Fortanix: Oracle TDE Deployment

Created by Customer Support, Modified on Mon, 23 Feb at 8:44 AM by Customer Support

Title: Deployment Guide – Fortanix: Oracle TDE
Product/System: Fortanix
Company: Ask4key Sdn Bhd
Version: 1.0
Date: 23rd February 2026
Author: Ariff
Confidentiality: Internal Use Only

 

Revision History

Version | Date | Description | Author | Reviewed By | Approved by
1.0 | 23/02/26 | Initial version created | Ariff | |


1    Introduction

This document describes the deployment of Fortanix Data Security Manager (DSM) as the external keystore (HSM) for Oracle Transparent Data Encryption (TDE). It covers the architecture and the configuration steps on both the Fortanix side and the Oracle side.

 

 

2    Architecture Diagram

2.1    Fortanix Integration with Oracle

Figure 1: Oracle Architecture with Fortanix

  • Fortanix Data Security Manager (DSM)
    Cloud service used to securely generate, store, and use cryptographic keys. In this deployment it holds the TDE master encryption key, which never leaves DSM.

  • PKCS#11
    Standard API (Cryptoki) for cryptographic tokens such as hardware security modules (HSMs). Oracle loads the Fortanix PKCS#11 library and uses it to call DSM, so from Oracle's point of view DSM is an HSM keystore.

  • Oracle wallet
    Encrypted file managed by Oracle. In an HSM deployment the auto-login wallet stores the DSM application credential (the HSM_PASSWORD secret) so the database can open the HSM keystore at startup without an operator entering the password.

  • Oracle PDB (pluggable database)
    Portable collection of schemas, schema objects, and non-schema objects that appears to an Oracle Net client as a standalone (non-CDB) database. PDBs live inside a container database (CDB).


2.2    Fortanix: Master Encryption Key (MEK) Key Wrapping

Figure 2: Key Wrapping for DEK

  • Master Encryption Key (MEK)
    Generated and held by Fortanix DSM. It is used only to wrap (encrypt) and unwrap the DEKs; the database never receives the MEK in plaintext.

  • Data Encryption Key (DEK)
    Generated by Oracle and used to encrypt the column or tablespace data. Oracle stores each DEK only in wrapped form, so the data cannot be read without access to the MEK in DSM.


2.3    Oracle: Column Encryption

Figure 3: Oracle - Column Encryption

Column encryption – encrypts specific columns in a table rather than encrypting the entire tablespace.

2.4    Oracle: Tablespace Encryption

Figure 4: Oracle - Tablespace Encryption

Tablespace encryption – encrypts all data stored within a tablespace at rest.

 

3    Integration Setup

3.1    Fortanix: Application Creation

Step 1. Log in to the Fortanix DSM portal.

  • APAC region: https://apac.smartkey.io

Step 2. Create a group.

  • Navigate to the Groups tab and create a new group.
  • Set the title for the new group and click Save.

Step 3. Navigate to the Apps tab and create a new application.

  • Set the application name.
  • Authentication method = API key.
  • Assign the app to the group created in Step 2.

An app can only use keys in the groups it is assigned to, so keep the Oracle app in a group dedicated to this database's TDE keys.

Step 4. Retrieve the app UUID and credentials.

  • Navigate to "Apps" and select the app you created.
  • In the "INFO" tab, click "VIEW API KEY DETAILS".
  • To retrieve the app UUID and password, open the "USERNAME/PASSWORD" tab.

The password shown here is the credential Oracle uses to open the HSM keystore (section 3.4) and that is later stored in the auto-login wallet (section 3.5). Treat it as a production secret: record it in the password vault and do not leave it in shell history or scripts.

3.2    Oracle: PKCS#11 Agent Installation

Installation with RPM package. Run the steps below on each database host (every RAC node).

Step 1. Create "em-agent.repo" in "/etc/yum.repos.d" with the content below. The baseurl shown is for EL7 x86_64; use the path matching the host's OS release.

  • nano /etc/yum.repos.d/em-agent.repo

[em-agent]
name=EM Agent  - $basearch
baseurl=https://download.fortanix.com/linux/yum/el7/x86_64
enabled=1
gpgkey=https://download.fortanix.com/linux/yum/fortanix.pub
gpgcheck=1

Keep gpgcheck=1 so that yum verifies the package signature against the Fortanix key.

Step 2. Refresh the repository metadata so the latest package is visible.

  • sudo yum update

Note: "yum update" also upgrades every installed package on the host. On a production database server prefer "sudo yum makecache", which only refreshes the repository metadata.

Step 3. Install the package.

  • sudo yum install fortanix-pkcs11

Step 4. Locate the PKCS#11 library and change to its directory.

  • sudo find / -type f -name "*fortanix_pkcs11*"
  • cd /opt/fortanix/pkcs11

Step 5. Copy "fortanix_pkcs11.so" to the location where Oracle looks for a PKCS#11 library. Create the target directory first (mkdir -p). <version> is the library version, preferably in the form number.number.number, and only one library may be present under /opt/oracle/extapi/64/hsm.

  • cp fortanix_pkcs11.so /opt/oracle/extapi/64/hsm/fortanix/<version>/libpkcs11.so

Step 6. Make the library readable by the "oracle" user.

  • sudo chown -R oracle:oinstall /opt/oracle/extapi
  • sudo chmod -R 755 /opt/oracle/extapi

Limit the change to /opt/oracle/extapi. Running chown/chmod -R 775 over all of /opt/oracle (which in this guide is also $ORACLE_BASE, holding datafiles and the TDE wallet) would make every file group-writable and world-readable.

Step 7. Create the configuration directory for the Fortanix library.

  • sudo mkdir -p /etc/fortanix
  • sudo chown -R oracle:oinstall /etc/fortanix
  • sudo chmod -R 750 /etc/fortanix

Step 8. Create the pkcs11.conf file. It needs:

  api_endpoint = DSM portal URL (https://apac.smartkey.io)
  app_id = app UUID (retrieved in section 3.1, Step 4)
  log file = /etc/fortanix/pkcs11.log

The DSM app password is not stored in this file; Oracle supplies it through the IDENTIFIED BY clause in the following sections. Use straight double quotes, not the typographic quotes a word processor inserts.

  • nano /etc/fortanix/pkcs11.conf

api_endpoint = "https://<fortanix_dsm_url>"
app_id = "95XXX8-XXXX0-4442-XXXX5-XXXX9c"
prevent_duplicate_opaque_objects = true
retry_timeout_millis = 60000
[log]
file = "<log filename>"
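The check below is an added example and is not part of the Fortanix package or of Oracle; it validates a pkcs11.conf before the library is first used, so a mistyped file fails here rather than as an opaque error from sqlplus. It assumes the key names shown above (api_endpoint, app_id and the [log] file entry); the function names, the UUID and absolute-path expectations, and the sample files are this guide's own assumptions, not a Fortanix parser.

```shell
#!/bin/sh
# Added example (not part of the Fortanix package or Oracle): sanity-check
# /etc/fortanix/pkcs11.conf before the first TDE operation.
# Assumed: keys api_endpoint, app_id and the [log] file entry as shown in this
# guide; values may be written with or without double quotes.

UUID_RE='^[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$'

# conf_value FILE KEY : print the first value of KEY, trailing blanks and quotes removed
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
    | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_pkcs11_conf FILE : 0 if usable, 1 otherwise; every problem is reported on stderr
check_pkcs11_conf() {
  conf=$1; rc=0
  # Curly quotes pasted from a document are the usual reason the file fails to parse
  if grep -q -e '“' -e '”' -e '‘' -e '’' "$conf"; then
    echo "$conf: typographic quotes found; use straight double quotes" >&2; rc=1
  fi
  # The app id and password travel over this connection, so it must be TLS
  ep=$(conf_value "$conf" api_endpoint)
  case $ep in
    https://*) ;;
    *) echo "$conf: api_endpoint must start with https:// (got '$ep')" >&2; rc=1 ;;
  esac
  # app_id is the DSM app UUID from the USERNAME/PASSWORD tab, not the app name
  app=$(conf_value "$conf" app_id)
  if ! printf '%s\n' "$app" | grep -q "$UUID_RE"; then
    echo "$conf: app_id '$app' is not a UUID" >&2; rc=1
  fi
  # The library runs inside the Oracle server process, whose working directory
  # is not predictable, so the log path must be absolute
  logf=$(conf_value "$conf" file)
  case $logf in
    /*) ;;
    *) echo "$conf: [log] file must be an absolute path (got '$logf')" >&2; rc=1 ;;
  esac
  # The file names which DSM app this host acts as; do not leave it world-readable
  if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
    echo "$conf: world-readable; chmod 640 and chown oracle:oinstall" >&2; rc=1
  fi
  return $rc
}

# Usage on the database host:  check_pkcs11_conf /etc/fortanix/pkcs11.conf && echo OK
```

Run it as the oracle user after Step 8; a non-zero exit lists every problem found, and the same checks are worth repeating after any edit to the file.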

 

 

 

3.3    Wallet Creation

Step 1. Connect to the session as the "oracle" user.

  • su - oracle

Step 2. Identify "$ORACLE_BASE" and "$ORACLE_SID".

  • echo $ORACLE_BASE
  • echo $ORACLE_SID

Step 3. Create the wallet directory below. It must be owned by the "oracle" user and should not be readable by other users.

  • mkdir -p <$ORACLE_BASE>/admin/<$ORACLE_SID>/wallet/tde

Step 4. Log in to SQL*Plus as SYSDBA.

  • sqlplus / as sysdba

Step 5. Set the wallet root. WALLET_ROOT points at the parent directory; Oracle uses its "tde" subdirectory for TDE wallets, which is why the directory created in Step 3 ends in /tde. The example below uses $ORACLE_BASE=/opt/oracle and $ORACLE_SID=ORCLCDB.

  • ALTER SYSTEM SET WALLET_ROOT="/opt/oracle/admin/ORCLCDB/wallet" scope=spfile;

For a RAC database use the command below:

  • ALTER SYSTEM SET WALLET_ROOT="<$ORACLE_BASE>/admin/<$ORACLE_SID>/wallet" scope=spfile sid='*';

Step 6. Restart the database. WALLET_ROOT is a static parameter and only takes effect after a restart.

  • shutdown immediate
  • startup

Step 7. Set the TDE keystore type to HSM.

  • ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=both;

For a RAC database use the command below:

  • ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=both sid='*';

Step 8. Ensure all PDBs are open in read/write mode.

  • ALTER PLUGGABLE DATABASE ALL OPEN;
  • show pdbs;

3.4    Setting up Wallet Password

The password used in this section is the DSM app password retrieved in section 3.1, Step 4; Oracle passes it to the PKCS#11 library as the HSM PIN.

Step 1. Open the HSM keystore.

  • ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER = ALL;

Step 2. Set the TDE master encryption key. This creates the MEK in Fortanix DSM and activates it for the root and all PDBs.

  • ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER = ALL;

If Step 2 fails with ORA-46665, set the key in each PDB individually:

  • alter session set container=<PDB_NAME>;
  • ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<DSM_APP_PASSWORD>";

 

3.5    Setting up Auto-Login Wallet (for version 19c and above)

Without an auto-login wallet the HSM keystore has to be opened manually with the DSM app password after every restart. The steps below create a software wallet that stores the DSM app password as the HSM_PASSWORD secret, then turn it into an auto-login wallet. Some 19c releases have known issues with auto-login wallets; verify the result on your release (Step 11).

Step 1. Check the encryption wallet status.

  • select * from V$ENCRYPTION_WALLET;

Step 2. If the wallet status is OPEN, close it. Run this from the CDB$ROOT session.

  • ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER = ALL;

Step 3. Change the keystore type to a software wallet.

  • ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE";

Step 4. Create the software keystore.

  • ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<$ORACLE_BASE>/admin/<$ORACLE_SID>/wallet/tde' IDENTIFIED BY "<DSM_APP_PASSWORD>";

The password given here protects the software wallet (ewallet.p12). This guide reuses the DSM app password; a separate wallet password is allowed and preferable, as long as the same value is used in Steps 5 to 8.

Step 5. Open the software keystore.

  • ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER=ALL;

Step 6. Add the DSM app password as a secret in the software wallet. The client name must be exactly HSM_PASSWORD; that is the name Oracle looks up when it opens an HSM keystore through an auto-login wallet.

  • ADMINISTER KEY MANAGEMENT ADD SECRET '<DSM_APP_PASSWORD>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<DSM_APP_PASSWORD>" WITH BACKUP;

Step 7. Close the software keystore.

  • ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<DSM_APP_PASSWORD>";

Step 8. Create the auto-login keystore (cwallet.sso) from the software keystore.

  • ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<$ORACLE_BASE>/admin/<$ORACLE_SID>/wallet/tde' IDENTIFIED BY "<DSM_APP_PASSWORD>";

Step 9. Point TDE back at the HSM, with the file wallet as the auto-login source of the HSM password.

  • ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE";

For a RAC database use the command below:

  • ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" sid='*';

Step 10. Restart the database to verify auto-login.

  • shutdown immediate
  • startup

Step 11. Verify the auto-login wallet. After the restart, and without running any ADMINISTER KEY MANAGEMENT ... OPEN command, the HSM row should show STATUS = OPEN.

  • Select * from v$encryption_wallet;

Step 12. In the case of RAC, copy "ewallet.p12" and "cwallet.sso" to all RAC nodes at ($ORACLE_BASE/admin/$ORACLE_SID/wallet/tde). cwallet.sso lets anyone who can read it open the HSM keystore without a password, so keep both files owned by "oracle" with mode 600, and protect backups of them to the same standard as the data itself.
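An added post-deployment check for sections 3.4 and 3.5 (example code, not Oracle's or Fortanix's): it reads V$ENCRYPTION_WALLET rows and flags any container whose HSM keystore is not OPEN, or whose file wallet is not an auto-login wallet, which would mean the next restart needs the password again. The row format, the status and wallet-type values it expects, the function names and the sample rows are assumptions constructed for this example; the fetch function requires sqlplus on the database host and is only shown, not exercised offline.

```shell
#!/bin/sh
# Added example (not Oracle or Fortanix code): decide from V$ENCRYPTION_WALLET
# whether every container can reach its HSM-backed master key.
# Input rows (one per line): CON_ID|WRL_TYPE|STATUS|WALLET_TYPE
# Assumed healthy state after 3.4/3.5: every CON_ID has an HSM row with
# STATUS=OPEN; a FILE row, if present, is an auto-login wallet. The FILE wallet
# holds only the HSM_PASSWORD secret, so OPEN_NO_MASTER_KEY on that row is normal.

# fetch_wallet_rows : query the live database (needs sqlplus as the oracle user)
fetch_wallet_rows() {
  sqlplus -S / as sysdba <<'EOF'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 200 TRIMOUT ON
SELECT con_id || '|' || wrl_type || '|' || status || '|' || wallet_type
  FROM v$encryption_wallet ORDER BY con_id, wrl_type;
EXIT
EOF
}

# trim STR : strip leading/trailing blanks (sqlplus pads columns)
trim() { t=$1; t=${t#"${t%%[! ]*}"}; t=${t%"${t##*[! ]}"}; printf '%s' "$t"; }

# check_wallet_rows : read rows on stdin; 0 if healthy, 1 otherwise (reasons on stderr)
check_wallet_rows() {
  rc=0; hsm_open=""; file_cons=""
  while IFS='|' read -r con wrl status wtype; do
    con=$(trim "$con"); wrl=$(trim "$wrl"); status=$(trim "$status"); wtype=$(trim "$wtype")
    [ -n "$con" ] || continue
    case $wrl in
      HSM)
        if [ "$status" = "OPEN" ]; then
          hsm_open="$hsm_open $con"
        else
          # OPEN_NO_MASTER_KEY here means SET KEY never activated a key for this container
          echo "CON_ID $con: HSM keystore is $status, expected OPEN" >&2; rc=1
        fi ;;
      FILE)
        file_cons="$file_cons $con"
        case $wtype in
          AUTOLOGIN|LOCAL_AUTOLOGIN) ;;
          *) echo "CON_ID $con: FILE wallet type is $wtype; the HSM password will be needed at next startup" >&2; rc=1 ;;
        esac
        case $status in
          OPEN|OPEN_NO_MASTER_KEY) ;;
          *) echo "CON_ID $con: FILE wallet is $status" >&2; rc=1 ;;
        esac ;;
      *) echo "CON_ID $con: unexpected WRL_TYPE '$wrl'" >&2; rc=1 ;;
    esac
  done
  # A container with only a FILE wallet has no path to the master key in DSM
  for con in $file_cons; do
    case " $hsm_open " in
      *" $con "*) ;;
      *) echo "CON_ID $con: FILE wallet present but no open HSM keystore" >&2; rc=1 ;;
    esac
  done
  [ -n "$hsm_open" ] || { echo "no HSM keystore rows: KEYSTORE_CONFIGURATION is not HSM" >&2; rc=1; }
  return $rc
}

# Usage on the database host, after the restart in Step 10:
#   fetch_wallet_rows | check_wallet_rows && echo "TDE keystore healthy"
```

Run it straight after the restart in Step 10 and again after any key rotation (section 3.6); a non-zero exit before any application traffic is far cheaper than discovering a closed keystore when the first encrypted block is read.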

 

 

3.6    Oracle: Rotate Master Key

Each SET KEY creates a new master encryption key in Fortanix DSM and re-wraps the DEKs under it. Do not delete or disable the previous keys in DSM: backups and archived data taken before the rotation are still wrapped with them.

3.6.1    Without Using Auto-Login Wallet

Using a container database:

  • ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER = ALL;

Using a non-container database:

  • ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<DSM_APP_PASSWORD>";

3.6.2    Using Auto-Login

FORCE KEYSTORE lets the command run while the auto-login keystore is open, without closing it first.

Using a container database:

  • ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER = ALL;

Using a non-container database:

  • ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<DSM_APP_PASSWORD>";

 


4    Applying Encryption

4.1    Column Encryption

Step 1. Create a table with a selectively encrypted column (salary only). Without a USING clause the column is encrypted with the default algorithm, AES192.

  • CREATE TABLE employee (first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER, salary NUMBER(6) ENCRYPT);

Step 2. Alter an existing column to be encrypted (empID, with AES256).

  • ALTER TABLE employee MODIFY (empID ENCRYPT USING 'AES256');

Step 3. List the encrypted columns and their algorithms.

  • select * from dba_encrypted_columns;

Step 4. Re-encrypt a column with a different algorithm (supported values are 3DES168, AES128, AES192 and AES256).

  • ALTER TABLE employee MODIFY (empID DECRYPT);
  • ALTER TABLE employee MODIFY (empID ENCRYPT USING 'AES192');

Encrypted columns use a salt by default; a column that needs a B-tree index must be encrypted with ENCRYPT NO SALT.

 

4.2    Tablespace Encryption

Step 1. Check the COMPATIBLE parameter; tablespace encryption needs 11.2.0.0 or higher.

  • SHOW PARAMETER COMPATIBLE;

Step 2. If COMPATIBLE is lower, raise it and restart. Raising COMPATIBLE cannot be undone, so confirm the value with the DBA team first.

  • ALTER SYSTEM SET COMPATIBLE='11.2.0.0' scope=spfile;
  • shutdown immediate
  • startup

Step 3. Check the existing datafile locations, to choose the path for the new datafile.

  • SELECT file_name FROM dba_data_files;

Step 4. Create an encrypted tablespace. DEFAULT STORAGE(ENCRYPT) makes every object created in it encrypted by default.

  • CREATE TABLESPACE encrypted_ts
      DATAFILE '<PATH_TO_DATAFILE>/encrypted_ts01.dbf' SIZE 128K
      AUTOEXTEND ON NEXT 64K
      ENCRYPTION USING 'AES256'
      DEFAULT STORAGE(ENCRYPT);

This statement only creates a new encrypted tablespace; data already held in unencrypted tablespaces stays unencrypted until it is moved into one.

 



5    Appendix & Reference

5.1    Glossary

Term | Meaning
CDB | Container Database
DEK | Data Encryption Key
DSM | Data Security Manager
HSM | Hardware Security Module
MEK | Master Encryption Key
PDB | Pluggable Database
TDE | Transparent Data Encryption


5.2    Tools & Resources

  • Fortanix Admin Portal: https://apac.smartkey.io/

 

 

 
