The client plugged a non-encrypted PDB into a CDB with TDE Encryption Wallet enabled. All works fine, we can read the data. However when trying to create a tablespace we get:<\/p>\n\n\n
\nCDB1 SQL> create tablespace TBS_NEW;\nError starting at line : 1 in command -\ncreate tablespace t1\nError report -\nORA-28374: typed master key not found in wallet\n28374. 0000 - "typed master key not found in wallet"\n*Cause: You attempted to access encrypted tablespace or redo logs with a typed master key not existing in the wallet.\n*Action: Copy the correct Oracle Wallet from the instance where the tablespace was created.\n<\/pre><\/div>\n\n\nWhat is wrong? <\/p>\n\n\n\n\n\n\n\n
When we check, the wallet is correctly open:<\/p>\n\n\n
\nCDB1 SQL> select con_id,WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET;\n \n CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS\n_________ ___________________________________ ___________ ______________ _________\n 1 \/u00\/app\/oracle\/wallet_root\/tde\/ FILE AUTOLOGIN OPEN\n 2 FILE AUTOLOGIN OPEN\n 3 FILE AUTOLOGIN OPEN\n<\/pre><\/div>\n\n\nThere is a key in the wallet:<\/p>\n\n\n
\nCDB1 SQL> select CON_ID, KEY_ID, TAG, CREATION_TIME from V$ENCRYPTION_KEYS;\n\n CON_ID KEY_ID TAG CREATION_TIME\n_________ _______________________________________________________ ______ _________________________________________\n\n 1 AgGDqo\/DF0+Ev+BNDtn\/CX4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 17-AUG-25 11.39.27.188627000 AM +01:00\n<\/pre><\/div>\n\n\nBut this key is not the one that is missing. We can find the missing Key ID in the alertlog error that was generated during the tablespace creation:<\/p>\n\n\n
\nKZTDE:kztsmptc: Missing Key ID: Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nKZTDE:kztsmptc: keystore_type: 3, wallet_type: 1,wallet location: file:\/u00\/app\/oracle\/wallet_root\/tde\/\n<\/pre><\/div>\n\n\nThe client had also moved the wallet away a created a new one! Luckily he did keep a backup of the old wallet.<\/p>\n\n\n\n
Using orapki <\/code>(could also be with mkstore<\/code>) one can see the keys inside a ewallet.p12 file. If the autologin cwallet.sso file is in the same directory, we do not even need to give a password. So on the wallet backup folder I could find the missing key ID:<\/p>\n\n\n\noracle@clientvm-01:\/u00\/app\/oracle\/wallet_root\/tde_bak\/ [CDB1] orapki wallet display -wallet .\nOracle PKI Tool Release 19.0.0.0.0 - Production\nVersion 19.4.0.0.0\nCopyright (c) 2004, 2025, Oracle and\/or its affiliates. All rights reserved.\n\nRequested Certificates:\nSubject: CN=oracle\nUser Certificates:\nOracle Secret Store entries:\nORACLE.SECURITY.DB.ENCRYPTION.Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.DB.ENCRYPTION.AQvvtK3wXU80v8uIKWQ1W54AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.DB.ENCRYPTION.AWyv53k7BE8Iv57k5AU0cBIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.DB.ENCRYPTION.AZkaN9i5j0\/Lv5Blkaftlt4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY\nORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.4220F3678B1641F7E063E061A10ACD56\nORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.456D1D98EB222943E063E061A10AB457\nORACLE.SECURITY.ID.ENCRYPTION.\nORACLE.SECURITY.KB.ENCRYPTION.\nORACLE.SECURITY.KM.ENCRYPTION.Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.KM.ENCRYPTION.AQvvtK3wXU80v8uIKWQ1W54AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.KM.ENCRYPTION.AWyv53k7BE8Iv57k5AU0cBIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.KM.ENCRYPTION.AZkaN9i5j0\/Lv5Blkaftlt4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n<\/pre><\/div>\n\n\nTo copy only one key from one wallet to another, we need to pass through a “Export file”. And I need the old wallet password. As I needed to perform this without downtime of the actual DB, I need to open the old wallet in a different database. <\/p>\n\n\n\n
For that I used a temporary DB. There I close the wallet being used:<\/p>\n\n\n
\nTEMP-DB SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;\n<\/pre><\/div>\n\n\nBackup the current wallet files and put there the wallet where I’ve my key to be exported. And I can query it (no need to restart the database!). We can also use a database in nomount state.<\/p>\n\n\n
\nTEMP-DB SQL> select CON_ID, KEY_ID from V$ENCRYPTION_KEYS;\n\n CON_ID KEY_ID \n_________ _______________________________________________________ ______ ________________\n 1 Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n 1 AZkaN9i5j0\/Lv5Blkaftlt4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n 3 AQvvtK3wXU80v8uIKWQ1W54AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n 3 AWyv53k7BE8Iv57k5AU0cBIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n<\/pre><\/div>\n\n\nNow I can export the key I need:<\/p>\n\n\n
\nTEMP-DB SQL> ADMINISTER KEY MANAGEMENT EXPORT KEYS WITH SECRET "export_password" TO '\/home\/oracle\/tdekeys.exp' FORCE KEYSTORE IDENTIFIED BY "wallet_password" WITH IDENTIFIER IN 'Agk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';\n<\/pre><\/div>\n\n\nAnd from the problematic database I can import the missing key:<\/p>\n\n\n
\nCDB1 SQL>ADMINISTER KEY MANAGEMENT IMPORT KEYS WITH SECRET "export_password" FROM '\/home\/oracle\/tdekeys.exp' FORCE KEYSTORE IDENTIFIED BY "wallet_password" WITH BACKUP;\nKey MANAGEMENT succeeded.\n\nCDB1 SQL> select CON_ID, KEY_ID, TAG, CREATION_TIME from V$ENCRYPTION_KEYS;\n\n CON_ID KEY_ID TAG CREATION_TIME\n_________ _______________________________________________________ ______ _________________________________________\n 1 Adk1vEoYhE8jv2zFM+xWGFkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 17-APR-25 11.25.35.396506000 AM +01:00\n 1 AaGDqo\/DF0+Ev+BNDtn\/CX4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 17-AUG-25 11.39.27.188627000 AM +01:00\n<\/pre><\/div>\n\n\nThe key is now there – the con_id is not important, we can do this operations from the root container.<\/p>\n\n\n\n
The tablespace creation now works:<\/p>\n\n\n
\nCDB1 SQL> create tablespace TBS_NEW;\nTablespace TBS_NEW created.\n\nCDB1 SQL> drop tablespace TBS_NEW;\nTablespace TBS_NEW dropped.\n<\/pre><\/div>\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
The client plugged a non-encrypted PDB into a CDB with TDE Encryption Wallet enabled. All works fine, we can read the data. However when trying to create a tablespace we get: What is wrong?<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,39,81,9],"tags":[],"class_list":["post-1037","post","type-post","status-publish","format-standard","category-oracle","category-oracle-19c","category-oracle-23ai","category-security","czr-hentry"],"_links":{"self":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1037","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/comments?post=1037"}],"version-history":[{"count":4,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1037\/revisions"}],"predecessor-version":[{"id":1041,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1037\/revisions\/1041"}],"wp:attachment":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/media?parent=1037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/categories?post=1037"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/tags?post=1037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}