How to Recover a Forgotten Oracle Database TDE (Transparent Data Encryption) Wallet Password

Article Summary

Lost your Oracle TDE wallet password? Follow this step-by-step DBA guide to recover and reset your TDE keystore without losing encrypted data.

Losing access to your Oracle TDE wallet password can feel like a database disaster — but it doesn’t have to be the end of the road. In this step-by-step guide, we’ll walk you through how to recover or reset a forgotten Oracle Transparent Data Encryption (TDE) wallet password without losing your encrypted data.

What Is Oracle TDE and Why Does the Wallet Password Matter?

Oracle Transparent Data Encryption (TDE) encrypts data at rest, whole tablespaces or individual columns, so that anyone who reads the datafiles, backups or storage directly sees only ciphertext. The TDE master encryption key lives in a keystore (the "wallet"): ewallet.p12 holds it protected by the wallet password, and an optional auto-login copy, cwallet.sso, holds it in a form the database can open without any password.

If the password is lost you can no longer administer the keystore: open it after a restart when there is no auto-login wallet, rekey, export or back up keys, or change the password. If the auto-login wallet is missing or damaged as well, the encrypted data is unreadable. The procedure below works only because an intact auto-login wallet can still be opened without the password, so its keys can be merged into a new password-protected keystore. The flip side is that anyone with read access to cwallet.sso can do exactly the same, which is why the wallet directory must be readable by the Oracle software owner alone.

Key TDE Wallet Files

File          Purpose
ewallet.p12   Password-protected PKCS#12 keystore holding the TDE master keys; required for every key administration operation
cwallet.sso   Auto-login keystore generated from ewallet.p12; the database opens it at startup without a password, so file permissions are its only protection

Important: Always know the location of your wallet directory. It is set in sqlnet.ora (ENCRYPTION_WALLET_LOCATION) or, from 18c onwards, by the WALLET_ROOT and TDE_CONFIGURATION initialization parameters; the WRL_PARAMETER column of v$encryption_wallet shows the path the running instance is actually using.

Prerequisites Before You Begin

  • OS-level access to the database server as the Oracle software owner
  • SYSDBA privileges in SQL*Plus
  • Oracle tools mkstore and orapki available in $ORACLE_HOME/bin
  • Database must be running and accessible
  • v$encryption_wallet currently shows STATUS = OPEN and WALLET_TYPE = AUTOLOGIN: the merge in Step 3 reads the old keystore through cwallet.sso, so without a working auto-login wallet there is nothing to merge from

Step-by-Step: Recover/Reset TDE Wallet Password

Step 1: Take a Backup of Current DB Wallet Files

cd <DB-TDE-WALLET-LOCATION>
cp ewallet.p12 ewallet.p12.bkp
cp cwallet.sso cwallet.sso.bkp

Output:

[oracle@dbserver tde-wallet]$ ls -lh

-rw------- 1 oracle oinstall 5.3K May 10 08:12 cwallet.sso
-rw------- 1 oracle oinstall 5.3K May 10 08:12 cwallet.sso.bkp
-rw------- 1 oracle oinstall 4.8K May 10 08:12 ewallet.p12
-rw------- 1 oracle oinstall 4.8K May 10 08:12 ewallet.p12.bkp

Best Practice: Store backups in a separate secure location, not on the same server, and never alongside the database backups: a backup set that contains both the ciphertext and the key that decrypts it is not encrypted in any useful sense.
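The pre-flight check and the backup of Step 1 as one small script, added here as an example and not taken from the original article. It assumes Linux with GNU coreutils (stat -c and sha256sum, with BSD stat and shasum as fallbacks), that the wallet directory is the one v$encryption_wallet reports, and that the backup destination lies outside that directory; tde_preflight, tde_backup and file_mode are names chosen for this example. The check insists on cwallet.sso being present, because the merge in Step 3 can only read the old keystore through its auto-login wallet, and on owner-only permissions, because that wallet opens without a password.

```shell
#!/bin/sh
# Added example: pre-flight check and verified backup of a TDE wallet directory.
# Assumes GNU coreutils; falls back to BSD stat / shasum where they differ.

command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

file_mode() {
    # Octal permission bits of a file, e.g. 600 (GNU stat first, BSD stat second).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# tde_preflight DIR
#   0: usable for the merge procedure
#   1: ewallet.p12 missing
#   2: cwallet.sso missing (no password and no auto-login wallet: nothing to merge from)
#   3: a wallet file is readable by group or other
tde_preflight() {
    dir=$1
    [ -f "$dir/ewallet.p12" ] || { echo "preflight: $dir/ewallet.p12 not found" >&2; return 1; }
    [ -f "$dir/cwallet.sso" ] || {
        echo "preflight: $dir/cwallet.sso not found; the forgotten-password path needs the auto-login wallet" >&2
        return 2
    }
    for f in "$dir/ewallet.p12" "$dir/cwallet.sso"; do
        mode=$(file_mode "$f")
        case $mode in
            600|400) ;;
            *) echo "preflight: $f has mode $mode; cwallet.sso opens without a password, fix with chmod 600" >&2
               return 3 ;;
        esac
    done
    return 0
}

# tde_backup DIR DEST
# Copies both wallet files into DEST/tde-wallet-<timestamp>/ with owner-only permissions,
# records their SHA-256 as computed on the SOURCE files, verifies the copies against that
# manifest and prints the backup path. DEST must never sit beside the RMAN backups.
tde_backup() (
    dir=$1
    dest=$2
    umask 077
    target="$dest/tde-wallet-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$target" || exit 1
    cp -p "$dir/ewallet.p12" "$dir/cwallet.sso" "$target/" || exit 1
    ( cd "$dir" && sha256sum ewallet.p12 cwallet.sso ) > "$target/MANIFEST.sha256" || exit 1
    ( cd "$target" && sha256sum -c --quiet MANIFEST.sha256 ) || exit 1
    printf '%s\n' "$target"
)

# Typical use (paths are placeholders):
#   tde_preflight /u01/tde-wallet && tde_backup /u01/tde-wallet /mnt/offhost-secure
```

Run it before touching anything: a non-zero exit from tde_preflight means the procedure in this article does not apply as written, and the manifest written by tde_backup is what you compare against when you later need to trust the copy.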

Step 2: Connect to the Database and Create a New TDE Wallet/Keystore

The target directory must already exist, be owned by the Oracle software owner and be mode 0700; Oracle will not create it for you.

sqlplus / as sysdba
SQL> administer key management create keystore '/u01/tde-test'
     identified by "<NEW-WALLET-PASSWORD>";

Output:

keystore altered.

Verify the new keystore file exists:

[oracle@dbserver ~]$ ls -lh /u01/tde-test/

-rw------- 1 oracle oinstall 2.1K May 10 08:15 ewallet.p12

Step 3: Merge Existing Keys into the New Wallet

No IDENTIFIED BY clause is given for the source keystore, so Oracle opens it through its auto-login wallet (cwallet.sso); a source without an auto-login wallet would need IDENTIFIED BY "<OLD-WALLET-PASSWORD>", which is exactly what is missing. The password in the statement is the one for the target keystore created in Step 2.

SQL> administer key management merge keystore '<CURRENT_TDE_WALLET_LOCATION>'
     into existing keystore '/u01/tde-test'
     identified by "<NEW-WALLET-PASSWORD>" with backup;

Output:

keystore altered.

WITH BACKUP backs up the keystore that is about to be modified, that is the target in /u01/tde-test, not the source. Verify the backup file was created there:

[oracle@dbserver tde-test]$ ls -lh /u01/tde-test/

-rw------- 1 oracle oinstall 4.8K May 10 08:20 ewallet.p12
-rw------- 1 oracle oinstall 2.1K May 10 08:20 ewallet_2024051008200.p12.bkp

Warning: Do NOT skip the with backup clause. It is the only copy of the target keystore as it was before the merge rewrote it, and it lets you repeat the merge cleanly if Step 4 turns up missing keys.

Step 4: Validate Using orapki and mkstore

Both tools prompt for the wallet password of /u01/tde-test (the new one). Let them prompt rather than passing -pwd on the command line, which would leave the password in the process list and shell history:

mkstore -wrl /u01/tde-test -list
orapki wallet display -wallet /u01/tde-test

Output from mkstore -list:

Oracle Secret Store Tool Release 19.0.0.0.0

Enter wallet password:

Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.Ab3Xk9mNpQr2sT4uVwYz1AA

Output from orapki wallet display:

Oracle PKI Tool Release 19.0.0.0.0

Requested Certificates:
User Certificates:
Oracle Secret Store entries:
  ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
  ORACLE.SECURITY.DB.ENCRYPTION.Ab3Xk9mNpQr2sT4uVwYz1AA

If a master key is missing from either output, do not proceed; re-check the merge step. Compare the ORACLE.SECURITY.DB.ENCRYPTION.<key id> entries against those of the old keystore, not just the MASTERKEY pointer: every id the old keystore held must be present in the new one, because backups taken while an earlier master key was active can only be restored with that key.
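The comparison just described, as an added example that is not from the article: it parses two keystore listings and refuses to pass unless every master-key id of the old keystore also appears in the new one. The listings embedded below are constructed, not real tool output. The example assumes that orapki wallet display prints one ORACLE.SECURITY.DB.ENCRYPTION.<id> line per master key and that, for the old directory, it reads the auto-login wallet when no password is supplied (if it prompts, type the password; do not use -pwd); key_ids, list_keystore, verify_merge and demo are names chosen here.

```shell
#!/bin/sh
# Added example: confirm the merged keystore contains every master key of the old one.

# key_ids: read a keystore listing on stdin, print the sorted set of master-key ids.
# The MASTERKEY entry is a pointer to the currently active key, not a key, so it is dropped.
key_ids() {
    sed -n 's/^[[:space:]]*ORACLE\.SECURITY\.DB\.ENCRYPTION\.\([^[:space:]]*\).*$/\1/p' |
        grep -v '^MASTERKEY$' | sort -u
}

# list_keystore DIR > file : real listing via orapki (assumed behaviour, see lead-in).
list_keystore() {
    orapki wallet display -wallet "$1"
}

# verify_merge OLD_LISTING NEW_LISTING
#   0 if every key id in OLD appears in NEW, 1 if any is missing, 2 if OLD lists no keys.
verify_merge() {
    old_ids=$(key_ids < "$1")
    new_ids=$(key_ids < "$2")
    [ -n "$old_ids" ] || { echo "verify_merge: no master keys in $1; wrong directory or unreadable wallet" >&2; return 2; }
    rc=0
    for id in $old_ids; do
        if ! printf '%s\n' "$new_ids" | grep -qxF -- "$id"; then
            echo "verify_merge: key $id is in the old keystore but not in the new one" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "verify_merge: all $(printf '%s\n' "$old_ids" | wc -l | tr -d ' ') master keys present"
    return $rc
}

# Constructed listings (the key ids are made up) standing in for orapki output.
OLD_LISTING='Oracle PKI Tool Release 19.0.0.0.0
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
  ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
  ORACLE.SECURITY.DB.ENCRYPTION.AQkq1Zz8N0+Av1wWgF7TOJ4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  ORACLE.SECURITY.DB.ENCRYPTION.AV5pS5t8XEXqV7iX0zN7kHgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
NEW_LISTING="$OLD_LISTING"

# demo: run the comparison on the constructed listings (real use: list_keystore DIR > file).
demo() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$OLD_LISTING" > "$old"
    printf '%s\n' "$NEW_LISTING" > "$new"
    verify_merge "$old" "$new"; rc=$?
    rm -f "$old" "$new"
    return $rc
}
```

In real use, capture list_keystore for the old wallet directory and for /u01/tde-test into two files and pass them to verify_merge; a non-zero exit is the signal to stop and repeat Step 3 from the backup rather than to continue to Step 5.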

Step 5: Replace Wallet Files and Reopen with New Password

Retire the old auto-login wallet first, so the database cannot quietly reopen the old keystore while you are swapping files:

cd <DB-TDE-WALLET-LOCATION>
mv cwallet.sso cwallet.sso_old

Close the keystore from inside the database (an auto-login keystore closes without a password):

sqlplus / as sysdba
SQL> administer key management set keystore close container=all;
SQL> select INST_ID, WRL_TYPE, STATUS, WALLET_TYPE
     from gv$encryption_wallet;

Output:

keystore altered.

INST_ID  WRL_TYPE  STATUS   WALLET_TYPE
-------  --------  -------  -----------
      1  FILE      CLOSED   UNKNOWN

Replace the wallet file:

cd <DB-TDE-WALLET-LOCATION>
mv ewallet.p12 ewallet.p12_old
cp /u01/tde-test/ewallet.p12 <DB-TDE-WALLET-LOCATION>

Open the keystore with the new password:

SQL> administer key management set keystore open
     identified by "<NEW-WALLET-PASSWORD>" container=all;
SQL> select INST_ID, WRL_TYPE, STATUS, WALLET_TYPE
     from gv$encryption_wallet;

Output:

keystore altered.

INST_ID  WRL_TYPE  STATUS  WALLET_TYPE
-------  --------  ------  -----------
      1  FILE      OPEN    PASSWORD

Step 6: Create a New Auto-Login Wallet

SQL> administer key management create AUTO_LOGIN keystore
     from keystore '<DB-TDE-WALLET-LOCATION>'
     identified by "<NEW-WALLET-PASSWORD>";

Output:

keystore altered.

Close the password-based keystore; with the new cwallet.sso now beside it, the database reopens the keystore in auto-login mode:

SQL> administer key management set keystore close
     identified by "<NEW-WALLET-PASSWORD>" container=all;

Output:

keystore altered.

Final verification — auto-login must be active:

SQL> select INST_ID, WRL_TYPE, STATUS, WALLET_TYPE
     from gv$encryption_wallet;

Output:

INST_ID  WRL_TYPE  STATUS  WALLET_TYPE
-------  --------  ------  -----------
      1  FILE      OPEN    AUTOLOGIN

WALLET_TYPE = AUTOLOGIN confirms the new auto-login wallet is working correctly. The recovery is complete.
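Steps 2 through 6 as one shell driver, added here as an example and not taken from the article: every ADMINISTER KEY MANAGEMENT call is followed by a check of gv$encryption_wallet, and the script stops at the first step whose expected state does not appear instead of leaving the keystore half switched. It assumes sqlplus on the PATH with OS authentication as SYSDBA and ORACLE_SID exported, a united-mode CDB (hence container=all), the new wallet password supplied in the TDE_NEW_PW environment variable rather than on a command line, and the wallet paths in WALLET_DIR and NEW_KEYSTORE; parse_wallet_state, query_wallet_state, expect_state, run_sql, build_keystore and switch_over are names chosen here. Nothing runs until RUN_TDE_RECOVERY=1 is set, so the file can also be sourced to use the pieces one at a time.

```shell
#!/bin/sh
# Added example: drive Steps 2-6 and verify the keystore state after every step.
# Runs nothing unless RUN_TDE_RECOVERY=1; see the lead-in for the assumptions.

# parse_wallet_state: from sqlplus rows "inst_id wrl_type status wallet_type" on stdin,
# print "STATUS WALLET_TYPE" of the first FILE keystore row.
parse_wallet_state() {
    awk '$2 == "FILE" { print $3, $4; exit }'
}

query_wallet_state() {
    sqlplus -s / as sysdba <<'EOF' | parse_wallet_state
set pagesize 0 feedback off heading off
select inst_id, wrl_type, status, wallet_type from gv$encryption_wallet;
exit
EOF
}

# expect_state "STATUS WALLET_TYPE": 0 if the database reports exactly that, else 1.
expect_state() {
    actual=$(query_wallet_state)
    [ "$actual" = "$1" ] && return 0
    echo "expected keystore state '$1' but gv\$encryption_wallet shows '$actual'; stopping here" >&2
    return 1
}

# run_sql STATEMENT: run one statement as SYSDBA; any SQL error fails the step.
# The password travels inside the statement on sqlplus's stdin, never in argv.
run_sql() {
    sqlplus -s / as sysdba <<EOF
whenever sqlerror exit failure
set feedback on
$1
exit
EOF
}

# Steps 2 and 3: new password-protected keystore, then merge the old keys into it.
# No IDENTIFIED BY is given for the old keystore, so Oracle reads it through cwallet.sso.
build_keystore() {
    run_sql "administer key management create keystore '$NEW_KEYSTORE' identified by \"$TDE_NEW_PW\";" &&
    run_sql "administer key management merge keystore '$WALLET_DIR' into existing keystore '$NEW_KEYSTORE' identified by \"$TDE_NEW_PW\" with backup;"
}

# Steps 5 and 6: retire the old auto-login wallet, swap the files, reopen with the new
# password, recreate the auto-login wallet and confirm it took over.
switch_over() {
    mv "$WALLET_DIR/cwallet.sso" "$WALLET_DIR/cwallet.sso_old" || return 1
    run_sql "administer key management set keystore close container=all;" || return 1
    expect_state "CLOSED UNKNOWN" || return 1
    mv "$WALLET_DIR/ewallet.p12" "$WALLET_DIR/ewallet.p12_old" || return 1
    cp -p "$NEW_KEYSTORE/ewallet.p12" "$WALLET_DIR/ewallet.p12" || return 1
    chmod 600 "$WALLET_DIR/ewallet.p12"
    run_sql "administer key management set keystore open identified by \"$TDE_NEW_PW\" container=all;" || return 1
    expect_state "OPEN PASSWORD" || return 1
    run_sql "administer key management create auto_login keystore from keystore '$WALLET_DIR' identified by \"$TDE_NEW_PW\";" || return 1
    run_sql "administer key management set keystore close identified by \"$TDE_NEW_PW\" container=all;" || return 1
    expect_state "OPEN AUTOLOGIN"
}

if [ "${RUN_TDE_RECOVERY:-0}" = 1 ]; then
    : "${WALLET_DIR:?}" "${NEW_KEYSTORE:?}" "${TDE_NEW_PW:?}"
    # Refuse to start unless the old keystore is open through its auto-login wallet.
    expect_state "OPEN AUTOLOGIN" && build_keystore && switch_over
fi
```

Run the Step 4 key comparison between build_keystore and switch_over before setting RUN_TDE_RECOVERY=1 for the whole thing, or call the two functions separately from a shell that has sourced the file; the state checks are what turn "keystore altered." into evidence that the step actually did what the article says it does.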

Post-Recovery Checklist

  • v$encryption_wallet shows STATUS = OPEN and WALLET_TYPE = AUTOLOGIN
  • Restart the database and confirm the wallet opens automatically without a password prompt
  • Test access to encrypted tablespaces or columns, and restore-test a backup taken before the recovery
  • Delete the old .bkp and _old files once everything is confirmed stable; they hold the same master keys as the live wallet, so every lingering copy widens the exposure. Keep the off-host backup from Step 1 until the new wallet has been backed up the same way
  • Save the new wallet password in your organization's secrets vault (CyberArk, HashiCorp Vault, etc.) and confirm that a second person can retrieve it

Pro Tips from the Field

  • Never store the TDE wallet password only in your head. Use an enterprise password manager or secrets vault, with at least two people able to retrieve it.
  • Back up the wallet after every key operation, separately from the RMAN backups: RMAN does not back up the keystore, and a backup that bundles the keystore with the encrypted datafiles defeats the encryption.
  • In Oracle 19c+, consider Oracle Key Vault (OKV) for centralized key management; the keys then live in an audited, backed-up service rather than in a file whose password one DBA remembers.
  • RAC environments: synchronize the new wallet and SSO files across all nodes after replacing them, unless the wallet directory is on shared storage.
  • Multitenant (CDB/PDB): run the statements from CDB$ROOT with container=all so the change reaches every PDB; PDBs configured in isolated mode have their own keystore and must be handled separately.

Conclusion

Recovering from a forgotten Oracle TDE wallet password is achievable without data loss, as long as the keystore is still open through its auto-login wallet and you follow the merge approach carefully. The key is methodical execution: back up first, merge the keys, validate, then switch over.

If the wallet is already CLOSED or NOT_AVAILABLE before you begin and no auto-login wallet exists, there is nothing for the merge to read. Engage Oracle Support immediately, and be aware that Oracle cannot open a password-protected keystore without its password: without it, or a backup of a wallet that can still be opened, the encrypted data stays encrypted.

Have questions or run into an issue at a specific step? Drop a comment below — our DBA community is here to help.


Written by

W3buddy