Reverting Oracle TDE Configuration from Oracle Key Vault to a Local Wallet
If you are running a POC with OKV or planning to decommission an OKV environment, this blog provides a reliable way to return to a standard local wallet configuration without affecting encrypted data. 

1. Identify the Wallet Location Used by the Database

SELECT con_id, wrl_parameter
FROM v$encryption_wallet
WHERE wrl_parameter IS NOT NULL;

2. Verify That the Wallet Directory Exists

ls -l /u01/app/oracle/admin/ORCL/wallet/tde/

3. If the wallet directory doesn't exist, create a new local keystore:

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<wallet_password>";

4. Update the tde_configuration parameter to the 'FILE|OKV' value, so that both the local file keystore and Oracle Key Vault are configured while the keys are migrated:

ALTER SYSTEM SET tde_configuration = "KEYSTORE_CONFIGURATION=FILE|OKV" SCOPE=BOTH;

5. Now perform the reverse migration. This step moves the TDE encryption keys from Oracle Key Vault back to the local wallet.

ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
IDENTIFIED BY "<LOCAL_wallet_password>" FORCE KEYSTORE
REVERSE MIGRATE USING "<OKV_wallet_password>"
WITH BACKUP;

  • LOCAL_wallet_password – Password for the local wallet.
  • OKV_wallet_password – Password used for the Oracle Key Vault wallet.
  • WITH BACKUP – Creates a backup of the wallet before the migration for safety.

6. Once the keys have been migrated successfully, the database no longer needs to reference Oracle Key Vault. Update the configuration to use only the local file wallet.

ALTER SYSTEM SET tde_configuration = "KEYSTORE_CONFIGURATION=FILE" SCOPE=BOTH;

7. (Optional) To simplify wallet management, you can configure the wallet with AUTO_LOGIN so that the database opens it automatically during startup.

ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
FROM KEYSTORE '/u01/app/oracle/admin/ORCL/wallet/tde'
IDENTIFIED BY "<wallet_password>";

8. After creating the auto-login wallet, close the password-based wallet. The database should automatically switch to the auto-login wallet.

ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
IDENTIFIED BY "<wallet_password>"
CONTAINER=ALL;

9. Finally, confirm that the wallet is open and running in auto-login mode.

SELECT con_id, status, wallet_type FROM v$encryption_wallet;
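
The check below is an added example, not part of the original post: a small script that reads a capture of the step-9 query and reports, per container, whether the reversion is actually complete. It assumes you ran SELECT con_id, wrl_type, status, wallet_type FROM v$encryption_wallet; in SQL*Plus with SET COLSEP '|' and pasted the pipe-separated output into the script; the two sample captures embedded in it are constructed, not taken from a real database. The column names and the STATUS / WALLET_TYPE values it tests for (OPEN, CLOSED, OPEN_NO_MASTER_KEY, AUTOLOGIN, LOCAL_AUTOLOGIN, PASSWORD) are the ones v$encryption_wallet reports; which of them should appear once steps 6 to 8 are done is the script's own interpretation of the procedure above.

```python
# Added example (not from the original post): post-reversion check over a
# pipe-separated capture of
#   SELECT con_id, wrl_type, status, wallet_type FROM v$encryption_wallet;
# The sample captures below are constructed for illustration.
from dataclasses import dataclass

# Constructed sample: CDB root (con_id 1) and one PDB (con_id 3) after every
# step in the procedure has been completed.
WALLET_OUTPUT_AFTER = """
CON_ID|WRL_TYPE|STATUS|WALLET_TYPE
------|--------|------|-----------
1|FILE|OPEN|AUTOLOGIN
3|FILE|OPEN|AUTOLOGIN
"""

# Constructed sample: a run that stopped after step 6, where the PDB wallet is
# still closed and Oracle Key Vault is still reported as an open keystore.
WALLET_OUTPUT_PARTIAL = """
CON_ID|WRL_TYPE|STATUS|WALLET_TYPE
------|--------|------|-----------
1|FILE|OPEN|PASSWORD
1|OKV|OPEN|OKV
3|FILE|CLOSED|UNKNOWN
3|OKV|OPEN|OKV
"""


@dataclass
class WalletRow:
    con_id: int
    wrl_type: str     # FILE, OKV or HSM
    status: str       # OPEN, CLOSED, OPEN_NO_MASTER_KEY, NOT_AVAILABLE, ...
    wallet_type: str  # PASSWORD, AUTOLOGIN, LOCAL_AUTOLOGIN, OKV, UNKNOWN, ...


def parse_wallet_rows(text: str) -> list[WalletRow]:
    """Turn the capture into rows, skipping the header and underline lines."""
    rows = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("CON_ID") or set(line) <= set("-|"):
            continue
        parts = [p.strip().upper() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"unexpected row (expected 4 columns): {raw!r}")
        rows.append(WalletRow(int(parts[0]), parts[1], parts[2], parts[3]))
    return rows


def check_reversion(rows: list[WalletRow], expect_autologin: bool = True) -> dict[int, list[str]]:
    """Return {con_id: [problems]}; an empty list means the container is back
    on a local wallet in the state the procedure aims for."""
    by_con: dict[int, list[WalletRow]] = {}
    for row in rows:
        by_con.setdefault(row.con_id, []).append(row)

    report = {}
    for con_id, con_rows in sorted(by_con.items()):
        problems = []
        # Step 6 dropped OKV from tde_configuration, so an OKV keystore that is
        # still OPEN means the parameter change did not take effect.
        for r in con_rows:
            if r.wrl_type == "OKV" and r.status == "OPEN":
                problems.append("OKV keystore still OPEN: tde_configuration still references OKV")
        file_rows = [r for r in con_rows if r.wrl_type == "FILE"]
        if not file_rows:
            problems.append("no FILE keystore row: local wallet not configured")
        for r in file_rows:
            if r.status == "OPEN_NO_MASTER_KEY":
                problems.append("local wallet has no master key: reverse migration (step 5) did not complete")
            elif r.status != "OPEN":
                problems.append(f"local wallet is {r.status}, expected OPEN")
            if expect_autologin and r.wallet_type not in ("AUTOLOGIN", "LOCAL_AUTOLOGIN"):
                problems.append(f"wallet_type is {r.wallet_type}, expected an auto-login wallet (steps 7-8)")
        report[con_id] = problems
    return report


def reversion_complete(text: str, expect_autologin: bool = True) -> bool:
    """True when at least one container was found and every container passes."""
    report = check_reversion(parse_wallet_rows(text), expect_autologin)
    return bool(report) and all(not p for p in report.values())


if __name__ == "__main__":
    for label, capture in (("after", WALLET_OUTPUT_AFTER), ("partial", WALLET_OUTPUT_PARTIAL)):
        print(f"== {label}: complete={reversion_complete(capture)}")
        for con_id, problems in check_reversion(parse_wallet_rows(capture)).items():
            for p in problems:
                print(f"  con_id {con_id}: {p}")
```

Pass expect_autologin=False if you skipped the optional steps 7 and 8 and intend to keep a password-based wallet; the check then only insists that every container has an OPEN local wallet and no open OKV keystore.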

Always make sure to create backups before performing any key migration steps to ensure recoverability in case something goes wrong.
