Steps to fix a lost Transparent Data Encryption (TDE) wallet password in an OCI Base Database Service system
Note: When you first provision the DB system, the TDE wallet password is typically the same as the SYS password.
To fix a lost Transparent Data Encryption (TDE) wallet password in an OCI Base Database Service system, first try updating the password directly from the OCI Console.
Steps to Fix Lost TDE Wallet Password
----------------------------------------
The Console option only lets you change the TDE wallet password when you already know the existing password.
Using OCI Console (Recommended)
1) Go to the Oracle Cloud Infrastructure (OCI) Console.
2) Navigate to the DB system and select the specific database.
3) Select Manage passwords from the Actions menu.
4) Select Update TDE wallet password.
5) Enter a new password.
Plan B
If you do not have the old TDE wallet password but an auto-login wallet (cwallet.sso) is available, you can check any candidate passwords against the wallet and, if none works, merge the existing keystore into a newly created empty wallet that has a password you choose.
Recovery Steps (if auto-login wallet is available)
Follow these steps:
1) Determine the TDE wallet location on the source
   - Log in to the source DB host as the oracle user.
   - Find the wallet directory from sqlnet.ora:
     grep ENCRYPTION_WALLET_LOCATION $ORACLE_HOME/network/admin/sqlnet.ora
   - On OCI DB Systems the wallet is typically under:
     /opt/oracle/dcs/commonstore/wallets/tde/$ORACLE_UNQNAME
   - If needed, get db_unique_name:
     sqlplus "/ as sysdba"
     SQL> show parameter db_unique_name
2) Verify candidate passwords against the wallet
   - Using orapki (prompts for the wallet password):
     orapki wallet display -wallet /opt/oracle/dcs/commonstore/wallets/tde/$ORACLE_UNQNAME/ewallet.p12 -summary
   - Or using mkstore (also prompts for the password):
     mkstore -wrl /opt/oracle/dcs/commonstore/wallets/tde/$ORACLE_UNQNAME -list
   - If the password is correct, the wallet contents (master key information) are displayed. If it is incorrect, you get a PKI "incorrect password" error. Both commands only read the wallet, so the check can be repeated safely.
3) Merge the existing keystore into a newly created empty wallet
   - First back up the current wallet directory (ewallet.p12 and cwallet.sso).
   - Check the wallet status and type:
     SQL> SELECT wrl_type, wrl_parameter, status, wallet_type FROM V$ENCRYPTION_WALLET;
   If WALLET_TYPE shows AUTOLOGIN, you can merge the wallet as follows.
   a. Create a new empty wallet at a location other than the original wallet.
      SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<New location for wallet>' IDENTIFIED BY <any wallet password>;
   b. Merge the existing keystore into the newly created empty wallet. No password is needed for the first keystore because it is auto-login.
      SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '<Original Keystore location>' INTO EXISTING KEYSTORE '<Newly created wallet location>' IDENTIFIED BY <Newly created wallet password> WITH BACKUP;
   c. Create an auto-login wallet for the merged keystore.
      NOTE: Specify the location of the merged wallet here, i.e. the location of the newly created wallet.
      SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<Newly created wallet location>' IDENTIFIED BY <Newly created wallet password>;
   d. Test the newly merged wallet by changing the wallet location in sqlnet.ora so that the DIRECTORY entry points to the merged wallet:
      $ cat <Directory>/sqlnet.ora
      ENCRYPTION_WALLET_LOCATION=
        (SOURCE = (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = <Merged Wallet location>)))
      SQL> select * from v$encryption_wallet;
   e. If the wallet is open and the database is accessible, copy the wallet files to the default location (after taking a backup of it) and correct the path in sqlnet.ora.
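As an added example (not part of the original post and not Oracle tooling), the following POSIX shell helpers do the preparatory part of step 3: they classify the wallet directory, take the backup, and generate the SQL*Plus script for steps a to c so it can be reviewed before being run as SYSDBA. The wallet layout (ewallet.p12 plus cwallet.sso), the script name and all paths are assumptions; the new wallet password is prompted for inside SQL*Plus with ACCEPT ... HIDE rather than placed on the command line.

```shell
# Added example (not from the original post): pre-flight helpers for the
# wallet-merge recovery. Assumes DIR holds ewallet.p12 and cwallet.sso.

# tde_wallet_kind DIR -> prints autologin | password-only | none
# Only an "autologin" wallet can be merged without the lost password.
tde_wallet_kind() {
  dir=$1
  if [ ! -f "$dir/ewallet.p12" ]; then
    echo none
    return 1
  fi
  if [ -f "$dir/cwallet.sso" ]; then echo autologin; else echo password-only; fi
}

# tde_backup_wallet DIR -> copies the wallet files to DIR.bak.<timestamp>
# and prints the backup path. Do not touch the original before this succeeds.
tde_backup_wallet() {
  dir=${1%/}
  bak="$dir.bak.$(date +%Y%m%d%H%M%S)"
  mkdir -p "$bak"
  for f in "$dir/ewallet.p12" "$dir/cwallet.sso"; do
    if [ -f "$f" ]; then cp -p "$f" "$bak/"; fi
  done
  echo "$bak"
}

# tde_merge_sql ORIG_DIR NEW_DIR -> prints the SQL*Plus script for steps a-c.
# The new wallet password is prompted for (HIDE) inside SQL*Plus, so it is
# neither passed on the command line nor written into this file.
tde_merge_sql() {
  orig=$1
  new=$2
  cat <<EOF
-- Run as SYSDBA (needs ADMINISTER KEY MANAGEMENT); review the paths first.
SET VERIFY OFF
ACCEPT pw CHAR PROMPT 'Password for the new wallet: ' HIDE
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '$new' IDENTIFIED BY "&pw";
-- No password for the source keystore: it is opened via its auto-login file.
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '$orig' INTO EXISTING KEYSTORE '$new' IDENTIFIED BY "&pw" WITH BACKUP;
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '$new' IDENTIFIED BY "&pw";
SELECT wrl_parameter, status, wallet_type FROM v\$encryption_wallet;
EOF
}

# Usage: sh tde_merge_prep.sh <original wallet dir> <new empty wallet dir>
if [ $# -eq 2 ]; then
  echo "wallet kind: $(tde_wallet_kind "$1")"
  echo "backup:      $(tde_backup_wallet "$1")"
  tde_merge_sql "$1" "$2" > merge_tde.sql && echo "wrote merge_tde.sql"
fi
```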
References:
- Quick TDE Setup and FAQ (Doc ID 1251597.1)
- TDE Recovery Scenarios (Doc ID 3011213.1), which describes all the different recovery scenarios
- Primary Note For Transparent Data Encryption (TDE) (Doc ID 1228046.1)
- https://docs.oracle.com/en/database/oracle/oracle-database/21/asoag/managing-keystore-and-tde-master-encryption-key.html
If No Auto-Login Wallet Exists
-------------------------------
If no auto-login wallet file (cwallet.sso) exists for the old wallet and the password for the ewallet.p12 file is lost or the file is damaged, it may not be possible to open the wallet, and the encrypted data cannot be accessed.
In this scenario, you must restore the ewallet.p12 file from a backup taken at a time when the password was known.
If the wallet merge steps fail, creating a new OCI Database System (DB System) from an automatic backup is the primary recovery path, provided automatic backups are enabled and the wallet is in AUTOLOGIN status.
Create a DB System from a Backup
https://docs.oracle.com/en/cloud/paas/base-database/create-dbs-from-backup/index.html#articletitle
Regards,
Thank you