Introduction

This guide describes the integration of the Entrust Cryptographic Security Platform Key Management Vault with an Oracle database using Oracle Data Guard. Oracle Data Guard offers a collection of services that create, maintain, manage, and monitor one or more standby databases to enable Oracle databases to survive disasters and data corruptions. It ensures high availability, data protection, and disaster recovery for enterprise data. Transparent Data Encryption (TDE) complements Oracle Data Guard by encrypting sensitive data stored in the databases. It safeguards against unauthorized access when the data is at rest, adding an additional security layer. TDE automatically encrypts and decrypts data at the storage level, thus preserving the usability and performance of the Oracle databases while seamlessly integrating with Oracle Data Guard to ensure that both primary and standby databases adhere to the same security standards without manual intervention. Entrust Cryptographic Security Platform Key Management Vault acts as an Extensible Key Management (EKM) solution for Oracle that securely manages keys and encrypts sensitive data using Transparent Data Encryption (TDE).

The Oracle feature Transparent Data Encryption (TDE) provides data-at-rest encryption for sensitive information held by the Oracle database, while at the same time allowing authorized clients to use the database.

Integrated Oracle and Entrust technology has been tested to support Oracle TDE for tablespace encryption and column encryption.

This guide focuses on how TDE is used and what needs to happen in the Oracle Data Guard configuration to ensure high availability, data protection, and disaster recovery for enterprise data that has been encrypted using Entrust Cryptographic Security Platform Key Management Vault Database Vault.

Using this guide

This Integration Guide covers UNIX/Linux-based systems. It provides:

  • An overview of how the Oracle database software and Entrust Cryptographic Security Platform Key Management Vault Database Vault work together to enhance security.

  • Configuration and installation instructions.

  • Depending on your current Oracle setup, how to:

    • Migrate encryption from an existing Oracle wallet or keystore to Entrust Key Management Vault protection.

    • Begin using Entrust Key Management Vault protection immediately if no Oracle software wallet or keystore already exists.

  • Examples and advice on how the product may be used.

  • Oracle Data Guard configuration with Entrust Key Management Vault especially after encryption has been put in place.

  • Troubleshooting advice.

It is assumed the reader has a good knowledge of Oracle database technology.

Assuming you already have your Oracle database installed and Oracle Data Guard properly configured and working, after installing and configuring the Entrust Cryptographic Security Platform Key Management Vault Database Vault, there is no other software required. However, some minor configuration changes will be needed.

This guide cannot anticipate all configuration requirements a customer may have. Examples shown in this guide are not exhaustive, and may not necessarily show the simplest or most efficient methods of achieving the required results. The examples should be used to guide integration of the Entrust Cryptographic Security Platform Key Management Vault Database Vault with an Oracle database with Data Guard in place, and should be adapted to your own circumstances.

Entrust accepts no responsibility for loss of data, or services, incurred by use of examples, or any errors in this guide. For your own reassurance, it is recommended you thoroughly check your own solutions in safe test conditions before committing them to a production environment. If you require additional help in setting up your system, contact Entrust Support.

Entrust accepts no responsibility for information in this guide that is made obsolete by changes or upgrades to the Oracle product.

This integration guide assumes that you have already reviewed the documentation for Key Management Vault Database Vaults and have a basic understanding of the setup processes involved in configuring Oracle database TDE and Oracle Data Guard. Familiarity with these concepts will ensure a smoother implementation of the integration.

It is important to note that this guide uses single-node primary and standby Oracle servers; a RAC environment was not used for testing. Taking this into account, some SQL statements used in the guide may vary slightly in a RAC setup.

Product configuration

Entrust has successfully tested Entrust Cryptographic Security Platform Key Management Vault Database Vault with the following configurations:

Vendor     Product                             Version
VMware     vSphere                             8.0
Entrust    Cryptographic Security Platform     1.0
Entrust    Key Management Vault                10.4.5
Oracle     Oracle Database Enterprise Edition  19C - 19.3.0.0.0
Red Hat    Red Hat Enterprise Linux            8

Conventions used in this document

Database connections

You must be a user with correct permissions to access a database, and also have the correct privileges to perform the required operations when connected to that database. Your system administrator should be able to create users and grant suitable permissions and privileges according to your organization’s security policies.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Example

  • <database-user> is the user identity making the connection.

  • <database-identifier> is the database to make the connection to.

For the purpose of examples in this guide, the following database users and database identifiers should be sufficient.

  1. <database-user>

    This guide will use one of the following users for connecting to databases:

    • sysdba, Oracle’s standard sysdba user

    • C##test_user, a user created to be able to do table column encryption.

      Examples of sqlplus connection syntax:

      % sqlplus / as sysdba

      To connect as different users:

      CONNECT C##test_user/<test_user_password>;
      CONNECT sys/<sys_user_password> as sysdba;

  2. <database-identifier>

    This guide will use one of the following database identifiers for connecting to databases:

    • CDB1ROOT, to connect to the CDB$ROOT for the container CDB1.

    • CDB1PDB1, to connect to PDB1 within CDB1.

Key migration and legacy keys

Entrust Key Management Vault serves as a software wallet or keystore, utilizing the HSM keystore configuration when setting up the wallet type. However, it’s important to note that Entrust Key Management Vault is a software-based solution and not a physical hardware security module (HSM).

Entrust Key Management Vault provides two configurations for key management:

  • The first configuration entails using pure software-based keys.

  • The second configuration utilizes a Hardware Security Module (HSM) as the backend for key creation and operations.

Entrust Key Management Vault offers support for various HSMs, including nShield, Luna, and cloud HSMs.

For more information on HSM configuration with KeyControl, see Hardware Security Modules with Cryptographic Security Platform Vault.

Encryption master keys can be migrated between an existing Oracle keystore and Entrust Key Management Vault serving as the wallet. In this case, 'key migration' refers to the transfer of responsibility for holding the master keys.

The encryption keys themselves are not copied or imported between a software keystore and the Entrust Key Management Vault wallet. Instead, fresh master key(s) are created within the software keystore or Entrust Key Management Vault wallet during the migration. Subsidiary keys that are being protected are re-encrypted using the fresh master key(s). Any new master keys are subsequently created in the current key protector to which you have migrated.

During the re-key process, the previous master keys, or legacy keys, remain in the software keystore or the Entrust Key Management Vault wallet where they were originally created. After performing a key migration, you can retain access to the legacy keys in the software keystore or Key Management Vault wallet you migrated from by setting its passphrase to be the same as the current key protector’s passphrase. This allows both the software keystore and Key Management Vault wallet to be open simultaneously, providing access to the encryption keys they contain. If you do not follow this approach, you will only be able to access keys in the current key protector. If you are using both a software keystore and Key Management Vault wallet concurrently, the current key protector is referred to as the primary.
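As an added illustration that is not part of this guide, the following SQL*Plus session shows the migration described above from an existing software keystore to Key Management Vault acting as the HSM keystore, then the checks that confirm which key protector is primary and where the legacy keys remain. It assumes the Key Management Vault PKCS#11 keystore is already configured and that the software keystore is open; <software_keystore_password> and <kmv_password> are placeholders, and the password-alignment step is the standard Oracle command for giving the legacy keystore the same passphrase as the current key protector.

```sql
-- Run as SYSDBA against CDB$ROOT (CDB1ROOT in this guide's conventions).
-- Make the HSM keystore (Key Management Vault) primary and the file keystore secondary.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=BOTH;

-- Migrate: a fresh master key is created in Key Management Vault and the
-- subsidiary keys are re-encrypted under it. The previous master keys stay
-- in the software keystore as legacy keys; nothing is copied between keystores.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "<kmv_password>"
  MIGRATE USING "<software_keystore_password>"
  WITH BACKUP;

-- Give the legacy software keystore the same passphrase as the current key
-- protector so both can be open at the same time and legacy keys stay reachable.
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
  IDENTIFIED BY "<software_keystore_password>"
  SET "<kmv_password>"
  WITH BACKUP;

-- Check: the HSM row should show WALLET_ORDER = PRIMARY and the FILE row
-- SECONDARY, both with STATUS = OPEN.
SELECT wrl_type, status, wallet_type, wallet_order, con_id
  FROM v$encryption_wallet;

-- Check: legacy keys report KEYSTORE_TYPE = 'SOFTWARE KEYSTORE'; the master
-- key created by the migration reports 'HARDWARE KEYSTORE'.
SELECT key_id, keystore_type, creation_time
  FROM v$encryption_keys
 ORDER BY creation_time;
```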

Overview

Transparent Data Encryption (TDE) is used to encrypt an entire database without requiring changes to existing queries and applications.

When a database encrypted with TDE is loaded into memory from disk storage, it is automatically decrypted, allowing clients to query the database within the server environment without needing to perform any decryption operations. The database is encrypted again when saved to disk storage.

There are several advantages to using Entrust Cryptographic Security Platform Key Management Vault for managing Transparent Data Encryption (TDE) within the Oracle environment. Firstly, it increases visibility into TDE keys, providing administrators with better oversight and control. Entrust Key Management Vault supports the use of in-house Hardware Security Modules (HSMs) for generating cryptographic material, ensuring a secure and trusted key management process. Administrators also have granular control over TDE key usage, with the ability to revoke access if database keys are suspected to be compromised.

Furthermore, Entrust Key Management Vault provides the advantage of storing keys externally to the Oracle Server, offering an additional layer of protection. Access control is strengthened through the validation of the Oracle Server VM’s certificate by Entrust Key Management Vault, enhancing overall security. Encryption keys are securely stored in a FIPS 140 Level 1 certified Encrypted Object store, ensuring compliance with stringent security standards.

Entrust Cryptographic Security Platform Key Management Vault also enables geo-location-based access control when boundary control is enabled, allowing for fine-grained access restrictions based on geographical locations. Additionally, audit logs are generated in Entrust Key Management Vault, providing a comprehensive record of key management activities for compliance and auditing purposes. Overall, leveraging Key Management Vault for TDE management enhances security, control, and compliance within the Oracle environment.