How is the TDE wallet protected?
On Unix, access to the wallet should be limited to the ‘oracle:oinstall’ user:group, using proper directory (700) and file permissions (600). Even though the ‘root’ user has access to the wallet file, if she does not know the wallet password, she has no access to the master encryption key. For all platforms, the password (that encrypts the wallet) should contain a minimum of 8 alphanumeric characters. Wallet passwords can be changed using Oracle Wallet Manager, or the ‘orapki’ utility. It is highly recommended to make a backup of the Oracle Wallet before changing the wallet password. Changing the wallet password does not change the TDE master key (they are independent). Starting with Oracle Database 11g Release 2 (11.2.0.2) on Linux, it is recommended to store the Oracle Wallet in ACFS, a cluster file system on top of ASM (applies to single instance, RAC One Node, multi-node RAC, but not Exadata X2), as its new security features provide excellent wallet protection and separation of du
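The following is an added example, not part of the original FAQ or any Oracle tooling: a POSIX shell check of a wallet directory against the recommendations above (directory mode 700, file mode 600, owner and group ‘oracle:oinstall’). The function name `audit_wallet_perms` and the directory passed to it are assumptions; owner and group can be overridden for sites that use different accounts.

```shell
#!/bin/sh
# Added example: audit a TDE wallet directory against the recommended
# permissions (directory 700, files 600, owner:group oracle:oinstall).
# Usage: audit_wallet_perms DIR [OWNER] [GROUP]
# OWNER and GROUP may be names or numeric IDs (find accepts both).
# Returns the number of failed checks (0 = compliant), or 2 if DIR is missing.
audit_wallet_perms() {
    dir=$1
    owner=${2:-oracle}
    group=${3:-oinstall}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 2
    fi

    # check LABEL FIND-EXPRESSION...
    # Runs find with an expression that matches non-compliant paths.
    # A find error (for example an unknown user name) counts as a failure,
    # so a check that could not run is never reported as a pass.
    check() {
        label=$1
        shift
        if ! out=$(find "$dir" "$@"); then
            echo "FAIL: could not evaluate: $label" >&2
            findings=$((findings + 1))
            return 0
        fi
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | while IFS= read -r p; do
                echo "FAIL: $label: $p"
            done
            findings=$((findings + 1))
        fi
    }

    check "directory mode is not 700" -type d ! -perm 700
    check "file mode is not 600"      -type f ! -perm 600
    check "owner is not $owner"       ! -user "$owner"
    check "group is not $group"       ! -group "$group"

    [ "$findings" -eq 0 ] && echo "OK: $dir matches 700/600 $owner:$group"
    return "$findings"
}
```

Run it as a user that can read the wallet directory and treat any non-zero return as a finding to fix with `chmod`/`chown`.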