Check your TDE_CONFIGURATION and sqlnet.ora settings. If you are using WALLET_ROOT in Oracle 19c or later, the database needs to know it should look for both HSM and FILE-based keys .
Note: You generally need a directory path as a fallback location for the software wallet file during the transition period.
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "my_secret" TO 'export_file.dmp' IDENTIFIED BY "password"; ora-28414 specified keys are in hsm
You must manage HSM keys or specific Oracle commands that allow HSM interaction:
Oracle Database provides robust encryption capabilities to protect sensitive data at rest and in transit. One of the most secure methods for managing encryption keys is using a . However, when working with HSM-stored keys, database administrators often encounter a specific and sometimes confusing error: Check your TDE_CONFIGURATION and sqlnet
The ORA-28414 error is a safeguard mechanism. It usually happens when there is an attempt to merge, back up, or manipulate keys using syntax meant for software keystores, while the database configuration is currently pointing toward an HSM, or the keys being referenced are flagged as HSM-protected.
| Error | Meaning | |-------|---------| | ORA-28353 | Key not found in wallet/HSM | | ORA-28413 | Specified keys are in software keystore | | | Specified keys are in HSM | | ORA-28415 | HSM operation failed | ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET
If a migration from a software wallet to an HSM was previously attempted and failed halfway, some keys might have been successfully copied to the HSM. Retrying the same command may trigger ORA-28414.
To resolve this, you must align the database's configuration with the physical location of the keys.