OGG WALLET TDE

-- How is the master key used in TDE encryption? 

Transparent data encryption implements two levels of encryption in the database: the actual data is encrypted with an encryption key, and that encryption key is in turn encrypted with the master key. The data is encrypted with a randomly generated encryption key using the configured algorithm; if no algorithm is specified with the ENCRYPT clause when the encrypted database object is created, the default is AES192 for column encryption and AES128 for tablespace encryption. This randomly generated encryption key is encrypted with the master key and stored inside the database; this second-level encryption is done with AES256. The TDE master key is always AES256 and cannot currently be changed. The master key is stored outside the database, in a wallet or a hardware security module (HSM).

-- How is the master key accessed by the database?

If the wallet is an auto-login wallet, the wallet is opened and the master key loaded into memory the first time an encrypted object is accessed. If the wallet is not auto-login, it must be opened with the command below before encrypted data can be decrypted:

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet_password>";

When this command is issued, the wallet is opened and the master key is loaded into the SGA. Once opened, the wallet remains open until it is closed explicitly or the database is shut down, so the master key stays in memory for all subsequent encryption and decryption operations.

A side effect of this design is that even if the wallet is removed or moved, encryption and decryption operations continue without errors, using the master key held in memory. However, if an attempt is made to reset the master key, a new wallet containing a master key is created, but the error "ORA-28362: master key not found" is raised. The master key is flushed from memory when the wallet is closed explicitly or the database is shut down.

-- Will the existing encrypted data be re-encrypted when the Master Key is reset?

When the master key is reset, a new master key is generated and stored in the wallet alongside the old one, and all further encryption operations use the new master key. The existing encrypted data in the database is not re-encrypted, because that data was encrypted with the randomly generated encryption key, not with the master key directly. Instead, the encryption key used for the user data (the key protected by the second level of encryption) is decrypted with the old master key, re-encrypted with the newly generated master key, and stored in the database.

This is also why wallets should never be deleted or moved: a newly generated wallet will contain a new master key, which cannot be used to decrypt the existing encrypted data.
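The two-level scheme and the effect of a master key reset, as an added model written for this page (not Oracle's TDE implementation): AES-GCM stands in for the TDE cipher modes, key sizes follow the text (192-bit data key, 256-bit master key), and the function names are the author's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// must panics on errors that only a programming mistake or a broken platform can produce.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// randomKey returns n random bytes: 24 for the 192-bit DEK, 32 for the 256-bit master key.
func randomKey(n int) []byte {
	k := make([]byte, n)
	must(rand.Read(k))
	return k
}
// gcm builds AES-GCM (a stand-in for the TDE cipher modes); seal prepends a 12-byte nonce, open reverses it.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func seal(key, pt []byte) []byte {
	nonce := randomKey(12)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) { return gcm(key).Open(nil, ct[:12], ct[12:], nil) }
// Encrypt is the two-level scheme from the text: a random DEK encrypts the data, the master key wraps the DEK.
func Encrypt(master, plaintext []byte) (ciphertext, wrappedDEK []byte) {
	dek := randomKey(24)
	return seal(dek, plaintext), seal(master, dek)
}
// Decrypt unwraps the DEK first, so a wrong or missing master key fails before any data is read.
func Decrypt(master, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(master, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
// RewrapDEK models a master key reset: the DEK moves to the new master key; the data ciphertext is not even an input.
func RewrapDEK(oldMaster, newMaster, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldMaster, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newMaster, dek), nil
}
```

After a rekey the original ciphertext still decrypts under the new master key, while the old master key no longer unwraps the DEK; this is the same reason a replaced wallet cannot decrypt existing data.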

Reposted from blog.csdn.net/j_ychen/article/details/83894901