Question and Answer

Connor McDonald

Thanks for the question, Johan.

Asked: November 04, 2022 - 6:22 am UTC

Last updated: November 09, 2022 - 2:42 am UTC

Version: Oracle 19c

You Asked

Good morning Tom

TDE and generating a new Master Key - what happens in the background

I have seen an answer where you explain that issuing a new Master Key does not have an impact on the table (or data) being encrypted as such. I understand that.

In my understanding there are two keys involved: the Table Key and the Master Key. The Table Key is actually used for encryption of the tables and not the Master Key. The Master Key is used to encrypt the Table Key and this encrypted Table Key is then stored in the Oracle data dictionary.

So when one rekeys (sets a new Master Key), in my understanding what happens is that the encrypted Table Key must first be decrypted with the existing Master Key, after which this decrypted "open" Table Key is encrypted with the newly generated Master Key.

For example:
Current Master Key(CMK) : w5du8xs
Table Key (TK) : tktktktk (actually a random string)
Encrypting TK with MK : w5du8xs (enc) tktktktk -> a8j4n3gh which is stored in Oracle data dictionary

So when generating a new Master Key (nMK), Oracle must first decrypt a8j4n3gh with the CMK (w5du8xs) to get the TK of tktktktk, after which the new Master Key (nMK) of, for example, zxcvbn275 is used to encrypt the Table Key and this new encrypted value gets stored again.

So IF above mentioned understanding is correct, does that mean that one will not be able to generate a new Master Key if for some "funny" reason (it will not be funny!), the wallet has been damaged and Oracle cannot get hold of the current Master Key? Or also stated otherwise, to generate a new Master key, there must be an existing activated Master Key.

Thanks for allowing me the opportunity to ask.


and Connor said...

That is my understanding of the process. As per MOS 445147.1

"In order to encrypt..., Oracle uses a table encryption key which is unique for each table of the database. All the table encryption keys are encrypted using a master key and stored within the data dictionary. "

and similarly in the docs https://docs.oracle.com/database/121/ASOAG/introduction-to-transparent-data-encryption.htm#ASOAG10139

"When a table contains encrypted columns, TDE uses a single TDE table key regardless of the number of encrypted columns. Each TDE table key is individually encrypted with the TDE master encryption key. All of the TDE table keys are located together in the colklc column of the ENC$ data dictionary table. No keys are stored in plaintext."


If the wallet has been "damaged" then pretty much all bets are off. We store a history of master keys, because you might need to decrypt data that was encrypted under a previous key, but also as per the docs: "You must make a backup of the keystore for all of the critical keystore operations"

Bottom line - don't lose or mess up your wallet
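To make the key hierarchy described in the question and the "back up the keystore" advice in the answer concrete, here is an added example (not part of the original question or answer, and not text from the Oracle documentation) of how a DBA would rekey the TDE master encryption key on 19c with a software keystore and check the result. The keystore password `keystore_pw`, the backup identifiers and the tag text are placeholders and assumptions for the example.

```sql
-- Added example: rekey the TDE master encryption key (MEK) on Oracle 19c.
-- Assumptions (placeholders): keystore password 'keystore_pw', backup
-- identifiers and tag text are free-form; substitute your own values.

-- 1. Check that the keystore is open. The current MEK must be available
--    to unwrap the existing table keys before they can be re-wrapped, so
--    a closed or unusable keystore means the rekey cannot proceed.
SELECT wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
FROM   v$encryption_wallet;

-- 2. Record the MEK history before the change. Older keys stay in the
--    keystore; data encrypted under them can still be decrypted.
SELECT key_id, tag, creation_time, activation_time
FROM   v$encryption_keys
ORDER  BY creation_time;

-- 3. Take an explicit, named keystore backup before the critical operation.
--    (WITH BACKUP below also takes one, but a named copy is cheap insurance.)
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE
  USING 'before_rekey'
  IDENTIFIED BY keystore_pw;

-- 4. Generate and activate a new MEK. Oracle decrypts each table key with
--    the current MEK and re-encrypts it with the new one; the table data
--    itself is not rewritten. WITH BACKUP copies the keystore before the
--    operation, as the documentation requires for critical operations.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'scheduled MEK rotation'
  IDENTIFIED BY keystore_pw
  WITH BACKUP USING 'rekey_backup';

-- 5. Verify: a new row appears with the most recent activation_time, and
--    the previous key is still listed (it is retained, not deleted).
SELECT key_id, tag, activation_time
FROM   v$encryption_keys
ORDER  BY activation_time DESC;

-- 6. Confirm the encrypted columns are unchanged; the rekey touched only
--    the wrapped table keys in the dictionary, not the column encryption.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;
```

Two practical caveats: in a multitenant database (the default in 19c) run the `SET KEY` in the PDB whose data you are rekeying, or from `CDB$ROOT` with `CONTAINER = ALL` if every container should get a new key; and if the keystore is auto-login, add `FORCE KEYSTORE` to the `SET KEY` statement so Oracle temporarily uses the password-based keystore for the operation. Step 1 is the check that matters for the question asked: if `status` is not `OPEN`, or the keystore file is corrupt, the current MEK is unavailable and the rekey has nothing to unwrap the table keys with.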
