Oracle stores a Master Encryption Key in a keystore, which is used to Encrypt the Data Encryption Key which is stored in the database controlfile and datafile headers. The Data Encryption Key encrypts the data.
The location of the Keystore when on disk can be in several locations, but the database parameter WALLET_ROOT is preferred.
To enable TDE which can’t be disabled afterwards we can follow the life cycle below. Note that Pluggable database can have their own key (Isolated Mode) or use the Container database key (Unified Mode).
Warning never lose your Keystore it should be protected and backed up at all times, failure to do so could render your database unusable.