1):
select * from v$encryption_wallet;

sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
      (SOURCE =
         (METHOD = FILE)
          (METHOD_DATA = (DIRECTORY = /u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID})))

# chmod -R 700 /u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}

-- or for windows
ENCRYPTION_WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = E:\oracle\%ORACLE_UNQNAME%)))

# If the wallet location is not defined in sqlnet.ora, then looking the following default location

$ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet
$ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet

-- Find your current wallet location using the following query
SELECT * FROM V$ENCRYPTION_WALLET;  

-- create and open wallet
-- 10g ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "mypassword";

-- 11g ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "mypassword";

# This will create a wallet file ewallet.p12 and will also add the TDE master key to it.
# if it doesn't already exist in the location specified in the local sqlnet.ora file 

notes 1: for security reason, you can change the permission on the wallet file
chmod 600 ewallet.p12

notes 2: Using the following command to change the wallet password
orapki wallet change_pwd -wallet

-- Find your current wallet location and status using the following query
SELECT * FROM V$ENCRYPTION_WALLET;  

-- create encrypted tablespace
CREATE TABLESPACE usersenc DATAFILE '/u01/app/oracle/oradata/orcl/orclusersenc01.dbf' SIZE 100M
   ENCRYPTION DEFAULT STORAGE (ENCRYPT);

-- or
create tablespace usersenc datafile '/u03/oracle/data/orcl/orclusersenc01.dbf' size 1M 
autoextend on next 1M encryption using 'AES128' default storage (encrypt);

-- verify encryption is on for this tablespace
select TABLESPACE_NAME,ENCRYPTED from dba_tablespaces where TABLESPACE_NAME = 'USERSENV';

-- list tablespace name which has encryption turned on
select TABLESPACE_NAME,ENCRYPTED from dba_tablespaces where ENCRYPTED = 'YES';

-- Test 1: for table data
create table test_users tablespace usersenc as select username from dba_users;
select * from test_users

-- when the wallet is not open
1): select status from v$encryption_wallet; ( Will show closed )

2): select * from test_users; ( will show error )

-- Test 2: TDE can also be used for rman backup
RMAN> connect target /
RMAN> set encryption on;
RMAN> backup [as compressed backupset] database;

-- Manually Close and/or Reopen the Wallet

# close the wallet
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "orcl_test1234";

# reopen
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "orcl_test1234";

# error when putting the wrong password
alter system set wallet open identified by "orcl_test_wrong_password";
--> ORA-28353: failed to open wallet

2):
-- Setup Autologin Wallet 

cd /u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}
orapki wallet create -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}"

orapki wallet create -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}" -auto_login_local

# or put the password in command line
orapki wallet create -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}" -pwd "mypassword" -auto_login_local

-- It will create auto the cwallet.sso file, in addition to the existing ewallet.p12 file

3): reopen a wallet
-- 10g: ALTER SYSTEM SET ENCRYPTION WALLET OPEN AUTHENTICATED BY "myPassword";

-- 11g: ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "mypassword";

-- close a wallet: ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

4): view wallet
# normal time, should not use password: 
orapki wallet display -wallet /u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}

orapki wallet display -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}" -pwd "mypassword"

5):
sudo chattr -i *wallet*               <== to unlock (mutable - able to change)
orapki wallet create -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}" -pwd "mypassword" -auto_login_local
sudo chattr +i *wallet*               <== to lock (immutable) - not changeable)

6):
lsattr *wallet*
sudo chattr -i *wallet*               <== to unlock (mutable - able to change)
sudo chown oracle:dba *wallet*
sudo chattr +i *wallet*               <== to lock (immutable) - not changeable)

7):
change wallet password: ( need XWindow)
owm

8):
SET LINESIZE 100
COLUMN owner FORMAT A15
COLUMN tble_name FORMAT A15
COLUMN column_name FORMAT A15

SELECT * FROM dba_encrypted_columns;

1): sqlnet.ora
mkdir -p /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore

ENCRYPTION_WALLET_LOCATION =
  (SOURCE =(METHOD = FILE)(METHOD_DATA =
    (DIRECTORY = /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore/)

2): in sqlplus
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/${ORACLE_SID}/encryption_keystore/' IDENTIFIED BY mypassword;

HOST ls -l /u01/app/oracle/admin/${ORACLE_SID}/encryption_keystore/

3):
-- Open
-- non-cdb ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY mypassword;
-- cdb     ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY mypassword CONTAINER=ALL;

-- Close
-- non-cdb ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY mypassword;
-- cdb     ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY mypassword CONTAINER=ALL;

-- create
-- non-cdb ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY mypassword WITH BACKUP;
-- cdb     ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY mypassword WITH BACKUP CONTAINER=ALL;

set linesize 200 trimspool on
SELECT con_id, key_id FROM v$encryption_keys;

set linesize 200 trimspool on
column wrl_parameter FORMAT A50
SELECT * FROM v$encryption_wallet;

4): export key
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "mysecretexportpassword" TO '/tmp/export.p12' IDENTIFIED BY mytdepassword;

5): import key
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "mypassword";
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "mysecretexportpassword" FROM '/tmp/export.p12' IDENTIFIED BY "mypassword" WITH BACKUP;

6): autologin key
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/oracle/admin/$ORACLE_HOME/encryption_keystore/' IDENTIFIED BY mypassword;