
Question and Answer

Connor McDonald

Thanks for the question, Jim.

Asked: August 08, 2017 - 12:58 pm UTC

Last updated: August 16, 2017 - 11:59 am UTC

Version: 12.1


You Asked

How does the TDE local auto-login key identify the machine that it has been created on?
If I create it on a vm with a system name (of the vm) of my_test_ora01, does TDE use the system name? the ip address assigned to the system? or the vm host system?
The context of the question is that we want to set up a disaster recovery site. If I use a local auto-login key for TDE on my main system, do I need a non-local auto-login key as well so that I can recover the system on the backup site on a different vm? Or do I have to create a new auto-login key as part of the recovery process?
Thanks, the documentation says that the local auto-login key "knows" what machine it is running on. This glosses over the details and doesn't address disaster recovery issues.
Thanks,

and Connor said...

From the docs:

"

How are Oracle wallets containing TDE master keys protected?

There are three different types of wallets to consider when you use an Oracle wallet as the keystore for TDE master keys: password-based wallet, auto-login wallet, and local auto-login wallet. All of these wallets externalize TDE master keys, so they are separate from TDE-encrypted data. Oracle recommends that you place wallet files in local or network directories that are protected by tight file permissions and other security measures.

The password-based wallet is an encrypted key storage file (ewallet.p12) that follows the PKCS #12 standard. It is encrypted by a password-derived key according to the PKCS #5 standard. A human user must enter a command containing the password for the database to open the wallet, decrypt its contents, and gain access to keys. The password-based wallet is the default keystore for TDE master keys. In the past, it was encrypted using the 3DES168 encryption algorithm and CBC operating mode. The orapki command convert wallet enables you to convert password-based wallets to AES256 and CBC operating mode. Oracle Database Security Guide provides details about using orapki to convert wallets.

Auto-login wallets (cwallet.sso) optionally are derived from standard password-based wallets for special cases where automatic startup of the database is required with no human interaction to enter a wallet password. When using auto-login wallet, the master password-based wallet must be preserved because it is needed to rotate the TDE master key. In addition to the best practice of storing auto-login wallet in a local or network directory that is protected by tight file permissions, the file contents are scrambled by the database using a proprietary method for added security. A slight variation on the auto-login wallet called local auto-login wallet has similar behavior. One notable difference with local auto-login wallet is that its contents are scrambled using additional factors taken from the host machine where the file was created. This renders the local auto-login wallet unusable on other host machines. Details of the host factors and scrambling technique are proprietary.
"

So that last line is significant here - it's not public, and also gives us the right to change it at our whim. So even if it was known or derivable, you'd be running a risk if you opted to take advantage of that fact.

A recent whitepaper discussing TDE and Data Guard can be found here:

http://www.oracle.com/technetwork/database/availability/tde-conversion-dg-3045460.pdf
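The practical consequence of the quoted paragraph is a DR runbook: keep the password-based wallet (ewallet.p12), never rely on a copied local cwallet.sso, and regenerate the local auto-login wallet on whichever host the database is recovered to. The following is an added example, not part of Connor's answer or of the Oracle documentation; it uses the documented 12.1 ADMINISTER KEY MANAGEMENT syntax, but the wallet directory (/etc/ORACLE/WALLETS/orcl), the keystore password ("k3yst0re_pw") and the backup tag ('initial_master_key') are assumed values for illustration, and it assumes sqlnet.ora on both hosts points ENCRYPTION_WALLET_LOCATION at that directory.

```sql
-- Added example (not from the AskTom answer). Assumes a 12.1 non-CDB whose
-- sqlnet.ora sets ENCRYPTION_WALLET_LOCATION to /etc/ORACLE/WALLETS/orcl on
-- both the primary and the DR host, and a hypothetical keystore password.
-- Run in SQL*Plus as a user with SYSKM (or SYSDBA).

-- 1. Primary: create the password-based wallet (ewallet.p12, PKCS #12,
--    encrypted with a PKCS #5 password-derived key). This is the file that
--    must survive; it is the only form of the keystore that is host-portable.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY "k3yst0re_pw";

-- 2. Primary: open it and set the TDE master key. WITH BACKUP copies the
--    wallet before the new key is written, so a failed write cannot lose
--    the only copy of the key.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "k3yst0re_pw";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "k3yst0re_pw"
  WITH BACKUP USING 'initial_master_key';

-- 3. Primary: derive a LOCAL auto-login wallet (cwallet.sso) so the
--    instance starts without a human typing the password. Its contents are
--    scrambled with host-specific factors, so this file will not open on
--    the DR VM even if it is copied there.
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY "k3yst0re_pw";

-- 4. Primary: confirm which wallet the instance is actually using.
--    Expected: WALLET_TYPE = LOCAL_AUTOLOGIN, STATUS = OPEN.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 5. DR host, after restoring the database and copying ONLY ewallet.p12
--    (not cwallet.sso) into the tightly-permissioned wallet directory:
--    rebuild a local auto-login wallet from the password-based wallet.
--    The master key is unchanged; only the host-bound scrambling is redone.
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY "k3yst0re_pw";

-- 6. DR host: the same check as step 4 should now report LOCAL_AUTOLOGIN /
--    OPEN on the new machine. If it reports CLOSED, the database found no
--    usable cwallet.sso (a stale copy from the primary is the usual cause).
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;
```

Two points worth making explicit. First, the local auto-login wallet is a convenience derived from ewallet.p12, so what you escrow off-host for DR is the password-based wallet and its password, not cwallet.sso; the ewallet.p12 copy must itself be stored with the same care as the database backups it unlocks. Second, if unattended startup on the DR host is not required, step 5 can be skipped entirely and the wallet opened manually with SET KEYSTORE OPEN after the restore.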


Comments

reply from original question

Jim Berg, August 14, 2017 - 1:52 pm UTC

Thanks, I was hoping for more information about how the local key was generated, but you answered my question. I need to keep an auto-login key file in case I need to move my server to another machine. And I'll need to keep that key off of my server so that it cannot be hacked with the rest of the database files.

Connor McDonald, August 16, 2017 - 11:59 am UTC

"I was hoping for more information about how the local key was generated"

Yup - that's why I said:

"Details of the host factors and scrambling technique are proprietary."

which is a phrase equivalent to:

"I don't know and the people that DO know probably won't tell me" :-)
