Wednesday, 27 February 2019

Linux - Store Oracle Transparent Encryption pass phrase remotely

I've set up Transparent Database Encryption (TDE) on one of my databases.
I don't want to use auto login or local auto login, as that would defeat the purpose of encrypting the database in the first place.
I do want to automatically open the wallet when I startup the database.

Here's how I fixed it.

First, as root, I need to mount a remote file system and add it to /etc/fstab.

As the Oracle user I need to generate my RSA private and public keys.

openssl genrsa -out ~/.rsa_key.pri 2048
openssl rsa -in ~/.rsa_key.pri -out ~/.rsa_key.pub -outform PEM -pubout

This creates two hidden files, the private key (.rsa_key.pri) and the public key (.rsa_key.pub), in my home directory.

Now I need to pass my TDE pass phrase to openssl for it to encrypt and write to my remote file system.

echo "MyPassPhrase" | openssl rsautl -encrypt -inkey ~/.rsa_key.pub -pubin -out /remotefs/folder/file.name

Now I can use the following in a script to open the wallet without knowing, or having to enter, the TDE pass phrase.

passPhrase=$(openssl rsautl -decrypt -inkey ~/.rsa_key.pri -in /remotefs/folder/file.name)
sqlplus -s / as sysdba <<!
administer key management set keystore open identified by "$passPhrase";
!

You can easily wrap these commands in a script and use it alongside dbstart, either from systemctl or manually.