Example command output
encrypt.sh
encrypt
% ./encrypt.sh encrypt
Logging debug trace and output to: ./trace/encrypt_5.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1P
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PRIMARY
Encrypting database CDB1P with TDE using KeyControl
CDB1P is open read write
Set WALLET_ROOT now
WALLET ROOT (/opt/oracle/oradata/CDB1/wallet) ?
Creating WALLET_ROOT "/opt/oracle/oradata/CDB1/wallet" -------
Done
Set WALLET_ROOT to "/opt/oracle/oradata/CDB1/wallet" -------
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Database opened.
Done
Set TDE_CONFIGURATION to HSM -------
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Database opened.
Done
Opening HSM (KeyControl) KeyStore -------
Done
encrypt with KeyControl -------
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Database opened.
Done
Opening HSM (KeyControl) KeyStore -------
Done
Database report temporarily generated in file: /opt/hcs/tde_reports/CDB1_04092026_115029.report
It will be pushed to KeyControl and removed from local system.
Encryption of database CDB1P with TDE using KeyControl completedmigrate
% ./encrypt.sh migrate
Logging debug trace and output to: ./trace/encrypt_5.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1P
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PRIMARY
Migrating database CDB1P from Software Wallet to KeyControl
CDB1P is open read write
Removing Auto login Wallet -------
No auto login wallet found
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Done
Set TDE_CONFIGURATION to FILE -------
Done
Opening Software Wallet and database in Read Write mode -------
Done
Backup Software Wallet with tag tde_backup -------
Done
Set TDE_CONFIGURATION to HSM|FILE -------
Done
Migrate to KeyControl -------
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Done
Opening HSM (KeyControl) KeyStore and database in Read Write mode -------
Done
Database report temporarily generated in file: /opt/hcs/tde_reports/CDB1_04102026_134932.report
It will be pushed to KeyControl and removed from local system.
Migration of database CDB1P from Software Wallet to KeyControl completedreverse_migrate
% ./encrypt.sh reverse_migrate
Logging debug trace and output to: ./trace/encrypt_8.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1P
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PRIMARY
Reversing migration from KeyControl to Software Wallet for database CDB1P
CDB1P is open read write
Removing Auto login Wallet -------
Creating backup /opt/oracle/oradata/CDB1/wallet/tde/cwallet_04102026_144854.sso and removing auto login wallet /opt/oracle/oradata/CDB1/wallet/tde/cwallet.sso
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Done
Set TDE_CONFIGURATION to FILE -------
Done
Opening Software Wallet and database in Read Write mode -------
Done
Remove Secret from Software Wallet -------
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Done
Set TDE_CONFIGURATION to HSM -------
Done
Opening HSM (KeyControl) KeyStore and database in Read Write mode -------
Done
Set TDE_CONFIGURATION to FILE|HSM -------
Done
Reverse Migrate to Software Wallet -------
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Done
Set TDE_CONFIGURATION to FILE -------
Done
Opening Software Wallet and database in Read Write mode -------
Done
Database report temporarily generated in file: /opt/hcs/tde_reports/CDB1_04102026_144854.report
It will be pushed to KeyControl and removed from local system.
Reversing migration from KeyControl to Software Wallet completedrotate_key
> ./encrypt.sh rotate_key
Logging debug trace and output to: ./trace/encrypt_7.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1P
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PRIMARY
Rotating TDE master key for database CDB1P using KeyControl
Database report temporarily generated in file: /opt/hcs/tde_reports/CDB1_04092026_134706_prerotate.report
It will be pushed to KeyControl and removed from local system.
Database report temporarily generated in file: /opt/hcs/tde_reports/CDB1_04092026_134706.report
It will be pushed to KeyControl and removed from local system.
Rotation of TDE master key for database CDB1P completedsetenv
% ./encrypt.sh setenv
Logging debug trace and output to: ./trace/encrypt_1.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database SID (CDB1) ?
ORACLE_BASE (/opt/oracle) ?
ORACLE_HOME (/opt/oracle/product/19c/dbhome_1) ?
Software Wallet Password () ?
Type Password again (***********) ?
Access token file (/opt/oracle/entrust/oracle.conf) ?
Successfully set environment variables for TDE scripts in ./oracle.env
Updated env cache ./oracle.tabsetup_auto_login
% ./encrypt.sh setup_auto_login
Logging debug trace and output to: ./trace/encrypt_6.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1P
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PRIMARY
Configuring auto login for KeyControl for database CDB1P
CDB1P is open read write
Set TDE_CONFIGURATION to HSM -------
Done
Closing HSM (KeyControl) KeyStore -------
Done
Set TDE_CONFIGURATION to FILE -------
Done
Opening Software Wallet -------
Done
Add Secret to Software Wallet -------
Done
Restarting database CDB1P -------
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Done
Create Auto login Keystore -------
Done
Set TDE_CONFIGURATION to HSM|FILE -------
Done
Restarting database CDB1P -------
ORA-01109: database not open
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 2432695832 bytes
Fixed Size 9137688 bytes
Variable Size 536870912 bytes
Database Buffers 1879048192 bytes
Redo Buffers 7639040 bytes
Database mounted.
Database opened.
Done
Opening All PDBs -------
Done
Database report temporarily generated in file: /opt/hcs/tde_reports/CDB1_04102026_135719.report
It will be pushed to KeyControl and removed from local system.
Configuration of auto login for KeyControl for database CDB1P completedstandby redo_log_status
% ./encrypt.sh standby redo_log_status
Logging debug trace and output to: ./trace/encrypt_7.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1S
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PHYSICAL STANDBY
Checking status of managed recovery process on standby server for database CDB1S
Managed Recovery Process
-------------------------
PROCESS STATUS THREAD# SEQUENCE#
--------- ------------ ---------- ----------
MRP0 APPLYING_LOG 1 21standby restart_redo_log_apply
% ./encrypt.sh standby restart_redo_log_apply
Logging debug trace and output to: ./trace/encrypt_4.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1S
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PHYSICAL STANDBY
Restarting managed recovery process on standby server for database CDB1S
Donestandby setup
% ./encrypt.sh standby setup
Logging debug trace and output to: ./trace/encrypt_1.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1S
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PHYSICAL STANDBY
.
.
.
Opening HSM (KeyControl) KeyStore -------
Done
recover database -------
Done
Opening database read only -------
Done
Setting DataGuard mapping for TDE KeyStore -------
Successfully updated config file /opt/oracle/entrust/oracle.conf
Done
Alter database to MOUNTED mode -------
Done
Restarting Redo Log apply -------
Done
Database report temporarily generated in file: /opt/hcs/tde_reports/CDB1_04092026_112443.report
It will be pushed to KeyControl and removed from local system.
Setup of TDE parameters on standby server for database CDB1S completedstandby stop_redo_log_apply
% ./encrypt.sh standby stop_redo_log_apply
Logging debug trace and output to: ./trace/encrypt_12.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1S
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PHYSICAL STANDBY
Stopping managed recovery process on standby server for database CDB1S
Donestatus
% ./encrypt.sh status
Logging debug trace and output to: ./trace/encrypt_2.trc
Oracle SID -------------- CDB1
Using configuration file: ./entrust.conf
Using environment file: ./oracle.env
Using access token file: /opt/oracle/entrust/oracle.conf
Database CDB1 is already running
Oracle UNQNAME ---------- CDB1P
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Database Role: PRIMARY
db_unique_name ------- CDB1P
Multitenant database ------- YES
Database type ------- Single instance
tde_configuration -------
db_create_file_dest -------
Current wallet_root -------
Calculated wallet_root ------- /opt/oracle/oradata/CDB1/wallet
Database encryption wallet ------- need to open wallet/s to check
Auto Login enabled ------- NO
Database state
-------------------------
Database Name Open Mode Database Role Switchover Status
--------------- ------------------------- ------------------------- -------------------------
CDB1 READ WRITE PRIMARY TO STANDBY
SHOW PDBs
-------------------------
PDB Name CON_ID OPEN_MODE RES
--------------- ------ ---------- ---
PDB$SEED 2 READ ONLY NO
CDB1PDB1 3 MOUNTED
CDB1PDB2 4 MOUNTED
Encryption Wallets
-------------------------
PDB Name Status WRL_TYPE WALLET_OR Wallet Type KEYSTORE WRL_PARAMETER
---------- -------------------- ---------- --------- ------------ -------- ----------------------------------------
CDB$ROOT NOT_AVAILABLE FILE SINGLE UNKNOWN NONE /opt/oracle/admin/CDB1P/wallet
CDB1PDB1 NOT_AVAILABLE FILE SINGLE UNKNOWN UNITED
CDB1PDB2 NOT_AVAILABLE FILE SINGLE UNKNOWN UNITED
PDB$SEED NOT_AVAILABLE FILE SINGLE UNKNOWN UNITED
Current Database master encryption key/s in use
-----------------------------------------------
Encrypted Tablespaces
-------------------------------
TDE Master keys in open wallets
-------------------------------
Services
-------------------------
cdb1pdb1
SYS$BACKGROUND
SYS$USERS
CDB1P.ncipher.com
CDB1XDB
cdb1pdb2
Datafiles
-------------------------
/opt/oracle/oradata/CDB1/system01.dbf
/opt/oracle/oradata/CDB1/sysaux01.dbf
/opt/oracle/oradata/CDB1/undotbs01.dbf
/opt/oracle/oradata/CDB1/pdbseed/system01.dbf
/opt/oracle/oradata/CDB1/pdbseed/sysaux01.dbf
/opt/oracle/oradata/CDB1/users01.dbf
/opt/oracle/oradata/CDB1/pdbseed/undotbs01.dbf
/opt/oracle/oradata/CDB1/CDB1PDB1/system01.dbf
/opt/oracle/oradata/CDB1/CDB1PDB1/sysaux01.dbf
/opt/oracle/oradata/CDB1/CDB1PDB1/undotbs01.dbf
/opt/oracle/oradata/CDB1/CDB1PDB1/users01.dbf
/opt/oracle/oradata/CDB1/CDB1PDB2/system01.dbf
/opt/oracle/oradata/CDB1/CDB1PDB2/sysaux01.dbf
/opt/oracle/oradata/CDB1/CDB1PDB2/undotbs01.dbf
/opt/oracle/oradata/CDB1/CDB1PDB2/users01.dbf
Wallet files
-------------------------
WALLET_ROOT not set. No wallet files found
ASM disk group
-------------------------
ASM check
-------------------------
CDB1P is not using ASMsetup.sh
first entrust.conf
% sudo ./setup.sh first entrust.conf
Logging debug trace and output to: ./trace/setup.trc
First node configuration in Oracle RAC
Enter password for xxxxx.xxxxxx@entrust.com:
Downloading hicli API from xxx.xxx.xxx.xxx
.
.
.
Create Access Token
Successfully created access token
Saving access token in file /opt/oracle/entrust/oracle.conf
Set permission of access token so that user "oracle" can access it
Successfully set permissions
Create link to Entrust pkcs11 library in /opt/oracle/extapi/64/hsm/entrust
Successfully linked pkcs11 library
Setup completeother entrust.conf
% sudo ./setup.sh other entrust.conf
Logging debug trace and output to: ./trace/setup.trc
Other node configuration
Enter password for xxxxx.xxxxx@entrust.com:
Downloading hicli API from xxx.xxx.xxx.xxx
Successfully downloaded and extracted Entrust KeyControl API
.
.
.
Create Access Token
Successfully created access token
Saving access token in file /opt/oracle/entrust/oracle.conf
Set permission of access token so that user "oracle" can access it
Successfully set permissions
Create link to Entrust pkcs11 library in /opt/oracle/extapi/64/hsm/entrust
Successfully linked pkcs11 library
Setup complete