Oracle Key Vault is a central, secure key management platform. It centrally manages security objects such as encryption keys, Oracle wallets, Java keystores, and credential files, and is optimized for Oracle Advanced Security Transparent Data Encryption (TDE) master keys. It is delivered as a turnkey solution built on a hardened software stack, which makes it straightforward to install, configure, deploy, and patch.
Oracle Key Vault includes separation of duties for administrative users, full auditing, preconfigured reports, and alerts. The full-stack, security-hardened software appliance uses Oracle Linux and Oracle Database technology for security, availability, and scalability. Oracle Key Vault (OKV) is delivered as a bootable disk image containing a Linux installer, and it must be installed on its own dedicated server. The installed appliance consists of a preconfigured operating system, an Oracle database, and the Oracle Key Vault application, which is built using Oracle Application Express (APEX).
Why is Oracle Key Vault an important product?
Security threats and increased regulation of personally identifiable information, payment card data, healthcare records, and other sensitive information have expanded the use of encryption in a data center. As a result, management of encryption keys, certificates, wallets, and other secrets has become a vital part of the data center, impacting both security and business continuity.
Oracle Key Vault is a central, secure key management product that addresses the managerial and regulatory challenges listed below and facilitates the deployment of encryption across the enterprise.
Managerial challenges:
- Proliferation of encryption wallets and keys
- Authorized sharing of keys
- Key availability, retention, and recovery
- Custody of keys and key storage files
Regulatory challenges:
- Physical separation of keys from encrypted data
- Periodic key rotations
- Monitoring and auditing of keys
- Long-term retention of keys and encrypted data
Centralized Management of Security Objects
Oracle Key Vault enables customers to quickly deploy encryption and other security solutions by centrally managing encryption keys, Oracle Wallets, Java keystores, and credential files.
The centralized Oracle Key Vault platform enables you to achieve the following:
- Manage the key life cycle, including creation, rotation, and removal, for all endpoints. This includes the ability to share access to security objects among multiple endpoints. Endpoints are the databases, middleware, and other systems whose keys you want to manage with Oracle Key Vault.
- Prevent the loss of keys and wallets due to forgotten passwords or accidentally deleted wallets and keystores.
- Log in to the graphical management console (which is an APEX application) to perform your tasks.
Oracle Key Vault Environment
Oracle Key Vault works with the following elements:
- Transparent Data Encryption (TDE) endpoints are Oracle databases that have columns or tablespaces configured to use TDE; Oracle Key Vault stores and serves their TDE master encryption keys.
- Other keystore files are Java keystores (such as JCEKS keystores) that you upload to Oracle Key Vault from endpoints or download from Oracle Key Vault to endpoints.
- Management console refers to the Oracle Key Vault graphical user interface, which you log in to in order to manage the objects that you upload to Oracle Key Vault.
- Appliance backup refers to the destination to which you back up Oracle Key Vault data. Backups complement high availability: a standby appliance protects against failure of the primary, but only a backup lets you restore security objects after data loss.
- Oracle Wallets and Java keystores refer to the wallets and keystores that you upload to Oracle Key Vault and download to endpoints.
High Availability for Oracle Key Vault
Oracle recommends that you configure high availability (HA) to ensure continued access to your security objects if an Oracle Key Vault appliance fails. Configuring HA involves connecting to the primary appliance and providing it with the IP address and certificate of the standby, and then doing the same for the primary on the standby appliance, so that the two appliances authenticate each other. If you plan to configure high availability, do so before you begin to create endpoints: an endpoint knows about the standby appliance only if the standby was configured before the endpoint was enrolled, so endpoints enrolled earlier must be re-enrolled or they will lose access to their security objects when the primary fails. The primary appliance is the one that services requests from endpoints. The standby appliance takes over as the primary if the primary fails for any reason. You can switch the primary and standby roles and even unconfigure high availability.
What Are Endpoints?
Endpoints are the database servers, application servers, and computer systems where the actual cryptographic operations, such as encryption or decryption, are performed. Endpoints ask Oracle Key Vault to store and retrieve security objects; the keys are used on the endpoint, while Oracle Key Vault holds the authoritative copy. Enrolling and provisioning endpoints, that is, configuring the connections between Oracle Key Vault and endpoints, is straightforward: endpoint provisioning uses a single package that contains all the necessary software binaries and configuration files, as well as the endpoint certificates needed for mutually authenticated connections with Oracle Key Vault. Communication between endpoints and the appliance uses the OASIS Key Management Interoperability Protocol (KMIP), which standardizes key management operations between key management servers and endpoints from different vendors. You can group endpoints for ease of management. For example, if the nodes of an Oracle RAC cluster are placed in one endpoint group, they can share wallets and wallet contents.
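The KMIP traffic referred to above is a binary TTLV (Tag, Type, Length, Value) encoding carried over the mutually authenticated TLS session. The following Python is an added worked example, not Oracle Key Vault's client code or any part of its endpoint package: it encodes a KMIP 1.1 Get request for a placeholder unique identifier, decodes it back, and shows the 8-byte padding rule. Tag, type and enumeration values are taken from the KMIP 1.x specification; the identifier "ID-1" is constructed for the example, and no network connection is made.

```python
"""Added worked example: a minimal KMIP TTLV encoder/decoder for the Get
operation. Not Oracle Key Vault client code; tag, type and enumeration
values come from the KMIP 1.x specification."""
import struct

# KMIP tags used here (3-byte values from the KMIP 1.x tag table).
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
}
NAME = {v: k for k, v in TAG.items()}
# KMIP item types.
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
OP_GET = 0x0A  # Operation enumeration value for Get


def _ttlv(tag: int, typ: int, value: bytes) -> bytes:
    """Tag (3 bytes) | Type (1 byte) | Length (4 bytes, unpadded) | Value padded to 8."""
    padding = b"\x00" * ((-len(value)) % 8)
    return (struct.pack(">I", tag)[1:] + bytes([typ])
            + struct.pack(">I", len(value)) + value + padding)


def integer(tag: str, n: int) -> bytes:
    return _ttlv(TAG[tag], INTEGER, struct.pack(">i", n))  # 4 bytes + 4 pad


def enumeration(tag: str, n: int) -> bytes:
    return _ttlv(TAG[tag], ENUMERATION, struct.pack(">I", n))


def text(tag: str, s: str) -> bytes:
    return _ttlv(TAG[tag], TEXT_STRING, s.encode("utf-8"))


def structure(tag: str, *children: bytes) -> bytes:
    return _ttlv(TAG[tag], STRUCTURE, b"".join(children))


def build_get_request(unique_id: str) -> bytes:
    """One-item KMIP 1.1 request: Get the managed object with this identifier.
    The identifier is a placeholder; a real one is assigned by the server."""
    return structure("RequestMessage",
        structure("RequestHeader",
            structure("ProtocolVersion",
                integer("ProtocolVersionMajor", 1),
                integer("ProtocolVersionMinor", 1)),
            integer("BatchCount", 1)),
        structure("BatchItem",
            enumeration("Operation", OP_GET),
            structure("RequestPayload",
                text("UniqueIdentifier", unique_id))))


def decode(buf: bytes) -> list:
    """Parse TTLV bytes into nested (name, value) pairs, honouring 8-byte padding."""
    items, pos = [], 0
    while pos + 8 <= len(buf):
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        raw = buf[pos + 8:pos + 8 + length]
        if len(raw) != length:
            raise ValueError("truncated TTLV item")
        if typ == STRUCTURE:
            value = decode(raw)
        elif typ == INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif typ == ENUMERATION:
            value = struct.unpack(">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw  # other KMIP types are passed through unparsed
        items.append((NAME.get(tag, hex(tag)), value))
        pos += 8 + length + (-length) % 8  # skip the value and its padding
    return items


def summarize_request(buf: bytes) -> dict:
    """Pull out the fields a server-side policy check would look at first."""
    (_, body), = decode(buf)
    header, item = dict(body)["RequestHeader"], dict(body)["BatchItem"]
    version = dict(dict(header)["ProtocolVersion"])
    return {
        "version": (version["ProtocolVersionMajor"], version["ProtocolVersionMinor"]),
        "operation": dict(item)["Operation"],
        "unique_identifier": dict(dict(item)["RequestPayload"])["UniqueIdentifier"],
    }


if __name__ == "__main__":
    req = build_get_request("ID-1")  # constructed placeholder identifier
    print(req.hex())
    print(summarize_request(req))
```

The alignment rule is the part that trips up hand-written parsers: each value is padded to a multiple of 8 bytes, but the Length field records the unpadded size, so the decoder must advance by length plus padding. A real Get response carries the object type and key material in its payload and an additional Result Status enumeration per batch item; this example stops at the request side.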
What Is a Virtual Wallet?
Oracle Key Vault allows you to group keys and other security objects into a virtual wallet. These security objects are typically public and private keys, TDE master encryption keys, passwords, credentials, certificates, and so on. The main purpose of a virtual wallet is to let endpoints other than the endpoint that created the objects access them. Key administrators create virtual wallets. After creation, you can grant or revoke an endpoint's or endpoint group's access to a virtual wallet. For ease of management and sharing, you can grant a group of server endpoints access to a virtual wallet in one step instead of granting it endpoint by endpoint.