Oracle Error ORA-28362: Master Key Missing

Description

The ORA-28362 error indicates that the required master key for encryption could not be found by the Oracle database. This typically occurs when the database is unable to access or correctly interpret the wallet containing the master key.

Error Message

ORA-28362: master key not found

Known Causes

Incorrect Wallet Path
The wallet location specified in the database configuration is incorrect, preventing access to the master key.

Corrupted Wallet
The wallet file containing the master key has become corrupted or damaged, rendering it unusable.

Wrong Wallet Type
An incorrect type of wallet (e.g., SSO wallet instead of an encrypted wallet) is being used for the encryption setup.

Insufficient Permissions
The database user lacks the necessary permissions to access the wallet directory or files.

Solutions

1. Verify TDE Wallet Status and Configuration (difficulty: medium)

Ensures the Transparent Data Encryption (TDE) wallet is correctly configured and accessible.

Step 1: Check the status of the TDE wallet. This involves verifying that the wallet is open and that the master key is available. You can do this by attempting to open the wallet using SQL*Plus or by checking the Oracle Net configuration.

```sql
sqlplus / as sysdba

-- Attempt to open the wallet if it's not already open.
-- The statement takes no path; the wallet location comes from the configuration in Step 2.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "your_wallet_password";

-- Verify if the master key is available
SELECT * FROM V$ENCRYPTION_KEYS;
```

Step 2: Ensure the `sqlnet.ora` file correctly points to the TDE wallet location. This file is crucial for Oracle to find and access the wallet.

```
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/path/to/your/tde_wallet)))
```

Step 3: Confirm that the wallet password used in the `ADMINISTER KEY MANAGEMENT` command matches the actual password of the TDE wallet. Incorrect passwords will prevent the wallet from opening and the master key from being found.
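
The checks in this solution and the causes listed above can be scripted before touching the database. The following is an added example, not part of the original page or of Oracle's tooling: a POSIX shell pre-flight check that reads the wallet directory from `sqlnet.ora` and reports what it finds on disk. The function names, the finding codes and the `SQLNET_ORA` environment variable are assumptions made for this example; `ewallet.p12` and `cwallet.sso` are the standard Oracle wallet file names.

```shell
#!/bin/sh
# Added example (not Oracle tooling): pre-flight check of the TDE wallet
# directory. Function names and finding codes are illustrative assumptions.

# Print the DIRECTORY value of ENCRYPTION_WALLET_LOCATION from a sqlnet.ora.
# Assumes upper-case keywords and a path without spaces.
wallet_dir_from_sqlnet() {
    # Drop comment lines, then join the (possibly multi-line) parameter.
    s=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null | tr -d ' \t\r\n')
    case $s in
        *ENCRYPTION_WALLET_LOCATION=*DIRECTORY=*) ;;
        *) return 1 ;;
    esac
    s=${s#*ENCRYPTION_WALLET_LOCATION=}   # text after the parameter name
    s=${s#*DIRECTORY=}                    # text after the first DIRECTORY=
    printf '%s\n' "${s%%\)*}"             # cut at the first closing paren
}

# Map a wallet directory to the causes listed above: prints one finding code
# and returns non-zero on the first problem found.
check_wallet_dir() {
    d=$1
    [ -d "$d" ] || { echo MISSING_DIR; return 1; }            # wrong path
    { [ -r "$d" ] && [ -x "$d" ]; } || { echo DIR_NOT_ACCESSIBLE; return 1; }
    if [ ! -e "$d/ewallet.p12" ]; then
        # cwallet.sso alone is an auto-login (SSO) wallet with no
        # password-protected keystore beside it.
        if [ -e "$d/cwallet.sso" ]; then echo SSO_ONLY; else echo NO_WALLET_FILE; fi
        return 1
    fi
    [ -r "$d/ewallet.p12" ] || { echo WALLET_NOT_READABLE; return 1; }  # permissions
    [ -s "$d/ewallet.p12" ] || { echo WALLET_EMPTY; return 1; }  # zero-length file
    echo OK
}

# Usage: SQLNET_ORA=/path/to/sqlnet.ora sh check_wallet.sh
if [ -n "${SQLNET_ORA:-}" ]; then
    dir=$(wallet_dir_from_sqlnet "$SQLNET_ORA") || { echo NO_WALLET_LOCATION; exit 2; }
    echo "wallet directory: $dir"
    check_wallet_dir "$dir"
fi
```

Run it as the OS user that owns the Oracle processes, because the readability tests reflect the calling user's permissions.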

2. Restart Oracle Database and Listener (difficulty: easy)

A simple restart can resolve transient issues with wallet accessibility.

Step 1: Stop the Oracle database instance gracefully.

```sql
sqlplus / as sysdba

SHUTDOWN IMMEDIATE;
EXIT;
```

Step 2: Stop the Oracle Net Listener.

```bash
lsnrctl stop
```

Step 3: Start the Oracle Net Listener.

```bash
lsnrctl start
```

Step 4: Start the Oracle database instance.

```sql
sqlplus / as sysdba

STARTUP;
EXIT;
```

Step 5: After the database and listener are running, try to access the encrypted data or perform an operation that requires the master key. If the error persists, proceed to more advanced troubleshooting.

3. Restore TDE Wallet from Backup (difficulty: advanced)

Recovers the TDE wallet and its master key from a valid backup.

Step 1: Ensure you have a recent and valid backup of your TDE wallet. This is critical for recovery. The wallet is typically a directory containing several files.

Step 2: Stop the Oracle database instance and listener as described in the 'Restart Oracle Database and Listener' solution.

```sql
sqlplus / as sysdba

SHUTDOWN IMMEDIATE;
EXIT;
```

```bash
lsnrctl stop
```

Step 3: Replace the current TDE wallet directory with the restored backup. **Caution:** This will overwrite any changes made since the last backup.

```bash
sudo rm -rf /path/to/your/tde_wallet
# Copy the backup directory itself so the removed target is recreated
# (copying backup/* into a directory that no longer exists would fail).
sudo cp -rp /path/to/your/tde_wallet_backup /path/to/your/tde_wallet
```

Step 4: Start the Oracle Net Listener and then the Oracle database instance.

```bash
lsnrctl start
```

```sql
sqlplus / as sysdba

STARTUP;
EXIT;
```

Step 5: Verify that the TDE wallet is accessible and the master key can be found by checking `V$ENCRYPTION_KEYS`.

```sql
sqlplus / as sysdba

SELECT * FROM V$ENCRYPTION_KEYS;
EXIT;
```

4. Re-key TDE Master Key (difficulty: advanced)

Generates a new TDE master key, effectively replacing the lost or inaccessible one.

Step 1: This is a destructive operation and should only be performed if the master key is irretrievably lost. This process will encrypt all data previously protected by the old master key with the new one. Ensure you have backups before proceeding.

Step 2: Stop the Oracle database instance and listener.

```sql
sqlplus / as sysdba

SHUTDOWN IMMEDIATE;
EXIT;
```

```bash
lsnrctl stop
```

Step 3: Open the TDE wallet.

```sql
sqlplus / as sysdba

-- Note: ADMINISTER KEY MANAGEMENT needs a started instance;
-- against an idle instance it fails with ORA-01034.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "your_wallet_password";
```

Step 4: Generate a new master encryption key. This command will prompt for confirmation.

```sql
-- IDENTIFIED BY takes the keystore (wallet) password;
-- WITH BACKUP saves a copy of the keystore before the new key is set.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "your_wallet_password" WITH BACKUP;
```

Step 5: Close the wallet.

```sql
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "your_wallet_password";
```

Step 6: Restart the Oracle Net Listener and then the Oracle database instance.

```bash
lsnrctl start
```

```sql
sqlplus / as sysdba

STARTUP;
EXIT;
```

Step 7: All data encrypted with the old master key will now be inaccessible. You will need to re-encrypt your data using the new master key. This can be done by re-keying tablespaces or by exporting and importing data.