Oracle Transparent Data Encryption (TDE) protects data at rest—but that protection depends entirely on how encryption keys are managed. At the centre of this is the TDE wallet (keystore). If the wallet is misconfigured, unavailable, or lost:
Your encrypted database cannot be accessed or recovered
Here I explain:
An Oracle TDE wallet (keystore) is a secure container that stores the master encryption keys used to encrypt and decrypt database data.
These master keys protect:
Without the wallet, encrypted data cannot be accessed—even by the database itself.
If the wallet is:
Then:
TDE wallet management is critical for both security and database continuity.
Setting up a TDE wallet involves five key steps:
1. Configure wallet location and parameters
2. Create the keystore
3. Open the wallet
4. Set the master encryption key
5. (Optional) Configure auto-login
These steps enable Oracle Database to manage encryption keys securely.
Oracle Database supports three primary types of TDE wallets:
1. Password-Protected Wallet (ewallet.p12)
• File name: ewallet.p12 (PKCS#12 standard)
• Requires manual password entry to open the wallet
• Must be explicitly opened after each database startup
• Highest security option as it prevents automatic access
• Required for master key operations (rotation, rekeying)
2. Auto-Login Wallet (cwallet.sso)
• File name: cwallet.sso (Single Sign-On)
• Opens automatically on database startup without a password
• Can be used on multiple machines
• Created from a password-protected wallet
• Important: You must retain the ewallet.p12 file for key management operations
3. Local Auto-Login Wallet
• Similar to auto-login but with additional machine binding
• Can only be opened on the machine where it was created
• Uses host-specific factors for additional security
• Recommended for production environments requiring both convenience and security
Before creating any keystores, you must configure the WALLET_ROOT and TDE_CONFIGURATION parameters:
-- Set wallet root directory
ALTER SYSTEM SET WALLET_ROOT='/u01/app/oracle/wallet' SCOPE=SPFILE;
-- Configure TDE to use file-based keystore
ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=FILE' SCOPE=SPFILE;
-- Restart the database for changes to take effect
Important: The TDE wallet must be stored in a subdirectory named 'tde' under WALLET_ROOT. Oracle Database will automatically create this directory structure when you create the keystore.
-- Create the TDE keystore directory (if not automatically created)
!mkdir -p /u01/app/oracle/wallet/tde
-- Create the password-protected keystore
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY 'YourSecurePassword';
Critical: Never forget your wallet password! Without it, you cannot perform key management operations or recover your data. Store the password securely in your organisation's password vault.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY 'YourSecurePassword' CONTAINER=ALL;
If the TDE wallet is not open:
- Encrypted data cannot be decrypted
- Queries against encrypted tablespaces may fail
- Database startup can be blocked in some configurations
This is one of the most common operational issues when implementing TDE.
-- Create the master encryption key with backup
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY 'YourSecurePassword' WITH BACKUP CONTAINER=ALL;
For production environments where automatic wallet opening is desired, create an auto-login wallet:
-- Create standard auto-login wallet
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY 'YourSecurePassword';
-- OR create a local auto-login wallet (recommended for better security)
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY 'YourSecurePassword';
-- Check wallet status
SELECT * FROM V$ENCRYPTION_WALLET;
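A post-setup verification, added here and not part of the original post, that turns the status query above into a check a DBA can run after every startup and, just as importantly, on the standby site before a switchover. It reads V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS to confirm the keystore is open in every container, that the wallet type in use is the one you intended, and that the current key has been backed up, then raises an error if any container's file keystore is not OPEN. It assumes the WALLET_ROOT layout configured above and a session in CDB$ROOT with SYSKM or SELECT privilege on the two views; the ORA-20001 number and its message text are this example's own choice.

```sql
-- Added example: verify TDE keystore state after setup (run from CDB$ROOT).

-- 1. Per-container keystore status. Expect STATUS = OPEN in every container,
--    WALLET_TYPE = PASSWORD, AUTOLOGIN or LOCAL_AUTOLOGIN depending on which
--    wallet was created, and FULLY_BACKED_UP = YES once every key in the
--    keystore has a backup.
SELECT con_id,
       wrl_type,
       wrl_parameter,          -- resolves to <WALLET_ROOT>/tde for FILE keystores
       status,
       wallet_type,
       fully_backed_up
  FROM v$encryption_wallet
 WHERE wrl_type = 'FILE'
 ORDER BY con_id;

-- 2. Master keys known to each container, newest first. BACKED_UP = NO means the
--    key was set without WITH BACKUP, or the last backup predates this key.
SELECT con_id,
       key_id,
       tag,
       creation_time,
       activation_time,
       backed_up
  FROM v$encryption_keys
 ORDER BY con_id, activation_time DESC;

-- 3. Hard check for startup scripts or monitoring: raise an error if any
--    container's file keystore is not OPEN. Statuses other than OPEN include
--    CLOSED, NOT_AVAILABLE and OPEN_NO_MASTER_KEY, all of which leave
--    encrypted tablespaces unreadable. PDB$SEED (CON_ID 2) is excluded because
--    it is read-only and holds no application data.
DECLARE
  v_not_open NUMBER;
BEGIN
  SELECT COUNT(*)
    INTO v_not_open
    FROM v$encryption_wallet
   WHERE wrl_type = 'FILE'
     AND con_id <> 2
     AND status <> 'OPEN';

  IF v_not_open > 0 THEN
    -- Error number and text are chosen for this example, not an Oracle-defined code.
    RAISE_APPLICATION_ERROR(-20001,
      v_not_open || ' container(s) have a TDE keystore that is not OPEN');
  END IF;
END;
/
```

Run step 3 from the same automation that starts the database (or from your monitoring) so that a closed wallet is reported before the first application query fails. On a Data Guard standby the wallet must return the same OPEN status; a query that succeeds on the primary and fails on the standby is exactly the DR failure mode described later in this post.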
TDE wallet setup summary
To configure a TDE wallet in Oracle Database:
1. Set WALLET_ROOT and TDE configuration
2. Create the keystore
3. Open the wallet
4. Set the master encryption key
5. Configure auto-login (optional)
These steps enable encryption and secure key management.
TDE wallets are critical in disaster recovery.
If the wallet is not available at the standby site:
In hybrid environments, wallet management must be consistent across systems. This is a common failure point in Oracle DR architectures.
Password management
Never store passwords in scripts
Use secure password vaults
Maintain recovery procedures
Always use WITH BACKUP
Rotate keys regularly
Retain historical keys
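An added rotation procedure, not from the original post, that applies the "Always use WITH BACKUP" and "Retain historical keys" rules above: it backs up the keystore as it stands, sets a new tagged master key in all containers with a backup taken in the same statement, and reads the result back. FORCE KEYSTORE lets the statements run when an auto-login keystore is the one currently open. The password, tag and backup identifiers are placeholders.

```sql
-- Added example: master key rotation with backups (run from CDB$ROOT as SYSKM).
-- The password, tag and backup identifiers below are placeholders.

-- 1. Back up the keystore before touching it. Oracle writes the copy next to
--    ewallet.p12 as ewallet_<timestamp>_<identifier>.p12. It contains every
--    historical key, which is what keeps old RMAN backups and archived redo readable.
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE
  USING 'pre_rotation'
  FORCE KEYSTORE
  IDENTIFIED BY 'YourSecurePassword';

-- 2. Create and activate a new master key in every container. WITH BACKUP makes
--    Oracle copy the keystore again as part of the same statement, so the new key
--    is never the only copy. USING TAG records why the key was created for audits.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'quarterly-rotation'
  FORCE KEYSTORE
  IDENTIFIED BY 'YourSecurePassword'
  WITH BACKUP USING 'post_rotation'
  CONTAINER = ALL;

-- 3. Confirm the rotation: the newest ACTIVATION_TIME per container should carry
--    the new tag with BACKED_UP = YES, and the older keys must still be listed.
--    Rotation adds a key; it never removes one, so historical keys are retained
--    in the keystore and in the two backups just taken.
SELECT con_id, key_id, tag, activation_time, backed_up
  FROM v$encryption_keys
 ORDER BY con_id, activation_time DESC;
```

When this is scripted, the "Never store passwords in scripts" rule can be met with IDENTIFIED BY EXTERNAL STORE in place of the literal password, which makes Oracle read the keystore password from the secure external password store kept under WALLET_ROOT (the tde_seps directory); the script then holds no secret at all. Copy the backup files produced in steps 1 and 2 to the standby site and to your wallet backup location as part of the same change.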
Oracle AI Database 26ai introduces several significant changes to TDE wallet management and encryption capabilities. Understanding these changes is crucial for planning upgrades and ensuring security compliance.
ENCRYPTION_WALLET_LOCATION Desupported
The ENCRYPTION_WALLET_LOCATION parameter is completely desupported in 26ai
You must use WALLET_ROOT structure (introduced in Oracle Database 18c)
Critical: If TDE is enabled but WALLET_ROOT is not configured, you will be blocked from upgrading to 26ai
WALLET_LOCATION Deprecated (Server Only)
WALLET_LOCATION is deprecated for Oracle Database server use
It remains supported for client and listener configurations
Oracle Wallet Manager (OWM) Desupported
The GUI-based Oracle Wallet Manager is no longer available
Oracle recommends using the orapki command-line tool instead
mkstore Deprecated
The mkstore utility is deprecated in Oracle 26ai
Use orapki for wallet and certificate management
Note: For TDE keystore management, continue using ADMINISTER KEY MANAGEMENT statements
Default Algorithm Changed to AES256
Previous default for column encryption: AES192
Previous default for tablespace encryption: AES128
New default for both: AES256 (stronger security)
New Encryption Modes
Column encryption: Now uses Galois/Counter Mode (GCM) instead of Cipher Block Chaining (CBC)
Tablespace encryption: Now uses tweakable block ciphertext stealing (XTS) instead of Cipher Feedback (CFB)
XTS provides improved security and better performance, especially with parallel processing
RMAN integrity checks now use SHA512 instead of SHA1
Deprecated Algorithms
GOST and SEED algorithms are deprecated
Decryption libraries remain available for existing data
New encryption keys cannot use these algorithms
New TABLESPACE_ENCRYPTION Parameter (19.16)
Controls automatic encryption of tablespaces in primary and standby databases
Enables hybrid cloud disaster recovery where the cloud database is encrypted, but the on-premises database is not
DB_RECOVERY_AUTO_REKEY Support
Now available for Oracle Data Guard environments (26ai)
Controls whether the standby database automatically rekeys tablespaces during recovery
TDE wallet management is a foundational component of Oracle Database security, but it also has direct implications for availability, recovery, and operational resilience. As Oracle continues to evolve TDE with Oracle AI Database 26ai, introducing stronger encryption defaults, new modes, and deprecating legacy tools and parameters, organisations must ensure their wallet configurations are aligned with these changes.
The move to the WALLET_ROOT structure, the deprecation of utilities such as Oracle Wallet Manager and mkstore, and the adoption of AES256 with modern encryption modes reflect Oracle’s focus on strengthening database security. However, these changes also raise the importance of disciplined wallet management - including proper configuration, secure management practices, and thorough testing.
Remember that TDE is only as secure as your wallet management practices. Secure backups of your wallet files, careful password policies, the appropriate use of local auto-login wallets in production, and regular testing, including Disaster Recovery testing, are essential to avoid situations where your encrypted databases become unavailable at the moment you need them most. For enterprise environments, Oracle Key Vault can be considered for centralised key management and enhanced security.
By following the practices outlined in this blog, teams can implement and manage TDE wallets in a way that supports both strong security and reliable database continuity, while fully leveraging the enhancements available in Oracle AI Database 26ai.
An Oracle TDE wallet is a secure keystore that stores the master encryption keys used to encrypt and decrypt database data.
You create a TDE wallet by configuring WALLET_ROOT, creating the keystore using ADMINISTER KEY MANAGEMENT, opening the wallet, and setting the master encryption key.
Oracle supports password-protected wallets, auto-login wallets, and local auto-login wallets, each offering different levels of security and automation.
If the TDE wallet is lost, encrypted data cannot be decrypted, and the database cannot be opened or recovered.
TDE wallet management is critical because the wallet must be available at the recovery site; otherwise, failover and recovery operations will fail.