In a CDB: We have a single Keystore (Wallet) owned by the ROOT container (CDB$ROOT) and a separate Master Encryption Key for each of the associated pluggable databases as well as a Master encryption Key for the ROOT (CDB$ROOT) container. 

In a Non-CDB: We have a Keystore (Wallet) and Master Encryption Key for the Non-CDB database.

--in SQLNET.ORA, add
ENCRYPTION_WALLET_LOCATION= (SOURCE=
 (METHOD = FILE)
 (METHOD_DATA =
 (DIRECTORY=/u01/oracle/product/12.1.0/dbhome_1/admin/O12C1Cloud/wallet)
 ))

--CDB$ROOT
alter session set container=CDB$ROOT;
--create keystore, save wallet does the same saving ewallet.p12 into wallet location
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/oracle/product/12.1.0/dbhome_1/admin/O12C1Cloud/wallet' IDENTIFIED BY xxxxxxxxxxxx;

--CDB$ROOT
select * from v$encryption_wallet;
--open key store
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY xxxxxxxxxxxx;
--CDB$ROOT
select * from v$encryption_wallet; --OPEN_NO_MASTER_KEY 

--cretae auto login
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/oracle/product/12.1.0/dbhome_1/admin/O12C1Cloud/wallet' IDENTIFIED BY xxxxxxxxxxxx;
shut immediate;
startup;
select * from v$encryption_wallet; -- still OPEN_NO_MASTER_KEY
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY xxxxxxxxxxxx;
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY xxxxxxxxxxxx;

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx WITH BACKUP;
ORA-28362: master key not found
select CON_ID,KEY_ID,KEYSTORE_TYPE,CREATOR_DBNAME,CREATOR_PDBNAME from v$encryption_keys;
no rows

--open key store
administer key management set keystore open identified by xxxxxxxxxxxx;
--OPEN_NO_MASTER_KEY 
--ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'tde_mskey' IDENTIFIED BY "xxxxxxxxxxxx" WITH BACKUP USING 'tde_mskey_backup';
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx WITH BACKUP USING 'initial_backup';

-- set master key
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx WITH BACKUP USING 'initial_backup' CONTAINER = all;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx WITH BACKUP USING 'initial_backup' CONTAINER = current;
--OPEN on CDB$ROOT now

--O12C1P2 PDB, wallet not auto matic login yet
> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY xxxxxxxxxxxx;
> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx WITH BACKUP;


ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY xxxxxxxxxxxx;

----ORA-28374: typed master key not found in wallet 
---- due to a bug, http://www.oraclenext.com/2017/02/ora-28354-encryption-wallet-auto-login.html
TDE Wallet Problem in 12c: Cannot do a Set Key operation when an auto-login wallet is present (Doc ID 1944507.1)

---- workaround here
Remove the auto-open wallet cwallet.sso physically:
--optional---->alter system set wallet close;
shut immediate;
startup;
--ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY xxxxxxxxxxxx;
administer key management set keystore open identified by xxxxxxxxxxxx container = ALL;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx WITH BACKUP USING '5th_backup' CONTAINER = all;
administer key management create AUTO_LOGIN keystore from keystore '/oracle/app/oracle/product/12.2.0/dbhome_1/owm/wallets/oracle' identified by xxxxxxxxxxxx;
shut immediate;
startup;
select * from v$encryption_wallet;
----should show autologin now
ORA-19511: non RMAN, but media manager or vendor specific failure, error text:
   KBHS-01013: specified OPC_WALLET alias alias_opc not found in wallet
----Cloud backup, remember to reinstate OPC_WALLET alias alias_opc as below
$>java -jar opc_install.jar -serviceName Storage -identityDomain xxxxxxxxxxxx -opcId jason.wong@xxxxxxxxxxxx.com -opcPass xxxxxxxxxxxx -libDir /oracle/app/oracle/product/12.2.0/dbhome_1/lib -walletDir /oracle/app/oracle/product/12.2.0/dbhome_1/owm/wallets/oracle -container xxxxCloudBackup

--administer key management set keystore open identified by xxxxxxxxxxxx;
--administer key management set key identified by xxxxxxxxxxxx with backup;

administer key management set keystore open identified by xxxxxxxxxxxx container=all;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx WITH BACKUP USING '4th_backup' CONTAINER = all;
--SQL> select * from v$encryption_wallet;
--when status closed
administer key management create AUTO_LOGIN keystore from keystore '/u01/oracle/product/12.1.0/dbhome_1/admin/O12C1Cloud/wallet' identified by xxxxxxxxxxxx;
shut immediate;
startup;

----ORA-28374: typed master key not found in wallet ----
ADMINISTER KEY MANAGEMENT SET KEY [USING TAG 'tag'] IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = ALL | CURRENT];
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx CONTAINER = ALL;
--ORA-46631: keystore needs to be backed up
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY xxxxxxxxxxxx WITH BACKUP USING 'initial_backup' CONTAINER = current;

ORA-28374: typed master key not found in wallet
ALTER SYSTEM SET "_db_discard_lost_masterkey"=TRUE SCOPE=MEMORY;
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY xxxxxxxxxxxx;
--open, set key
--do the same for PDBs
ALTER SYSTEM SET "_db_discard_lost_masterkey"=TRUE;
--CLOSE, OPEN, set key
 
--change password
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY old_password SET new_password WITH BACKUP USING 'pwd_change';

--backup keystore
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'BUG12966094' IDENTIFIED BY keystore_password;
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'hr.emp_keystore' IDENTIFIED BY password TO '/etc/ORACLE/KEYSTORE/DB1/';
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '+DATAFILE' IDENTIFIED BY "srcPassword" INTO EXISTING KEYSTORE '/etc/ORACLE/KEYSTORE/DB1/' IDENTIFIED BY "targetKeystorePassword" WITH BACKUP USING "bkup";

select * from V$ENCRYPTION_KEYS;
ADMINISTER KEY MANAGEMENT USE KEY 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' USING TAG 'quarter:second;description:Activate Key on standby' IDENTIFIED BY password WITH BACKUP;

To find the master key in use in a non-CDB:
>SELECT KEY_ID 
FROM V$ENCRYPTION_KEYS 
WHERE ACTIVATION_TIME = (SELECT MAX(ACTIVATION_TIME) 
                         FROM V$ENCRYPTION_KEYS
                         WHERE ACTIVATING_DBID = (SELECT DBID FROM V$DATABASE));
To find the master key in use in a CDB:
>SELECT KEY_ID 
FROM V$ENCRYPTION_KEYS 
WHERE ACTIVATION_TIME = (SELECT MAX(ACTIVATION_TIME) 
                       FROM V$ENCRYPTION_KEYS
                       WHERE ACTIVATING_PDBID = SYS_CONTEXT('USERENV', 'CON_ID'));
					   
ORA-28353: failed to open wallet					   
>alter system set encryption key identified by "xxxxxxxx";
>ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "xxxxxxxx";
 
cd $ORACLE_HOME/network/admin
vi sqlnet.ora
automatic_ipc = ON               # Set to OFF for PC's
trace_level_client = OFF         # Set to 16 if tracing is required
sqlnet.expire_time = 0           # Idle time in minutes
sqlnet.authentication_services = (ALL)
names.directory_lookup = (TNSNAMES,ONAMES)
names.default_domain=sdc.diamond.net
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/data/oracle/admin/prod9/wallet)) )



