Home » RDBMS Server » Security » Remove and Disable the HSM (ORACLE 11GR2)
Remove and Disable the HSM [message #686229] Tue, 05 July 2022 05:18 Go to next message
keenweng2001
Messages: 9
Registered: August 2020
Junior Member
Hi ,

Does any one have any idea how to remove/disabled the HSM and remove the column encryption from Oracle 11GR2 ?

The first step I will do is Decrypt all the encrypted column (example : ALTER TABLE TEST4 MODIFY (birthname DECRYPT))

But I do not know how to switch from the HSM to local wallet ? any experience user can provide any reference ?

[oracle@D1 admin]$ cat sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

ADR_BASE = /u01/app/oracle
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))

sqlnet.allowed_logon_version=11
Re: Remove and Disable the HSM [message #686230 is a reply to message #686229] Tue, 05 July 2022 12:10 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
I'll try, but I think all I can do is warn you of possible problems.

Removing TDE can be difficult: You can destroy your database. As I understand it (which may not be correct) the problem is that Oracle maintains the encryption for data in undo and temp tablespaces. So, without your knowledge, it is generating keys for those tablespaces in addition to the keys you know about. So if you remove the encryption for your tablespaces or columns and then replace the wallet your database is stuffed because you have also removed the keys for temp and undo. Keys that you didn't know existed.

I would not attempt what you are doing without raising a TAR (the soul destroying process of engaging with Oracle Support....)
Re: Remove and Disable the HSM [message #686231 is a reply to message #686230] Tue, 05 July 2022 12:57 Go to previous messageGo to next message
keenweng2001
Messages: 9
Registered: August 2020
Junior Member
The production database have migrated to other platform . So what I am trying to do here is remove the dependency on the hardware module . So that I can RMAN dump the database to other server (without HSM or TDE) for future references and move the HSM server to decommission .

I have cross check with script --- SELECT tablespace_name, encrypted, status FROM dba_tablespaces , there are no encrypted tablespace . only few table columns was encrypted.

I have a second thought , if I can alter all the encrypted column and change it to decrypt . Does it still really matter if I remove the HSM configuration or not ? Do I able to restore this database to other server (without HSM or TDE).
Re: Remove and Disable the HSM [message #686232 is a reply to message #686231] Wed, 06 July 2022 01:00 Go to previous message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
This is a different question. I think you want to decrypt the columns, then do an RMAN duplicate. I can see no reason why that would not work. What happens when you try it?
Previous Topic: TDE wallet creation and setup
Next Topic: Getting password
Goto Forum:
  


Current Time: Thu Mar 28 14:28:12 CDT 2024