
SQL> select name from v$database;

NAME
---------
PRF8SPE

SQL> select name from v$datafile;

NAME
--------------------------------------------------------------------------------
+DATA/PRF8SPE/DATAFILE/system.257.1009023169
+DATA/PRF8SPE/DATAFILE/tbs_cfspe.1
+DATA/PRF8SPE/DATAFILE/sysaux.258.1009023209
+DATA/PRF8SPE/DATAFILE/undotbs1.259.1009023235
/u01/app/orcl/product/12.2.0/dbhome_1/dbs/tbs_cfspe
+DATA/PRF8SPE/DATAFILE/users.260.1009023235
+DATA/PRF8SPE/DATAFILE/tbs_cfqa

7 rows selected.

TABLESPACE                       ALLOC_MB    USED_MB    FREE_MB     % Used     % Free
------------------------------ ---------- ---------- ---------- ---------- ----------
TS_CFSPE                             6144          2       6142        .03      99.97
USERS                                   5          1          4         20         80
TS_CFQA                             14688      11039       3649      75.16      24.84
SYSTEM                                960        901         59      93.85       6.15
SYSAUX                               1590       1504         86      94.59       5.41
UNDOTBS1                              390        383          7      98.21       1.79

6 rows selected.

DROP TABLESPACE TS_CFSPE INCLUDING CONTENTS AND DATAFILES;

DROP TABLESPACE TS_CFQA INCLUDING CONTENTS AND DATAFILES;

DROP USER CFXNGSPE CASCADE;


DROP USER CFDEPSPE CASCADE;
DROP USER CFSPE CASCADE;
DROP USER CFECSPE CASCADE;
DROP USER CFORGSPE CASCADE;
DROP USER CFAPPSPE CASCADE;
DROP USER CFCREGSPE CASCADE;

1. Set the ENCRYPTION_WALLET_LOCATION in $ORACLE_HOME/network/admin/sqlnet.ora

[orcl@vlmazspep8db01 backups]$ cd $ORACLE_HOME/network/admin


[orcl@vlmazspep8db01 admin]$ ls -ltr
total 12
-rw-r--r-- 1 orcl oinstall 1441 Aug 28 2015 shrept.lst
drwxr-xr-x 2 orcl oinstall 64 May 23 11:54 samples
-rw-r----- 1 orcl oinstall 451 May 23 12:15 tnsnames.ora
-rw-r--r-- 1 orcl oinstall 127 Jun 18 09:02 sqlnet.ora
[orcl@vlmazspep8db01 admin]$ cat sqlnet.ora

ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/orcl/admin/PRF8SPE/TDE)))
[orcl@vlmazspep8db01 admin]$ mkdir -p /u01/app/orcl/admin/PRF8SPE/TDE

2. Create the keystore (wallet):

SQL> select * from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER
STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- ------------------------------------------------------------
------------------------------ -------------------- --------- --------- ----------
FILE /u01/app/orcl/admin/PRF8SPE/TDE/
NOT_AVAILABLE UNKNOWN SINGLE UNDEFINED 0

SQL> administer key management create keystore '/u01/app/orcl/admin/PRF8SPE/TDE' identified by Passw0rd;

SQL> !ls -ltr /u01/app/orcl/admin/PRF8SPE/TDE


total 4
-rw------- 1 orcl asmadmin 2408 Jun 18 12:50 ewallet.p12

SQL> select * from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER
STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- ------------------------------------------------------------
------------------------------ -------------------- --------- --------- ----------
FILE /u01/app/orcl/admin/PRF8SPE/TDE/
CLOSED UNKNOWN SINGLE UNDEFINED 0

3. Open the keystore:

SQL> administer key management set keystore open identified by Passw0rd;

keystore altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER
STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- ------------------------------------------------------------
------------------------------ -------------------- --------- --------- ----------
FILE /u01/app/orcl/admin/PRF8SPE/TDE/
OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED 0

4. Create the master key (set the encryption key):

SQL> SELECT con_id, key_id FROM v$encryption_keys;

no rows selected

SQL> administer key management create key identified by Passw0rd with backup;

keystore altered.

Now check the v$encryption_keys view to confirm that the keystore is enabled. WITH
BACKUP creates a backup of the software keystore; the backup is taken before the new
master encryption key is created.

SQL> SELECT con_id, key_id FROM v$encryption_keys;

CON_ID KEY_ID
----------
------------------------------------------------------------------------------
0 AQPpSXB7Yk9lv4rN8d/uEH0AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

5. In order to create an encrypted table/tablespace the master key should be activated:

SQL> administer key management use key 'AQPpSXB7Yk9lv4rN8d/uEH0AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' identified by Passw0rd with backup;

keystore altered.

SQL> select key_id,activation_time from v$encryption_keys;

KEY_ID                                               ACTIVATION_TIME
---------------------------------------------------- -----------------------------------
AQPpSXB7Yk9lv4rN8d/uEH0AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 18-JUN-19 06.03.51.156861 PM +00:00

Note: One can run the statement "administer key management set encryption key
identified by ... " instead of the commands from steps 4) and 5). This creates and
activates the encryption key at the same time.

After the master key is activated, the status of the wallet changes to "OPEN":

SQL> select * from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER
STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- ------------------------------------------------------------
------------------------------ -------------------- --------- --------- ----------
FILE /u01/app/orcl/admin/PRF8SPE/TDE/
OPEN PASSWORD SINGLE NO 0

The wallet type is a password-based software keystore. As the name suggests, this
type of keystore is protected by a password, and the password is required to open
the keystore and retrieve the encryption keys.

6. TDE implementation in the Oracle 12c database:

SQL> CREATE TABLESPACE TS_APPSPE DATAFILE '+DATA' SIZE 20G ENCRYPTION USING
'AES256' DEFAULT STORAGE(ENCRYPT);

Tablespace created.

SQL> CREATE TABLESPACE TS_ORGSPE DATAFILE '+DATA' SIZE 20G ENCRYPTION USING
'AES256' DEFAULT STORAGE(ENCRYPT);

Tablespace created.

SQL> CREATE TABLESPACE TS_DEPSPE DATAFILE '+DATA' SIZE 20G ENCRYPTION USING
'AES256' DEFAULT STORAGE(ENCRYPT);

Tablespace created.

SQL> CREATE TABLESPACE TS_ECSPE DATAFILE '+DATA' SIZE 20G ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);

Tablespace created.

SQL> CREATE TABLESPACE TS_CFSPE DATAFILE '+DATA' SIZE 20G ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);

Tablespace created.

SQL> CREATE TABLESPACE TS_XNGSPE DATAFILE '+DATA' SIZE 20G ENCRYPTION USING
'AES256' DEFAULT STORAGE(ENCRYPT);

Tablespace created.

SQL> CREATE TABLESPACE TS_CREGSPE DATAFILE '+DATA' SIZE 20G ENCRYPTION USING
'AES256' DEFAULT STORAGE(ENCRYPT);

Tablespace created.

SQL> select name from v$datafile;

NAME
-----------------------------------------------------------------------------------
-----------------------------------------------------------
+DATA/PRF8SPE/DATAFILE/system.257.1009023169
+DATA/PRF8SPE/DATAFILE/ts_orgspe.267.1011273203
+DATA/PRF8SPE/DATAFILE/sysaux.258.1009023209
+DATA/PRF8SPE/DATAFILE/undotbs1.259.1009023235
+DATA/PRF8SPE/DATAFILE/ts_appspe.268.1011273167
+DATA/PRF8SPE/DATAFILE/users.260.1009023235
+DATA/PRF8SPE/DATAFILE/ts_depspe.269.1011273245
+DATA/PRF8SPE/DATAFILE/ts_ecspe.270.1011273283
+DATA/PRF8SPE/DATAFILE/ts_cfspe.271.1011273311
+DATA/PRF8SPE/DATAFILE/ts_xngspe.272.1011273347
+DATA/PRF8SPE/DATAFILE/ts_cregspe.273.1011273379
11 rows selected.

SQL> !pwd
/u01/app/orcl/product/12.2.0/dbhome_1/network/admin

SQL> !ls -ltr /u01/app/orcl/admin/PRF8SPE/TDE


total 12
-rw------- 1 orcl asmadmin 2408 Jun 18 12:56 ewallet_2019061817563201.p12
-rw------- 1 orcl asmadmin 3656 Jun 18 13:03 ewallet_2019061818035109.p12
-rw------- 1 orcl asmadmin 3848 Jun 18 13:03 ewallet.p12

SQL> startup force;


ORACLE instance started.

Total System Global Area 2.0267E+10 bytes


Fixed Size 19247976 bytes
Variable Size 3355446424 bytes
Database Buffers 1.6844E+10 bytes
Redo Buffers 47857664 bytes
Database mounted.
ORA-28365: wallet is not open

SQL> select open_mode from v$database;

OPEN_MODE
--------------------
MOUNTED

Reopen the keystore: Here the wallet_type is PASSWORD, i.e. every time we restart
the database, we need to open the key/wallet separately. To overcome this, we can
enable auto-login, so that the next time the database restarts, it opens the wallet
automatically.

SQL> administer key management set keystore open identified by Passw0rd;

keystore altered.

SQL> select open_mode from v$database;

OPEN_MODE
--------------------
MOUNTED

SQL> alter database open;

Database altered.

SQL> select open_mode from v$database;

OPEN_MODE
--------------------
READ WRITE

SQL> select tablespace_name,encrypted from dba_tablespaces;

TABLESPACE_NAME ENC
------------------------------ ---
SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
TS_CFSPE YES
TS_APPSPE YES
TS_ORGSPE YES
TS_DEPSPE YES
TS_ECSPE YES
TS_XNGSPE YES
TS_CREGSPE YES

12 rows selected.

Auto-login software keystore:

This kind of keystore is protected by a system-generated password and does not need
to be opened explicitly, because it opens automatically.

administer key management create auto_login keystore from keystore '/u01/app/orcl/admin/PRF8SPE/TDE' identified by Passw0rd;

As soon as we execute the above statement, a cwallet.sso file is created in the
keystore directory. Once we have an AUTOLOGIN keystore, there is no need to open the
keystore for individual pluggable databases, because the auto-login keystore opens
automatically for all pluggable databases as well.

SQL> !ls -ltr /u01/app/orcl/admin/PRF8SPE/TDE


total 16
-rw------- 1 orcl asmadmin 2408 Jun 18 12:56 ewallet_2019061817563201.p12
-rw------- 1 orcl asmadmin 3656 Jun 18 13:03 ewallet_2019061818035109.p12
-rw------- 1 orcl asmadmin 3848 Jun 18 13:03 ewallet.p12
-rw------- 1 orcl asmadmin 3891 Jun 18 13:28 cwallet.sso
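
An added example, not part of the original runbook: a shell check of the keystore directory created in step 1 and listed above. It flags a directory or wallet file that is accessible beyond its owner and reports an auto-login cwallet.sso so that its presence is a deliberate choice; the function names and output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a TDE software keystore directory (names are illustrative).

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Prints one finding per line; exit status 0 = clean, 1 = findings, 2 = no such dir.
audit_keystore_dir() (
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "MISSING $dir"; exit 2; }

    # mkdir -p applies the caller's umask, so the directory is often 755.
    mode=$(mode_of "$dir")
    case $mode in
        *00) ;;
        *) echo "DIR_MODE $mode $dir"; findings=1 ;;
    esac

    # Live keystore, its timestamped backups, and the auto-login keystore.
    for f in "$dir"/ewallet*.p12 "$dir"/cwallet.sso; do
        [ -e "$f" ] || continue
        mode=$(mode_of "$f")
        case $mode in
            *00) ;;
            *) echo "FILE_MODE $mode $f"; findings=1 ;;
        esac
    done

    # cwallet.sso opens without the keystore password: report it for review.
    if [ -e "$dir/cwallet.sso" ]; then
        echo "AUTO_LOGIN $dir/cwallet.sso"
        findings=1
    fi

    [ "$findings" -eq 0 ]
)

# Run against a directory given on the command line, e.g. the page's TDE path.
if [ "$#" -gt 0 ]; then
    audit_keystore_dir "$1"
fi
```

Where auto-login is required, Oracle also offers a LOCAL AUTO_LOGIN keystore, which cannot be opened on a different host.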

SQL> startup force;


ORACLE instance started.

Total System Global Area 2.0267E+10 bytes


Fixed Size 19247976 bytes
Variable Size 3355446424 bytes
Database Buffers 1.6844E+10 bytes
Redo Buffers 47857664 bytes
Database mounted.
Database opened.
SQL> select name from v$database;

NAME
---------
PRF8SPE

nohup impdp \"/ as sysdba\" DIRECTORY=DATA_PUMP_DIR \
  dumpfile=expdp_perf8spe_full06132019.dmp logfile=impdp_perf8spe_full06172019.log \
  schemas=CFXNGSPE,CFDEPSPE,CFSPE,CFECSPE,CFORGSPE,CFAPPSPE,CFCREGSPE \
  TABLE_EXISTS_ACTION=REPLACE &

nohup impdp \"/ as sysdba\" DIRECTORY=DATA_PUMP_DIR \
  dumpfile=expdp_perf8spe_full06132019.dmp logfile=impdp_CFXNGSPE.log \
  REMAP_TABLESPACE=TS_CFQA:TS_XNGSPE schemas=CFXNGSPE TABLE_EXISTS_ACTION=REPLACE &

nohup impdp \"/ as sysdba\" DIRECTORY=DATA_PUMP_DIR \
  dumpfile=expdp_perf8spe_full06132019.dmp logfile=impdp_CFCREGSPE.log \
  REMAP_TABLESPACE=TS_CFQA:TS_CREGSPE schemas=CFCREGSPE TABLE_EXISTS_ACTION=REPLACE &

nohup impdp \"/ as sysdba\" DIRECTORY=DATA_PUMP_DIR \
  dumpfile=expdp_perf8spe_full06132019.dmp logfile=impdp_CFAPPSPE.log \
  REMAP_TABLESPACE=TS_CFQA:TS_APPSPE schemas=CFAPPSPE TABLE_EXISTS_ACTION=REPLACE &

nohup impdp \"/ as sysdba\" DIRECTORY=DATA_PUMP_DIR \
  dumpfile=expdp_perf8spe_full06132019.dmp logfile=impdp_CFSPE.log \
  REMAP_TABLESPACE=TS_CFQA:TS_CFSPE schemas=CFSPE TABLE_EXISTS_ACTION=REPLACE &

nohup impdp \"/ as sysdba\" DIRECTORY=DATA_PUMP_DIR \
  dumpfile=expdp_perf8spe_full06132019.dmp logfile=impdp_CFORGSPE.log \
  REMAP_TABLESPACE=TS_CFQA:TS_ORGSPE schemas=CFORGSPE TABLE_EXISTS_ACTION=REPLACE &

nohup impdp \"/ as sysdba\" DIRECTORY=DATA_PUMP_DIR \
  dumpfile=expdp_perf8spe_full06132019.dmp logfile=impdp_CFDEPSPE.log \
  REMAP_TABLESPACE=TS_CFQA:TS_DEPSPE schemas=CFDEPSPE TABLE_EXISTS_ACTION=REPLACE &

nohup impdp \"/ as sysdba\" DIRECTORY=DATA_PUMP_DIR \
  dumpfile=expdp_perf8spe_full06132019.dmp logfile=impdp_CFECSPE.log \
  REMAP_TABLESPACE=TS_CFQA:TS_ECSPE schemas=CFECSPE TABLE_EXISTS_ACTION=REPLACE &

select a.table_name, a.tablespace_name from dba_tables a, dba_tablespaces b where
a.tablespace_name = b.tablespace_name and b.encrypted = 'YES';

select a.index_name, a.tablespace_name from dba_indexes a, dba_tablespaces b where
a.tablespace_name = b.tablespace_name and b.encrypted = 'YES' and index_name not
like 'SYS_IL%';

SELECT NAME, ENCRYPTIONALG ENCRYPTEDTS FROM V$ENCRYPTED_TABLESPACES, V$TABLESPACE
WHERE V$ENCRYPTED_TABLESPACES.TS# = V$TABLESPACE.TS#;

NAME ENCRYPT
------------------------------ -------
TS_APPSPE AES256
TS_ORGSPE AES256
TS_DEPSPE AES256
TS_ECSPE AES256
TS_CFSPE AES256
TS_XNGSPE AES256
TS_CREGSPE AES256

7 rows selected.
