Oracle 19c: Wallet Issue When Adding Datafile in Newly Created PDB (ORA-28374)
Overview:
While creating a new Pluggable Database (PDB) in Oracle 19c and attempting to add a datafile/tempfile, DBAs may encounter the error:
ORA-28374: typed master key not found in wallet
This blog explains:
Why this error occurs
How to diagnose it
The correct fix using Oracle Key Management commands
Environment Details
Oracle Version: 19c (19.28)
Edition: Standard Edition 2
Storage: ASM (+DATA)
Security: TDE enabled with auto-login wallet
sqlplus / as sysdba
Check existing PDBs:
SQL> SHOW PDBS;
CON_ID CON_NAME OPEN MODE
------ ----------- ----------
2 PDB$SEED READ ONLY
3 PREPROD READ WRITE
Step 1: Create a New PDB
SQL> CREATE PLUGGABLE DATABASE UAT ADMIN USER Admin IDENTIFIED BY DEV2012Sugu#Q;
Open the PDB:
SQL> ALTER PLUGGABLE DATABASE UAT OPEN READ WRITE;
SQL> ALTER SESSION SET CONTAINER = UAT;
Step 2: Error While Adding Tempfile
❌ Error:
ORA-28374: typed master key not found in wallet
Step 3: Diagnose Wallet Status
SQL> SELECT * FROM v$encryption_wallet;
Output:
STATUS : OPEN_NO_MASTER_KEY
WALLET_TYPE : AUTOLOGIN
CON_ID : 5 (UAT PDB)
Key Observation
Wallet is open
Master Encryption Key is missing
This is common for newly created PDBs
Root Cause
When a new PDB is created:
The wallet opens automatically
❌ But no TDE master key is generated for the PDB
Any encrypted operation (tablespace, tempfile, datafile) fails
Step 4: Create a TDE Master Key for the PDB
Create Encryption Key:
SQL> ADMINISTER KEY MANAGEMENT CREATE ENCRYPTION KEY USING TAG 'UAT_rekey' FORCE KEYSTORE IDENTIFIED BY "DEV2012Sugu#Q" WITH BACKUP USING 'UAT_rekey';
Check key creation:
SQL> SELECT key_id FROM v$encryption_keys WHERE tag = 'UAT_rekey';
Step 5: Activate the Encryption Key
SQL> ADMINISTER KEY MANAGEMENT USE ENCRYPTION KEY 'Ad+0E2RijU+iv9Xur6AYQWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' FORCE KEYSTORE IDENTIFIED BY "DEV2012Sugu#Q" WITH BACKUP;
💡 This step associates the key with the PDB
Step 6: Verify Wallet Again
SQL> SELECT * FROM v$encryption_wallet;
Even if it still shows OPEN_NO_MASTER_KEY, Oracle internally now has a usable key for the PDB.
Step 7: Retry Tablespace Creation (Success)
SQL> CREATE TABLESPACE DEV DATAFILE '+DATA' SIZE 1G AUTOEXTEND ON NEXT 128M MAXSIZE 30G;
✅ Tablespace created successfully
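Steps 3 to 6 can also be run as one SQL*Plus script. The following is an added example, not part of the original post: it prompts for the keystore password instead of embedding it in the command text, and passes the new key ID to the activation step through a substitution variable rather than by hand. The variable names ks_pwd and new_key_id are assumptions made for this example; the PDB name and tag are the ones used above.

```sql
-- Added example (not from the original post). Run in SQL*Plus as SYSDBA.
-- ks_pwd and new_key_id are substitution-variable names chosen for this example.
WHENEVER SQLERROR EXIT FAILURE
-- VERIFY OFF stops SQL*Plus from echoing old/new lines, which would print the password.
SET VERIFY OFF
SET DEFINE ON

-- Prompt for the keystore password without echo instead of hard-coding it.
ACCEPT ks_pwd CHAR PROMPT 'Keystore password: ' HIDE

ALTER SESSION SET CONTAINER = UAT;

-- Step 3: current wallet state for this PDB.
SELECT con_id, status, wallet_type FROM v$encryption_wallet;

-- Step 4: create the key with the tag used in the post.
ADMINISTER KEY MANAGEMENT CREATE ENCRYPTION KEY USING TAG 'UAT_rekey'
  FORCE KEYSTORE IDENTIFIED BY "&ks_pwd" WITH BACKUP USING 'UAT_rekey';

-- Capture the newest key_id carrying that tag into &new_key_id.
-- The default 'NONE' makes Step 5 fail cleanly if no row comes back.
DEFINE new_key_id = 'NONE'
COLUMN key_id NEW_VALUE new_key_id
SELECT key_id
  FROM v$encryption_keys
 WHERE tag = 'UAT_rekey'
 ORDER BY creation_time DESC
 FETCH FIRST 1 ROW ONLY;

-- Step 5: activate exactly the key selected above.
ADMINISTER KEY MANAGEMENT USE ENCRYPTION KEY '&new_key_id'
  FORCE KEYSTORE IDENTIFIED BY "&ks_pwd" WITH BACKUP;

-- Step 6: re-check the wallet, then drop the password from the session.
SELECT con_id, status, wallet_type FROM v$encryption_wallet;
UNDEFINE ks_pwd
```

A keystore password containing an ampersand would be treated as a further substitution variable, so this script assumes the password has none.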
Key Takeaways
Why ORA-28374 Happens
New PDB has no TDE master key
Wallet is open but key is missing
Mandatory Fix for New PDBs
Always create and activate a master encryption key after PDB creation
Best Practice Checklist (DBA)
✔ After creating a PDB
✔ Check v$encryption_wallet
✔ Create a PDB-level encryption key
✔ Activate the key
✔ Then add datafiles / tempfiles
Conclusion:
ORA-28374 is not a bug, but a TDE lifecycle requirement in multitenant Oracle databases.
Proper key management ensures smooth PDB operations and prevents encryption-related failures.