Verify Master Encryption Key
This section describes how to verify the master encryption key using the v$encryption_keys view.
To verify the Master Key, run the following sample query:
Sample:
select key_id, creation_time, key_use, keystore_type, origin, con_id from v$encryption_keys order by creation_time desc;
v$encryption_keys supports up to 0.5 million keys in CipherTrust Manager LTS version 2.11.1 and higher.
Note
The view lists the metadata of all keys in the domain, but only for keys that have an Opaque_Object. System performance depends on the number of keys being managed and the allocated machine resources, which may affect overall efficiency and response time while executing v$encryption_keys.
Understanding the DATA_OBJECT_SUPPORTED_IDEN Object
When using Oracle TDE with CipherTrust Manager, you may encounter an opaque object named DATA_OBJECT_SUPPORTED_IDEN. This section answers common questions about this object and its management.
What is the DATA_OBJECT_SUPPORTED_IDEN object?
DATA_OBJECT_SUPPORTED_IDEN is an opaque object automatically created by Oracle within CipherTrust Manager the first time the Oracle TDE keystore is opened. It is a one-time creation; if the object already exists, a new one is not created.
What is its role in CipherTrust Manager?
This object is essential for the proper functioning of the Oracle V$ENCRYPTION_KEYS view. Oracle uses this object to query key metadata from CipherTrust Manager. If the object does not exist or is inaccessible, the functionality of the V$ENCRYPTION_KEYS view may be impacted.
How is its owner assigned?
The owner of the DATA_OBJECT_SUPPORTED_IDEN object is the same CipherTrust Manager user that was used to initially open the Oracle keystore.
What is the impact of changing the owner?
Changing the owner of the DATA_OBJECT_SUPPORTED_IDEN object is not recommended. Doing so causes the V$ENCRYPTION_KEYS view to stop working.
What happens if the owner of DATA_OBJECT_SUPPORTED_IDEN is deleted?
Deleting the owner of this object can have severe consequences. If the deleted user is also the owner of the Master Encryption Key (MEK), the Oracle wallet may be closed. This prevents all cryptographic operations, potentially leading to database downtime.
What should be done if the DATA_OBJECT_SUPPORTED_IDEN object is accidentally deleted?
If the DATA_OBJECT_SUPPORTED_IDEN object is deleted from CipherTrust Manager, you can recover by closing and then re-opening the Oracle wallet:
-- Close the wallet
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<cm_user:cm_user_password>";
-- Re-open the wallet
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
During the re-opening process, Oracle detects that the object is missing and automatically sends a request to CAKM for Oracle TDE to recreate it on CipherTrust Manager. After this completes, the V$ENCRYPTION_KEYS view functions correctly again.
How can other users view v$encryption_keys?
To allow multiple CipherTrust Manager users with Key_User privileges to view v$encryption_keys, they must be granted permissions on the DATA_OBJECT_SUPPORTED_IDEN object. The recommended way to do this is:
1. Create a group in CipherTrust Manager.
2. Add the desired users to this group.
3. Grant this group Read, Use, and Export permissions on the DATA_OBJECT_SUPPORTED_IDEN object.
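The verification query in the first section and the DATA_OBJECT_SUPPORTED_IDEN questions above both come down to one check: does v$encryption_keys reflect the keystore the database reports it is using? The following SQL is an added example, not part of this page or of CAKM for Oracle TDE; it assumes an Oracle 12.2 or later multitenant database with CAKM configured, is run from CDB$ROOT with the SYSKM privilege, and uses only standard Oracle v$encryption_wallet and v$encryption_keys columns.

```sql
-- Assumptions (not from the page): Oracle 12.2+ multitenant database,
-- CAKM for Oracle TDE configured, session connected to CDB$ROOT as SYSKM.

-- 1. Keystore state per container. A STATUS of CLOSED or OPEN_NO_MASTER_KEY
--    explains an empty v$encryption_keys before anything on the CipherTrust
--    Manager side does; an external keystore shows WRL_TYPE = 'HSM'.
SELECT con_id, wrl_type, wallet_type, status, fully_backed_up
  FROM v$encryption_wallet
 ORDER BY con_id, wallet_order;

-- 2. Master keys as reported through the external keystore, newest first.
--    In a CAKM deployment, keys held in CipherTrust Manager are expected to
--    report KEYSTORE_TYPE = 'HARDWARE KEYSTORE'; a 'SOFTWARE KEYSTORE' row
--    is a key that still lives in a local wallet file and deserves a look.
SELECT key_id, creation_time, activation_time, key_use, keystore_type, origin, con_id
  FROM v$encryption_keys
 ORDER BY creation_time DESC;

-- 3. Current (most recently activated) master key for each container.
SELECT con_id, key_id, activation_time, keystore_type
  FROM (
        SELECT con_id, key_id, activation_time, keystore_type,
               ROW_NUMBER() OVER (PARTITION BY con_id
                                  ORDER BY activation_time DESC) AS rn
          FROM v$encryption_keys
       )
 WHERE rn = 1;

-- 4. Containers whose keystore is OPEN on the HSM type but for which
--    v$encryption_keys returns nothing. On a CAKM deployment this is the
--    symptom to expect when DATA_OBJECT_SUPPORTED_IDEN is missing, its owner
--    was changed, or the connecting CipherTrust Manager user lacks Read, Use
--    and Export on it. If the object was deleted, closing and re-opening the
--    keystore (see above) recreates it.
SELECT w.con_id
  FROM v$encryption_wallet w
 WHERE w.wrl_type = 'HSM'
   AND w.status   = 'OPEN'
   AND NOT EXISTS (SELECT 1
                     FROM v$encryption_keys k
                    WHERE k.con_id = w.con_id);
```

Any container returned by query 4 should be checked on the CipherTrust Manager side (object present, owner unchanged, group permissions in place) before the database itself is suspected.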