
Oracle Transparent Data Encryption (TDE) Wallet Setup

What It Is, How It Works, and Best Practices
By Vijayganesh Sivaprakasam |
February 8, 2026 |


Oracle Transparent Data Encryption (TDE) protects data at rest—but that protection depends entirely on how encryption keys are managed.

At the centre of this is the TDE wallet (keystore).

If the wallet is misconfigured, unavailable, or lost, your encrypted database cannot be accessed or recovered.

Here I explain:

 

This is Blog #4 in a deep dive into Oracle TDE. Earlier in the series:
  • Blog #2    What is Oracle TDE

What is an Oracle TDE wallet?

An Oracle TDE wallet (keystore) is a secure container that stores the master encryption keys used to encrypt and decrypt database data.

These master keys protect:

  • Tablespace encryption keys
  • Column encryption keys

Without the wallet, encrypted data cannot be accessed—even by the database itself.


Why TDE wallet management matters

TDE is only as secure—and available—as its wallet configuration.
 
If the wallet is:
  • Missing
  • Corrupted
  • Not accessible
Then:
  • The database cannot be opened
  • Recovery operations fail
  • Data becomes permanently inaccessible

TDE wallet management is critical for both security and database continuity.

How do you set up an Oracle TDE wallet?

Setting up a TDE wallet involves five key steps:

  1. Configure wallet location and parameters
  2. Create the keystore
  3. Open the wallet
  4. Set the master encryption key
  5. (Optional) Configure auto-login

These steps enable Oracle Database to manage encryption keys securely.


Types of TDE Wallets

Oracle Database supports three primary types of TDE wallets:

1. Password-Protected Wallet (ewallet.p12)

  • File name: ewallet.p12 (PKCS#12 standard)
  • Requires manual password entry to open the wallet
  • Must be explicitly opened after each database startup
  • Highest security option, as it prevents automatic access
  • Required for master key operations (rotation, rekeying)

2. Auto-Login Wallet (cwallet.sso)

  • File name: cwallet.sso (Single Sign-On)
  • Opens automatically on database startup without a password
  • Can be used on multiple machines
  • Created from a password-protected wallet
  • Important: you must retain the ewallet.p12 file for key management operations

3. Local Auto-Login Wallet

  • Similar to auto-login but with additional machine binding
  • Can only be opened on the machine where it was created
  • Uses host-specific factors for additional security
  • Recommended for production environments requiring both convenience and security


TDE wallet setup (step-by-step)

Step 1: Configure wallet location

Before creating any keystores, you must configure the WALLET_ROOT and TDE_CONFIGURATION parameters:

-- Set wallet root directory (static parameter: SPFILE scope only)
ALTER SYSTEM SET WALLET_ROOT='/u01/app/oracle/wallet' SCOPE=SPFILE;

-- Configure TDE to use a file-based keystore
ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=FILE' SCOPE=SPFILE;

-- Restart the database for the changes to take effect

Important: The TDE wallet must be stored in a subdirectory named 'tde' under WALLET_ROOT. Oracle Database will automatically create this directory structure when you create the keystore.


Step 2: Create the keystore

-- Create the TDE keystore directory (SQL*Plus host command; only needed if it was not created automatically)
!mkdir -p /u01/app/oracle/wallet/tde

-- Create the password-protected keystore (ewallet.p12 under WALLET_ROOT/tde)
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY 'YourSecurePassword';

Critical: Never forget your wallet password! Without it, you cannot perform key management operations or recover your data. Store the password securely in your organisation's password vault.


Step 3: Open the wallet
Before encryption operations can be performed, the TDE wallet must be opened. This step makes the master encryption key available to the database.

-- Open the keystore in the root and all PDBs (run from CDB$ROOT)
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY 'YourSecurePassword' CONTAINER=ALL;

If the TDE wallet is not open:

- Encrypted data cannot be decrypted
- Queries against encrypted tablespaces may fail
- Database startup can be blocked in some configurations

This is one of the most common operational issues when implementing TDE.

 


Step 4: Set the Master Encryption Key

-- Create the master encryption key; WITH BACKUP writes a backup copy of the wallet first
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY 'YourSecurePassword' WITH BACKUP CONTAINER=ALL;


Step 5: Create Auto-Login Wallet (Optional)

For production environments where automatic wallet opening is desired, create an auto-login wallet:

-- Create a standard auto-login wallet (cwallet.sso)
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY 'YourSecurePassword';

-- OR create a local auto-login wallet (recommended: bound to this host)
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY 'YourSecurePassword';


Step 6: Verify Wallet Status

-- Check wallet status (expect STATUS = OPEN and WALLET_TYPE matching the wallet you created)
SELECT * FROM V$ENCRYPTION_WALLET;
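A fuller version of the Step 6 check, added here as an example and not taken from the original post or from any Oracle-supplied script: it reads the same V$ENCRYPTION_WALLET view but names the columns that matter and turns the status into a plain verdict. Run it as SYSDBA in CDB$ROOT, and run it on a Data Guard standby too, since the wallet must be open there before a failover can succeed. The view and column names are Oracle's; the verdict strings are my own.

```sql
-- Added example: interpret V$ENCRYPTION_WALLET per container.
-- Healthy state after Steps 1-5: STATUS = OPEN, FULLY_BACKED_UP = YES,
-- WALLET_TYPE = PASSWORD (or AUTOLOGIN / LOCAL_AUTOLOGIN after Step 5).
SELECT con_id,
       wrl_type,          -- FILE for a keystore under WALLET_ROOT
       wrl_parameter,     -- resolved keystore path, should end in /tde/
       status,            -- OPEN, CLOSED, OPEN_NO_MASTER_KEY, NOT_AVAILABLE ...
       wallet_type,       -- PASSWORD, AUTOLOGIN, LOCAL_AUTOLOGIN
       keystore_mode,     -- UNITED or ISOLATED (multitenant, 18c+)
       fully_backed_up,   -- NO means a SET KEY or rekey ran without WITH BACKUP
       CASE
         WHEN status = 'OPEN' AND fully_backed_up = 'YES'
           THEN 'OK'
         WHEN status = 'OPEN' AND fully_backed_up = 'NO'
           THEN 'Open, but master key has no wallet backup: back up the wallet'
         WHEN status = 'OPEN_NO_MASTER_KEY'
           THEN 'Wallet open but no master key set for this container (Step 4)'
         WHEN status = 'CLOSED'
           THEN 'Run ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN (Step 3)'
         WHEN status = 'NOT_AVAILABLE'
           THEN 'No keystore found under WALLET_ROOT/tde (Steps 1-2)'
         ELSE 'Investigate: ' || status
       END AS check_result
FROM   v$encryption_wallet
WHERE  wrl_type = 'FILE'
ORDER BY con_id;
```

Any row other than OK on the standby is exactly the "wallet not available at the standby site" failure the disaster recovery section below warns about.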


TDE wallet setup summary

To configure a TDE wallet in Oracle Database:

1. Set WALLET_ROOT and TDE configuration
2. Create the keystore
3. Open the wallet
4. Set the master encryption key
5. Configure auto-login (optional)

These steps enable encryption and secure key management.


TDE wallets and disaster recovery

TDE wallets are critical in disaster recovery.
 
If the wallet is not available at the standby site:
  • The database cannot be opened
  • Recovery fails
  • Failover becomes impossible

In hybrid environments, wallet management must be consistent across systems. This is a common failure point in Oracle DR architectures.

TDE wallet best practices

Password management

  • Never store passwords in scripts
  • Use secure password vaults
  • Maintain recovery procedures


Wallet file protection

  • Restrict permissions (600/700)
  • Store on encrypted file systems
  • Backup wallets securely

Key management

  • Always use WITH BACKUP
  • Rotate keys regularly
  • Retain historical keys
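The three key-management practices above can be audited from V$ENCRYPTION_KEYS. This query is an added example, not from the original post; the view and column names are Oracle's, and the 365-day rotation threshold is an assumed policy value, not something the post states.

```sql
-- Added example: master key history per container.
-- backed_up = NO means the key was created without WITH BACKUP and exists
-- only in the live ewallet.p12. Historical keys must never be removed from
-- the wallet: older backups and archived redo were encrypted under them.
SELECT con_id,
       key_id,
       tag,                -- free-text tag given at SET KEY / rekey time, if any
       creation_time,
       activation_time,
       key_use,            -- TDE for database master keys
       backed_up,          -- YES / NO
       CASE WHEN RANK() OVER (PARTITION BY con_id
                              ORDER BY activation_time DESC) = 1
            THEN 'CURRENT' ELSE 'HISTORICAL' END AS key_state
FROM   v$encryption_keys
ORDER BY con_id, activation_time DESC;

-- Rotation check: containers whose current key is older than the policy
-- threshold (assumed here to be 365 days; set it to your own policy).
SELECT con_id,
       MAX(activation_time)                                  AS current_key_activated,
       ROUND(SYSDATE - CAST(MAX(activation_time) AS DATE))   AS days_since_rotation
FROM   v$encryption_keys
GROUP BY con_id
HAVING SYSDATE - CAST(MAX(activation_time) AS DATE) > 365;
```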

Production recommendations

  • Use local auto-login wallets
  • Separate wallet locations per database
  • Test disaster recovery regularly
  • Monitor wallet status

Oracle Database 26ai changes to TDE wallets

Oracle AI Database 26ai introduces several significant changes to TDE wallet management and encryption capabilities. Understanding these changes is crucial for planning upgrades and ensuring security compliance.

Deprecated and Desupported Parameters

ENCRYPTION_WALLET_LOCATION Desupported

  • The ENCRYPTION_WALLET_LOCATION parameter is completely desupported in 26ai

  • You must use WALLET_ROOT structure (introduced in Oracle Database 18c)

  • Critical: If TDE is enabled but WALLET_ROOT is not configured, you will be blocked from upgrading to 26ai

WALLET_LOCATION Deprecated (Server Only)

  • WALLET_LOCATION is deprecated for Oracle Database server use

  • It remains supported for client and listener configurations


Wallet Management Tool Changes

Oracle Wallet Manager (OWM) Desupported

  • The GUI-based Oracle Wallet Manager is no longer available

  • Oracle recommends using the orapki command-line tool instead

mkstore Deprecated

  • The mkstore utility is deprecated in Oracle 26ai

  • Use orapki for wallet and certificate management

  • Note: For TDE keystore management, continue using ADMINISTER KEY MANAGEMENT statements


Enhanced Encryption Algorithms and Modes

Default Algorithm Changed to AES256

  • Previous default for column encryption: AES192

  • Previous default for tablespace encryption: AES128

  • New default for both: AES256 (stronger security)

New Encryption Modes

  • Column encryption: Now uses Galois/Counter Mode (GCM) instead of Cipher Block Chaining (CBC)

  • Tablespace encryption: Now uses tweakable block ciphertext stealing (XTS) instead of Cipher Feedback (CFB)

  • XTS provides improved security and better performance, especially with parallel processing

  • RMAN integrity checks now use SHA512 instead of SHA1

Deprecated Algorithms

  • GOST and SEED algorithms are deprecated

  • Decryption libraries remain available for existing data

  • New encryption keys cannot use these algorithms
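An added example (not from the original post) of pre-upgrade checks for the parameter and algorithm changes above: confirm that WALLET_ROOT and TDE_CONFIGURATION are set, then list encrypted tablespaces and columns whose algorithm is deprecated (GOST, SEED) or below the new AES256 default. The view and column names are Oracle's; the action strings are my own.

```sql
-- 1. Wallet parameters. ENCRYPTION_WALLET_LOCATION lives in sqlnet.ora and is
--    not visible here; if TDE is in use and wallet_root is empty, move to
--    WALLET_ROOT (Step 1 of the setup) before attempting the 26ai upgrade.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('wallet_root', 'tde_configuration');

-- 2. Encrypted tablespaces by algorithm, names resolved through V$TABLESPACE.
SELECT e.con_id,
       t.name           AS tablespace_name,
       e.encryptionalg, -- AES128, AES192, AES256, 3DES168, SEED128, GOST256, ARIA...
       e.status,        -- NORMAL, ENCRYPTING, DECRYPTING, REKEYING
       CASE
         WHEN e.encryptionalg LIKE 'GOST%' OR e.encryptionalg LIKE 'SEED%'
           THEN 'DEPRECATED: rekey to AES256 before upgrade'
         WHEN e.encryptionalg <> 'AES256'
           THEN 'Below the new AES256 default: plan a rekey'
         ELSE 'OK'
       END AS action
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts# AND t.con_id = e.con_id
ORDER BY e.con_id, t.name;

-- 3. Encrypted columns (run inside each PDB). ENCRYPTION_ALG is reported in the
--    form 'AES 192 bits key', hence the pattern match.
SELECT owner, table_name, column_name, encryption_alg,
       CASE
         WHEN encryption_alg LIKE 'GOST%' OR encryption_alg LIKE 'SEED%'
           THEN 'DEPRECATED'
         WHEN encryption_alg NOT LIKE 'AES 256%'
           THEN 'Below AES256 default'
         ELSE 'OK'
       END AS action
FROM   dba_encrypted_columns
ORDER BY owner, table_name, column_name;
```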


Oracle Data Guard Enhancements

New TABLESPACE_ENCRYPTION Parameter (19.16)

  • Controls automatic encryption of tablespaces in primary and standby databases

  • Enables hybrid cloud disaster recovery where the cloud database is encrypted, but the on-premises database is not

DB_RECOVERY_AUTO_REKEY Support

  • Now available for Oracle Data Guard environments (26ai)

  • Controls whether the standby database automatically rekeys tablespaces during recovery


 


Conclusion

TDE wallet management is a foundational component of Oracle Database security, but it also has direct implications for availability, recovery, and operational resilience. As Oracle continues to evolve TDE with Oracle AI Database 26ai, introducing stronger encryption defaults, new modes, and deprecating legacy tools and parameters, organisations must ensure their wallet configurations are aligned with these changes.

The move to the WALLET_ROOT structure, the deprecation of utilities such as Oracle Wallet Manager and mkstore, and the adoption of AES256 with modern encryption modes reflect Oracle’s focus on strengthening database security. However, these changes also raise the importance of disciplined wallet management - including proper configuration, secure management practices, and thorough testing.

Remember that TDE is only as secure as your wallet management practices. Secure backups of your wallet files, careful password policies, the appropriate use of local auto-login wallets in production, and regular testing, including Disaster Recovery testing, are essential to avoid situations where your encrypted databases become unavailable at the moment you need them most. For enterprise environments, Oracle Key Vault can be considered for centralised key management and enhanced security.

By following the practices outlined in this blog, teams can implement and manage TDE wallets in a way that supports both strong security and reliable database continuity, while fully leveraging the enhancements available in Oracle AI Database 26ai.


Top 5 FAQs

1. What is an Oracle TDE wallet?

An Oracle TDE wallet is a secure keystore that stores the master encryption keys used to encrypt and decrypt database data.


2. How do you create a TDE wallet in Oracle?

You create a TDE wallet by configuring WALLET_ROOT, creating the keystore using ADMINISTER KEY MANAGEMENT, opening the wallet, and setting the master encryption key.


3. What are the types of TDE wallets?

Oracle supports password-protected wallets, auto-login wallets, and local auto-login wallets, each offering different levels of security and automation.


4. What happens if the TDE wallet is lost?

If the TDE wallet is lost, encrypted data cannot be decrypted, and the database cannot be opened or recovered.


5. Why is TDE wallet management important for disaster recovery?

TDE wallet management is critical because the wallet must be available at the recovery site; otherwise, failover and recovery operations will fail.





Vijayganesh Sivaprakasam

Oracle ACE Pro ; Head of Customer Services at Dbvisit Software

