When you clone a PDB, you must make the master encryption key of the source PDB available to the cloned PDB. This allows a cloned PDB to operate on the encrypted data. To perform the clone, you do not need to export and import the keys because Oracle Database transports the keys for you even if the cloned PDB is in a remote CDB. However, you will need to provide the keystore password of the CDB where you are creating the clone. This statement is not fully true if the source PDB does not have its own master key.
When cloning a PDB within the same CDB, the master key of the source is used for the target. If a rekey (generating a new master key) is not done on the target PDB after the clone operation is complete, the target PDB will continue to use the master key that belongs to the original (source) PDB. Now, if you perform a clone of the new (previously cloned) PDB to a remote CDB, there is a good chance the clone operation will fail with "ORA-00283: recovery session canceled due to errors". This is expected behavior.
The error message:
[code lang="sql"]
SQL> create pluggable database REMOTE_CLONE from PDB2@L1 KEYSTORE IDENTIFIED BY "*******";
create pluggable database REMOTE_CLONE from PDB2@L1 KEYSTORE IDENTIFIED BY "*******"
*
ERROR at line 1:
ORA-00283: recovery session canceled due to errors
ORA-28374: typed master key not found in wallet
[/code]
When the newly cloned PDB does not have its own master keys, there are no records in the V$ENCRYPTION_KEYS dynamic performance view.
Performing a rekey operation of the master encryption key ensures that the newly cloned PDB uses its own unique keys, which will be visible in the V$ENCRYPTION_KEYS view. As I see it, there are three scenarios:
In the Oracle documentation, the steps under "Cloning a PDB with Encrypted Data in a CDB in United Mode" say to perform a rekey of the master key for a cloned PDB. But there is no warning note about cloning a PDB to a remote CDB when the source PDB does not have its own master key.
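The check and rekey described above, written out as an added example (not from the original post or from Oracle's documentation), to run in the source CDB before attempting the remote clone. PDB2 is the source PDB from the error output above; the tag text is an assumption and the keystore password is masked as on this page.

```sql
-- Added example: pre-flight check before cloning PDB2 to a remote CDB.
-- Connect to the source CDB as a user with SYSKM or ADMINISTER KEY MANAGEMENT.

-- 1. Switch into the PDB that will be the source of the remote clone.
ALTER SESSION SET CONTAINER = PDB2;

-- 2. Confirm the keystore is usable from this container (STATUS should be OPEN).
SELECT wrl_type, status, wallet_type
FROM   v$encryption_wallet;

-- 3. Does this PDB have its own master key?
--    No rows means it is still running on the key inherited from the PDB
--    it was cloned from, which is the condition behind ORA-28374 above.
SELECT key_id, tag, creator_pdbname, activating_pdbname, activation_time
FROM   v$encryption_keys
ORDER  BY activation_time;

-- 4. If step 3 returned no rows, rekey so the PDB gets its own master key.
--    FORCE KEYSTORE opens the password-protected keystore for this operation
--    if it is closed or only the auto-login keystore is open.
--    WITH BACKUP takes a keystore backup before the new key is written.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'PDB2 own master key'   -- tag text is an assumption
  FORCE KEYSTORE
  IDENTIFIED BY "*******"           -- keystore password of this CDB
  WITH BACKUP;

-- 5. Re-run the query from step 3. It should now return a row for the new key.
SELECT key_id, tag, creator_pdbname, activating_pdbname, activation_time
FROM   v$encryption_keys
ORDER  BY activation_time;
```

Only after step 5 returns a key for this PDB is it worth retrying the `create pluggable database ... from PDB2@L1` statement on the remote CDB.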