if I can just tell 18c to forget about the encryption I can then unplug/... as per the documentation.


and Connor said...

I spoke to Peter Wahl, our TDE product manager, and to quote him

"once you setup a database with TDE, it's really hard to make it forget again"

So I suspect your best bet will be to use datapump. Typically with app containers you start at the "top" of the container hierarchy, data pump from there, and work your way through the child containers.

If you have dramas, post your output etc via a review.



Thanks for checking

Tim Scott, January 28, 2022 - 9:09 am UTC

My original workaround attempt was by expdp/impdp using the application containers and it made a complete mess of it.
I realised I still had access to the pre-application container (the one I had cloned) and thus did an expdp/impdp and re-converted to an application pair from that in 21c.
I have not yet had to tell 21c about the encryption keys ;-).

It's good to know, however, that I didn't miss a simple step which could have saved me time.
Connor McDonald
January 31, 2022 - 1:52 am UTC

Thanks for getting back to us.

When it comes to encryption etc., it's always going to be hard to get rid of, because of course, that's what a hacker would want to do as well.
