Updated Oracle Key Vault LiveLab

database/advanced/intro/intro-key-vault.md

@@ -4,7 +4,7 @@
 ### Overview
 *Estimated Time to complete the workshop*: 55 minutes
 
-This workshop is the SECOND of two Hands-On Labs dedicated to encrypting data at rest within the Oracle Database. The first workshop, DB Security – ASO (Transparent Data Encryption & Data Redaction) covers transparent data encryption (TDE). This second workshop covers the important topic of managing encryption keys. Here, we will migrate an encrypted database to Oracle Key Vault for centralized key management.
+This workshop is the SECOND of two Hands-On Labs dedicated to encrypting data at rest within the Oracle Database. The first workshop, DB Security – ASO (Transparent Data Encryption & Data Redaction) covers transparent data encryption (TDE). This second workshop covers the important topic of managing encryption keys. Here, we will migrate an encrypted database to Oracle Key Vault for centralized key management and walk through a typical Key Vault deployment.
 
 Based on an OCI architecture, deployed in a few minutes with a simple internet connection, it allows you to test DB Security use cases in a complete environment already pre-configured by the Oracle Database Security Product Manager Team.
 
@@ -33,11 +33,11 @@ This Hands-On Labs give the user an opportunity to learn how to configure the DB
 
 In this mini-lab, you will learn how to use the **Oracle Key Vault** (OKV) features.
 
-The entire DB Security PMs Team wishes you an excellent workshop!
+The entire DB Security PMs team wishes you an excellent workshop!
 
 You may now [proceed to the next lab](#next).
 
 ## Acknowledgements
 - **Author** - Hakim Loumi, Database Security PM
-- **Contributors** - Peter Wahl, Rahil Mir
-- **Last Updated By/Date** - Hakim Loumi, Database Security PM - August 2024
+- **Contributors** - Peter Wahl, Rahil Mir, Shubham Goyal
+- **Last Updated By/Date** - Shubham Goyal, Database Security PM - October 2025

database/advanced/key-vault-new/key-vault-Lab10.md

@@ -0,0 +1,70 @@
+# Automate key rotation
+
+## Introduction
+Scripting of the key rotation operations can be made easier and safer by storing the keystore password in an external store.
+
+Estimated Lab Time: 5 minutes 
+
+### Objectives
+In this lab, you will add the keystore password to a local auto-login wallet and then use this wallet to perform a re-key operation without needing to enter the OKV password.
+
+### Prerequisites
+This lab assumes you have completed lab 9.
+
+## Task 1: Automate re-key
+
+1. Add the keystore password into a new local auto-open wallet in <WALLET_ROOT>/tde
+
+    ````
+    <copy>
+    sqlplus / as sysdba
+    ADMINISTER KEY MANAGEMENT ADD SECRET '<Key Vault endpoint password>' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/etc/ORACLE/WALLETS/cdb1/tde_seps';
+    exit;
+    </copy>
+    ````
+
+    ![Key Vault](./images/Screenshot_2025-10-03_16.19.30.png "Add the keystore password into a new local auto-open wallet in <WALLET_ROOT>/tde")
+
+2. Check the Master Encryption Key ID before a re-key
+
+    ```
+    <copy>
+    sqlplus / as sysdba
+    col "container" format a10
+    select b.name "CONTAINER", a.MASTERKEYID "MASTER ENCRYPTION KEY ID"
+      from v$database_key_info a join v$containers b on a.con_id = b.con_id
+      where b.name in ('CDB$ROOT');
+    exit;
+    </copy>
+    ```
+
+    ![Key Vault](./images/Screenshot_2025-10-07_23.41.30.png "Check the Master Encryption Key ID before a re-key")
+
+3. Execute a re-key operation without using the Key Vault password
+
+    ````
+    <copy>
+    sqlplus / as sysdba
+    ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE;
+    exit;
+    </copy>
+    ````
+
+    This command rotates the TDE master encryption keys for CDB$ROOT and PDB1.    
+
+    ![Key Vault](./images/Screenshot_2025-10-07_23.29.07.png "Execute a re-key operation without using the Key Vault password")
+
+4. Verify that the tablespace was re-keyed
+
+    ```
+    <copy>
+    sqlplus / as sysdba
+    col "container" format a10
+    select b.name "CONTAINER", a.MASTERKEYID "MASTER ENCRYPTION KEY ID"
+      from v$database_key_info a join v$containers b on a.con_id = b.con_id
+      where b.name in ('CDB$ROOT');
+    exit;
+    </copy>
+    ```
+
+    ![Key Vault](./images/Screenshot_2025-10-07_23.39.39.png "Verify that the tablespace was re-keyed")

database/advanced/key-vault-new/key-vault-Lab11.md

@@ -0,0 +1,97 @@
+# Bring your own key
+
+## Introduction
+You may want to bring an externally generated key, potentially with higher entropy, and manage it with Key Vault.
+
+Estimated Lab Time: 5 minutes
+
+### Objectives
+In this lab, you will upload an externally generated key to the Key Vault server, and activate it for the database.
+
+### Prerequisites
+This lab assumes you have completed lab 10.
+
+
+## Task 1: Generate a key external to Oracle Key Vault
+
+1.  Write your key to a file
+
+    In this example, we use openssl to generate TDE Master Encryption Key. You can use other means to generate this key.
+
+    ```
+    <copy>
+    openssl rand -hex 32 | tr '[:lower:]' '[:upper:]' > $DBSEC_LABS/okv/byok_aes256.txt
+    </copy>
+    ```
+
+
+## Task 2: Upload the key to Oracle Key Vault
+
+1.  Login to Key Vault as user **KVRESTADMIN**
+
+    Get the randonly generated password by executing this command
+
+    ```
+    <copy>
+    cat wui_passphrase
+    </copy>
+    ```
+
+    ![Key Vault](./images/Screenshot_2025-10-03_13.45.01.png "Login to Key Vault as the REST administrator")
+
+2. Click the **Keys & Wallets** tab and then click the **Keys & Secrets** tab
+
+    ![Key Vault](./images/Screenshot_2025-10-03_14.31.43.png "Click the Keys & Secrets tab")
+
+3. Click the **Create** button
+
+    ![Key Vault](./images/Screenshot_2025-10-03_14.37.46.png "Click the Create button")
+
+4. Click the **TDE Master Encryption Key** link
+
+    ![Key Vault](./images/Screenshot_2025-10-03_14.33.54.png "Click the TDE Master Encryption Key link")
+
+5. Click the **Bring Your Own Key** radio button and upload `byok_aes256.txt` file you had created above.
+
+    This will be located at `/home/oracle/DBSecLab/livelabs/okv/byok_aes256.txt`
+
+    ![Key Vault](./images/Screenshot_2025-10-03_14.38.50.png "Click the Bring Your Own Key radio button and upload byok_aes256.txt file you had created above")
+
+6. Click the **Select Wallet** button, choose the **LIVELABS\_DB\_WALLET** wallet from the pop-up, and click the **Close** button of the pop-up window
+
+    ![Key Vault](./images/Screenshot_2025-10-03_14.42.12.png "Click the Select Wallet button and choose the LIVELABS_DB_WALLET wallet")
+
+7. Copy the **Master Encryption Key Identifier** (at the top of this page)
+
+    ![Key Vault](./images/Screenshot_2025-10-03_14.44.02.png "Copy the Master Encryption Key Identifier")
+
+8. Click the **Create** button
+
+## Task 3: Activate the key in the database
+
+1. Activate the imported key (BYOK)
+
+    Note: The Master Encryption Key Identifier is the string you copied above in task 2 step 7
+    ````
+    <copy>
+    sqlplus / as sysdba
+    ADMINISTER KEY MANAGEMENT USE KEY '<Master Encryption Key Identifier>' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE;
+    exit;
+    </copy>
+    ````
+    ![Key Vault](./images/Screenshot_2025-10-08_12.10.54.png "Activate the imported key")
+
+2. Verify the key with the supplied master encryption key identifier was activated by the database
+
+    ```
+    <copy>
+    sqlplus / as sysdba
+    col "container" format a10
+    select b.name "CONTAINER", a.MASTERKEYID "MASTER ENCRYPTION KEY ID"
+      from v$database_key_info a join v$containers b on a.con_id = b.con_id
+      where b.name in ('CDB$ROOT');
+    exit;
+    </copy>
+    ```
+
+    ![Key Vault](./images/Screenshot_2025-10-08_12.12.47.png "Verify that the tablespace was re-keyed")