The client plugged a non-encrypted PDB into a CDB with TDE Encryption Wallet enabled. All works fine, we can read the data. However when trying to create a tablespace we get:
CDB1 SQL> create tablespace TBS_NEW;
Error starting at line : 1 in command -
create tablespace t1
Error report -
ORA-28374: typed master key not found in wallet
28374. 0000 - "typed master key not found in wallet"
*Cause: You attempted to access encrypted tablespace or redo logs with a typed master key not existing in the wallet.
*Action: Copy the correct Oracle Wallet from the instance where the tablespace was created.
What is wrong?
When we check, the wallet is correctly open:
CDB1 SQL> select con_id,WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET;
CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS
_________ ___________________________________ ___________ ______________ _________
1 /u00/app/oracle/wallet_root/tde/ FILE AUTOLOGIN OPEN
2 FILE AUTOLOGIN OPEN
3 FILE AUTOLOGIN OPEN
There is a key in the wallet:
CDB1 SQL> select CON_ID, KEY_ID, TAG, CREATION_TIME from V$ENCRYPTION_KEYS;
CON_ID KEY_ID TAG CREATION_TIME
_________ _______________________________________________________ ______ _________________________________________
1 AgGDqo/DF0+Ev+BNDtn/CX4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 17-AUG-25 11.39.27.188627000 AM +01:00
But this key is not the one that is missing. We can find the missing Key ID in the alertlog error that was generated during the tablespace creation:
KZTDE:kztsmptc: Missing Key ID: Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
KZTDE:kztsmptc: keystore_type: 3, wallet_type: 1,wallet location: file:/u00/app/oracle/wallet_root/tde/
The client had also moved the wallet away a created a new one! Luckily he did keep a backup of the old wallet.
Using orapki (could also be with mkstore) one can see the keys inside a ewallet.p12 file. If the autologin cwallet.sso file is in the same directory, we do not even need to give a password. So on the wallet backup folder I could find the missing key ID:
oracle@clientvm-01:/u00/app/oracle/wallet_root/tde_bak/ [CDB1] orapki wallet display -wallet .
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AQvvtK3wXU80v8uIKWQ1W54AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AWyv53k7BE8Iv57k5AU0cBIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AZkaN9i5j0/Lv5Blkaftlt4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.4220F3678B1641F7E063E061A10ACD56
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.456D1D98EB222943E063E061A10AB457
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AQvvtK3wXU80v8uIKWQ1W54AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AWyv53k7BE8Iv57k5AU0cBIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AZkaN9i5j0/Lv5Blkaftlt4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
To copy only one key from one wallet to another, we need to pass through a “Export file”. And I need the old wallet password. As I needed to perform this without downtime of the actual DB, I need to open the old wallet in a different database.
For that I used a temporary DB. There I close the wallet being used:
TEMP-DB SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
Backup the current wallet files and put there the wallet where I’ve my key to be exported. And I can query it (no need to restart the database!). We can also use a database in nomount state.
TEMP-DB SQL> select CON_ID, KEY_ID from V$ENCRYPTION_KEYS;
CON_ID KEY_ID
_________ _______________________________________________________ ______ ________________
1 Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1 AZkaN9i5j0/Lv5Blkaftlt4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
3 AQvvtK3wXU80v8uIKWQ1W54AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
3 AWyv53k7BE8Iv57k5AU0cBIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Now I can export the key I need:
TEMP-DB SQL> ADMINISTER KEY MANAGEMENT EXPORT KEYS WITH SECRET "export_password" TO '/home/oracle/tdekeys.exp' FORCE KEYSTORE IDENTIFIED BY "wallet_password" WITH IDENTIFIER IN 'Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
And from the problematic database I can import the missing key:
CDB1 SQL>ADMINISTER KEY MANAGEMENT IMPORT KEYS WITH SECRET "export_password" FROM '/home/oracle/tdekeys.exp' FORCE KEYSTORE IDENTIFIED BY "wallet_password" WITH BACKUP;
Key MANAGEMENT succeeded.
CDB1 SQL> select CON_ID, KEY_ID, TAG, CREATION_TIME from V$ENCRYPTION_KEYS;
CON_ID KEY_ID TAG CREATION_TIME
_________ _______________________________________________________ ______ _________________________________________
1 Adk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 17-APR-25 11.25.35.396506000 AM +01:00
1 AaGDqo/DF0+Ev+BNDtn/CX4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 17-AUG-25 11.39.27.188627000 AM +01:00
The key is now there – the con_id is not important, we can do this operations from the root container.
The tablespace creation now works:
CDB1 SQL> create tablespace TBS_NEW;
Tablespace TBS_NEW created.
CDB1 SQL> drop tablespace TBS_NEW;
Tablespace TBS_NEW dropped.