| Problem Statement |
TDE (Transparent Data Encryption) wallet creation and tablespace encryption were planned for a production database. However, during the wallet configuration process, the team encountered the following error: ORA-28374: typed master key not found in wallet
| Diagnosis |
The investigation began by checking the wallet status at both the OS and database levels:
SQL> select * from v$ENCRYPTION_WALLET;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE
--------- --------------------------- ---------- ------------- --------- --------
FILE /u01/app/ORCL/wallet/tde/ OPEN PASSWORD SINGLE NONE
SQL> !ls -lrth /ORACLE/app/SPPREDB/wallet/tde/
-rw------- 1 oracle oinstall 11K Jun 10 16:38 ewallet.p12
-rw------- 1 oracle oinstall 11K Jun 10 16:40 cwallet.sso
The wallet was confirmed to be properly created, in an open state, and accessible from both RAC nodes. To rule out runtime issues, the database instances were restarted one by one:
SQL> shut immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL>
SQL> startup;
ORACLE instance started.
Total System Global Area 2.1475E+10 bytes
Fixed Size 23149944 bytes
Variable Size 2751463424 bytes
Database Buffers 1.8656E+10 bytes
Redo Buffers 43958272 bytes
Database mounted.
Database opened.
SQL> select * from v$ENCRYPTION_WALLET;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE
--------- --------------------------- ---------- ------------- --------- --------
FILE /u01/app/ORCL/wallet/tde/ OPEN AUTOLOGIN SINGLE NONE
The wallet type changed from PASSWORD to AUTOLOGIN, as the team had created an autologin wallet before the restart. Despite the wallet being open, the SET KEY command continued to throw ORA-28374. The alert log revealed more detail:
KZTDE: Attempting TDE operation in PDB#=0: ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY * WITH BACKUP USING 'TDE'
KZTDE: Set Master Key: New MKID: Ab0UgeUKHk/vvzws1jfUAbYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
KZTDE:kztsmptc: Missing Key ID: AbU9zMN2M08dVskns8nsnoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
KZTDE:kztsmptc: keystore_type: 6, wallet_type: 1,wallet location: file:/u01/app/ORCL/wallet/tde/
This showed that while a new master key was being generated by SET KEY, a key ID that the database already expected to find (the "Missing Key ID" AbU9zMN2M08dVskns8nsno... logged above) was not present in the wallet.
Database-level queries provided further insight:
SQL> select key_id,creation_time from v$encryption_keys;
KEY_ID CREATION_TIME
------------------------------------------------------ -----------------------------------
Ab0UgeUKHk/vvzws1jfUAbYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. 10-JUN-25 11.08.02.975978 AM +00:00
SQL> select name,
            utl_raw.cast_to_varchar2(utl_encode.base64_encode('01' || substr(mkeyid, 1, 4))) ||
            utl_raw.cast_to_varchar2(utl_encode.base64_encode(substr(mkeyid, 5, length(mkeyid)))) masterkeyid_base64
       from (select t.name, rawtohex(x.mkid) mkeyid
               from v$tablespace t, x$kcbtek x
              where t.ts# = x.ts#);
NAME MASTERKEYID_BASE64
---------------------------------------- ------------------------------------------------------------
SYSTEM AbU9zMN2M08dVskns8n0=
SYSAUX AbU9zMN2M08dVskns8n0=
UNDOTBS1 AbU9zMN2M08dVskns8n0=
UNDOTBS2 AbU9zMN2M08dVskns8n0=
USERS AQAAAAAAAAAAAAAAAAAA=
DATA1 AQAAAAAAAAAAAAAAAAAA=
INDEX1 AQAAAAAAAAAAAAAAAAAA=
DATA2 AQAAAAAAAAAAAAAAAAAA=
INDEX2 AQAAAAAAAAAAAAAAAAAA=
All default tablespaces (e.g., SYSTEM, SYSAUX, UNDOTBS1) were using a different key ID (AbU9zMN2M08dVskns8n0=) than the one present in the wallet (Ab0UgeUK...). This mismatch was the root cause of the error.
[oracle@ORCLHOST ~]$ orapki wallet display -wallet /u01/app/ORCL/wallet/tde/
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.Ab0UgeUKHk/vvzws1jfUAbYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
Trusted Certificates:
As shown above, the required key is not present in the current wallet, which explains the occurrence of the ORA-28374 error. This raised the question: how could the key be missing if we had just created a new wallet? We consulted with the customer to check whether a wallet had ever been created for this database, but they confirmed this was their first attempt. Given the nature of the error and the symptoms observed, it strongly suggested that either a key or a previous wallet was missing. To investigate further, we decided to verify within the database whether there was any indication of a previously created wallet. After reviewing Oracle documentation, we found a query that helps determine if an older wallet had ever existed.
SQL> select mkloc from x$kcbdbk;
MKLOC
----------
1
The value mkloc = 1 confirmed that a wallet had been created in the past but was now missing. Since the customer had only created that wallet and had not performed any tablespace or table-level encryption, the database raised no errors until now. We advised the customer to review historical records and check whether any old wallet backups existed. After exploring the available options, they located a very old wallet, approximately two years old. We decided to test whether this wallet contained the missing key. The wallet was copied to the server and examined with the orapki command.
[oracle@ORCLHOST ~]$ orapki wallet display -wallet /tmp/tde/
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AbU9zMN2M08dVskns8nsnoYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
Trusted Certificates:
Great! We found the key.
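The comparison carried out above by hand (x$kcbtek MKID per tablespace versus the ORACLE.SECURITY.DB.ENCRYPTION entries in each wallet) can be scripted. The following is an added example and not part of the original write-up; it assumes the key ID layout implied by the values above (base64 of 0x01 followed by the 16-byte MKID and zero padding to 39 bytes) and treats an all-zero MKID as "never encrypted", and it uses constructed input copied from the diagnosis.

```python
import base64
import re

# Constructed sample input (values taken from the diagnosis above):
# RAWTOHEX(x$kcbtek.mkid) per tablespace. An all-zero MKID is assumed to mean
# the tablespace has never been encrypted (the AQAAAAAA... rows above).
TABLESPACE_MKIDS = {
    "SYSTEM":   "B53DCCC376334F1D56C927B3C9EC9E86",
    "SYSAUX":   "B53DCCC376334F1D56C927B3C9EC9E86",
    "UNDOTBS1": "B53DCCC376334F1D56C927B3C9EC9E86",
    "USERS":    "00000000000000000000000000000000",
}
# Constructed 'orapki wallet display' excerpts: the current wallet and the old one.
CURRENT_WALLET = """Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.Ab0UgeUKHk/vvzws1jfUAbYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
"""
OLD_WALLET = """Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AbU9zMN2M08dVskns8nsnoYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
"""

def mkid_to_key_id(mkid_hex):
    """Render a 16-byte MKID as v$encryption_keys.KEY_ID shows it (assumed layout):
    base64(0x01 || MKID || 22 zero bytes) -> 52 characters. The 0x01 is the '01'
    the SQL above prepends before base64-encoding."""
    raw = bytes.fromhex(mkid_hex)
    if len(raw) != 16:
        raise ValueError("MKID must be 16 bytes")
    return base64.b64encode(b"\x01" + raw + b"\x00" * 22).decode("ascii")

def key_id_mkid(key_id):
    """Recover the MKID (hex, upper case) from a wallet/v$encryption_keys key ID.
    A trailing partial base64 group (wrapped or cut display output) is dropped;
    it only ever carries zero padding."""
    raw = base64.b64decode(key_id[: len(key_id) // 4 * 4])
    return raw[1:17].hex().upper()

def wallet_mkids(display_output):
    """MKIDs of every ORACLE.SECURITY.DB.ENCRYPTION.<key id> entry (MASTERKEY excluded)."""
    pattern = r"ORACLE\.SECURITY\.DB\.ENCRYPTION\.(\S+)"
    return {key_id_mkid(k) for k in re.findall(pattern, display_output) if k != "MASTERKEY"}

def audit(tablespace_mkids, display_output):
    """Return {tablespace: 'unencrypted' | 'key present' | 'key missing'} for one wallet."""
    present = wallet_mkids(display_output)
    result = {}
    for ts, mkid in tablespace_mkids.items():
        if set(mkid) == {"0"}:
            result[ts] = "unencrypted"
        else:  # 'key missing' is the state that produces ORA-28374
            result[ts] = "key present" if mkid.upper() in present else "key missing"
    return result
```

Running audit() against both wallets reproduces the finding above: every encrypted default tablespace reports "key missing" for the current wallet and "key present" for the old one.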
| Solution |
We identified the missing key that the wallet was expecting. By merging the old wallet (copied to a temporary location) with the current wallet, the issue was resolved. Following the merge, the SET KEY command and tablespace encryption operations executed successfully.
[oracle@ORCLHOST ~]$ orapki wallet merge -wallet /tmp/tdet -walletdir /u01/app/ORCL/wallet/tde -pwd Password
[oracle@ORCLHOST ~]$ orapki wallet display -wallet /u01/app/ORCL/wallet/tde
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.Ab0UgeUKHk/vvzws1jfUAbYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AbU9zMN2M08dVskns8nsnoYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
Trusted Certificates:
| Closing Remarks |
This incident highlights that once a TDE wallet is created, even if no encryption is performed immediately, the original wallet must be retained. Removing or replacing the wallet without preserving the associated keys can lead to ORA-28374 and block all further encryption operations.
Maintaining proper backup and version control of TDE wallets is essential for long-term database encryption support.
