Oracle Wallet Autologin - can't move it to another machine? (Oracle RDBMS 11gR2) [message #577898] Thu, 21 February 2013 10:05
gatsby
Messages: 21
Registered: March 2006
Junior Member
I'm reviewing the method of setting up transparent data encryption (TDE) and the role Oracle Wallet plays in that process. One statement that caught my attention was this statement in the documentation:

Quote:
You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another computer. They must be used on the host on which they are created.


Source: http://docs.oracle.com/cd/E11882_01/network.112/e10746/asotrans.htm#autoId8

Does anyone have insight into why an auto-login wallet can't be moved to another computer? For example, if my Oracle database server goes down and I'm in a recovery situation, would an autologin Oracle wallet file restored from tape not work? Perhaps it's something obvious, but I'm still looking for more info so insight would be appreciated.

[Updated on: Thu, 21 February 2013 10:06]

Re: Oracle Wallet Autologin - can't move it to another machine? [message #577905 is a reply to message #577898] Thu, 21 February 2013 10:20
Michel Cadot
Messages: 58487
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
As a small security point.
You cannot then use a wallet you have generated on your PC to get encrypted data.

Regards
Michel
Re: Oracle Wallet Autologin - can't move it to another machine? [message #577922 is a reply to message #577905] Thu, 21 February 2013 16:03
gatsby
Messages: 21
Registered: March 2006
Junior Member
So no Oracle wallet file can be moved and re-used on another machine, regardless of whether it is auto-login or not?

For example, I have "Server A" which houses some encrypted tablespaces. Server A's hardware fails completely so I have to bring up a new server..."Server B": fresh OS, fresh install of Oracle 11g, etc. I have a tape backup of the Oracle wallet file and my datapump, RMAN backups. These backups have been encrypted using the Oracle wallet historically used on Server A.

If I restore my copy of the Oracle wallet file from tape to "Server B", I can't use it to decrypt my data that I now have only existing on tape, due to the failure of Server A?

Here's what I'm seeing in a simulated attempt at moving a copy of the Oracle wallet file from Server A to Server B in my test lab. I seem to be able to open the Oracle wallet file using my expected password while on Server B, but I can't create any new tablespaces.

SQL> alter system set encryption wallet open identified by "mypass";

System altered.

SQL> create tablespace myTable
2 datafile '/var/oracle/oradata/myDB/myTable.dbf'
3 size 150M
4 encryption
5 default storage(encrypt);
create tablespace myTable
*
ERROR at line 1:
ORA-28374: typed master key not found in wallet

If the Oracle wallet can't be "plugged in" to another server as long as the password is known, doesn't this mean the data can't be recovered if it's encrypted and the original server goes down?

[Updated on: Thu, 21 February 2013 16:05]

Re: Oracle Wallet Autologin - can't move it to another machine? [message #577956 is a reply to message #577922] Fri, 22 February 2013 01:29
Michel Cadot
Messages: 58487
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
So no Oracle wallet file can be moved and re-used on another machine, regardless of whether it is auto-login or not?


Only auto-login, afaik. I used other ones for Oracle Secure Password Store, generating them anywhere with no problem.
I never tried to generate a wallet for TDE on another server; maybe you can do it and tell us the answer.

Quote:
If the Oracle wallet can't be "plugged in" to another server as long as the password is known, doesn't this mean the data can't be recovered if it's encrypted and the original server goes down?


Maybe Oracle has a way, I have not. Oracle does not say what on the server the key is based on.
Why not use a non-auto-login wallet?
You can open it in a database startup trigger, so you have the same feature as with an auto-login wallet.

Regards
Michel
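The startup-trigger approach Michel describes, written out as an added example (this is not code from the thread or from Oracle's documentation). It assumes a password-protected, non-auto-login wallet, that the objects are created as SYS (so the V$ENCRYPTION_WALLET read inside PL/SQL works), and uses placeholder names: the procedure SEC_OPEN_TDE_WALLET, the trigger SEC_OPEN_TDE_WALLET_TRG and the password string WALLET_PASSWORD_PLACEHOLDER are all invented for this example.

```sql
-- Added example: open a non-auto-login TDE wallet at database startup.
-- All object names and the password value are placeholders for this example.

-- 1. Put the ALTER SYSTEM in a procedure rather than directly in the trigger body.
--    Procedures can be obfuscated with the wrap utility; trigger bodies cannot,
--    and a trigger body is readable by anyone who can query DBA_TRIGGERS.
CREATE OR REPLACE PROCEDURE sec_open_tde_wallet AS
  v_status VARCHAR2(30);
BEGIN
  -- Only attempt the open when the wallet is actually closed, so the
  -- trigger is harmless if the wallet was already opened by hand.
  SELECT status
    INTO v_status
    FROM v$encryption_wallet
   WHERE ROWNUM = 1;

  IF v_status = 'CLOSED' THEN
    EXECUTE IMMEDIATE
      'ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WALLET_PASSWORD_PLACEHOLDER"';
  END IF;
END;
/

-- 2. Fire the procedure every time the database is opened.
CREATE OR REPLACE TRIGGER sec_open_tde_wallet_trg
  AFTER STARTUP ON DATABASE
BEGIN
  sec_open_tde_wallet;
END;
/

-- 3. Verification after the next startup: STATUS should read OPEN.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;
```

The trade-off compared with an auto-login wallet is where the secret lives: here the wallet password is stored inside the database (in the procedure source, visible through DBA_SOURCE unless the procedure is wrapped before it is loaded), whereas an auto-login wallet keeps it in the cwallet.sso file on the host, which is exactly what ties it to that host. Until the trigger has run, the encrypted tablespaces are open but their data is inaccessible, which is the same window an unopened password wallet would leave.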