I was just thinking about long-term LTC myself. The documentation for backup/recovery of the keys makes my head hurt:
http://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#ASOAG9548

I am very confused why RMAN does not back up the wallet if the wallet is critical to the operation of the database. But in any event, in my dream I would store all my wallets in the default location ($ORACLE_BASE/admin/$ORACLE_SID/wallet/) and just backup the wallet at the default location whenever I do a database backup; if there is no wallet, no backup of wallet, no problem.

Database cloning is an issue as well, as we typically do several a week. I have to read up, but my gut says we can use a copy of the wallet/master key. I might be totally wrong, but I will find out later today when I test it. :)

By the way, Jeremy, I think some of your observations might be wrong or slightly incorrect. :) For instance, querying V$ENCRYPTION_WALLET does not seem to trigger an open of the wallet for me (11.2.0.4); it merely reports the status of the wallet, which is good. V$WALLET seems totally useless to me.

On Thu, Mar 12, 2015 at 9:50 AM, David Mann <dmann99@xxxxxxxxx> wrote:

> Thanks Jeremy for your insights and Charles for your questions.
>
> I'm moving forward with working TDE support into an 11gR2 project as well.
>
> Implementation and care and feeding of the wallets when creating, cloning,
> etc has been going OK. I haven't found enough people that use it in order
> to discuss long term handling of the wallets with.
>
> As we only have a handful of databases (<5% of enterprise) which will be
> using TDE we can't justify the expense of Key Vault or other 3rd party
> products. I want to protect the wallets at a local and remote site but my
> challenge is getting the DB ops teams to make sure when they get a ticket
> that they know they are operating on a TDE encrypted database and they
> should backup the wallet at key times (after creation, before/after
> password changes, etc).
>
> I had a dream about a shell script which would return TDE status of a
> database and offer to make a backup of the wallet to a secure area. Without
> Key Vault are folks just doing these steps manually or is there a good
> basic level of automation I should be striving for?
>
> -Dave
>
> --
> Dave Mann
> General Geekery | www.brainio.us
> Database Geekery | www.ba6.us | @ba6dotus | http://www.ba6.us/rss.xml
>

--
Charles Schultz
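
An added example, not part of either message: a shell sketch of the "back up the wallet at the default location if one exists" step discussed in this thread. It assumes a file-based wallet whose password-protected keystore is `ewallet.p12`; the function names and the backup file naming are hypothetical, and the destination is assumed to be a restricted directory kept apart from the database backup pieces. It covers only the copy-and-verify half, not the TDE status query.

```shell
#!/usr/bin/env bash
# Added example: copy a TDE wallet to a restricted backup area, if one exists.
# Assumption: file-based wallet; ewallet.p12 is the password-protected keystore.
# cwallet.sso (auto-login) is deliberately skipped: it opens without a password.

# Default wallet directory named in the thread.
wallet_dir() {
  printf '%s/admin/%s/wallet\n' "${ORACLE_BASE:?}" "${ORACLE_SID:?}"
}

# SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# backup_wallet SRC_DIR DEST_DIR
# Prints the path of the copy and returns 0 on success.
# Prints "no-wallet" and returns 0 when there is nothing to back up.
# Returns 1 when the copy fails or its checksum does not match the source.
backup_wallet() {
  local src="$1/ewallet.p12" dest_dir="$2" stamp dest
  if [ ! -f "$src" ]; then
    echo "no-wallet"
    return 0
  fi
  stamp=$(date +%Y%m%dT%H%M%S)
  dest="$dest_dir/ewallet.p12.${ORACLE_SID:-unknown}.$stamp"
  # umask 077 keeps the directory and file private from the moment of creation.
  ( umask 077
    mkdir -p "$dest_dir" && cp -p "$src" "$dest" ) || return 1
  chmod 600 "$dest" || return 1
  if [ "$(file_sha256 "$src")" != "$(file_sha256 "$dest")" ]; then
    rm -f "$dest"
    return 1
  fi
  echo "$dest"
}

# Usage (hypothetical destination): backup_wallet "$(wallet_dir)" /secure/wallet_backups
```

A database backup wrapper could call this before or after its backup step and alert on a non-zero return; the "no-wallet" case lets the same wrapper run unchanged against databases that do not use TDE.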