Importing to a new database#

If you are exporting a database that has already had encryption enabled (even if no fields have been encrypted), you must follow these steps after you have imported the dump file into the new database, that has not had encryption enabled.

1. Connect as the SYS user with SQL

2. Execute the SYS_UPGRADE script, which includes additional grants for the encryption routines.

3. On the database server, create key and backup key folders for the DB and copy the key files (from the source database) into them, use a binary transfer method so that bad characters do not get added to the end.

4. Connect as the P2K user with SQL

5. If you have passwords on the roles assigned to the P2K user (P2K_DBA, P2K_USER), you should clear the passwords at the database level first, with commands like

ALTER ROLE p2k_dba NOT IDENTIFIED;
5. Execute the DB_ENCRYPTION_MOVE.sql script supplying the full key and backup key paths when prompted. This script creates the proper directory entries and runs the Create Context script. Ensure the contexts were created correctly, the script tries to set roles again which may fail but the setting above will hold if it does.

6. In your DB session, force the read of the key from the key files:

BEGIN
  p2k_pmsec.getkeyfromdisk;
END;

7. If you get an error that SYS.DBMS_CRYPTO_FFI returned an error unexpectedly, it is most likely that the keyfiles are corrupt and were likely not transferred in a binary mode (especially important with Linux based database servers)

8. Test the encryption logic with a select statement, as below. Encrypted columns should still show as null, as they have not yet been encrypted.

SELECT
  rca.BIRTH_DATE,
  rca.RAW_BIRTH_DATE,
  p2k_pmsec.decrypt(rca.RAW_BIRTH_DATE) decryption
  FROM
  p2k_re_candidates rca
  where rownum < 30;

9. Execute the DB_RECOMPILE.sql script and rectify any compile errors.

10. Execute the DB_UMRS.sql script to set the users/roles at the DB properly. This will put any role passwords in step 5 back.

Importing to a database that previously had encryption#

If your target database previously had encryption enabled (even if no fields were encrypted), you must follow these steps after the dump file has been imported:

1. Copy the key files (from the source database) into them, use a binary transfer method so that bad characters do not get added to the end.


Notes#

Click to create a new notes page