Introduction
This guide describes the integration of the Entrust KeyControl Database Vault with an Oracle database. KeyControl Database Vault acts as an Extensible Key Management (EKM) solution that securely manages keys and encrypts sensitive data using Transparent Data Encryption (TDE).
For more detailed information on KeyControl Database Vaults, see the KeyControl Database Vault Documentation.
The Oracle feature Transparent Data Encryption (TDE) provides data-at-rest encryption for sensitive information held by the Oracle database, while at the same time allowing authorized clients to use the database.
Integrated Oracle and Entrust technology has been tested to support Oracle TDE for tablespace encryption, or column encryption, or concurrently for both.
This guide shows support for multitenant databases. For more information on multitenant support, which is provided by Oracle itself, see the Oracle multitenant documentation.
Using this guide
This Integration Guide covers UNIX/Linux based systems. It provides:
- An overview of how the Oracle database software and Entrust KeyControl Database Vault work together to enhance security.
- Configuration and installation instructions.
- Depending on your current Oracle setup, how to:
  - Migrate encryption from an existing Oracle wallet or keystore to KeyControl protection.
  - Begin using KeyControl protection immediately if no Oracle software wallet or keystore already exists.
- Examples and advice on how the product may be used.
- Troubleshooting advice.
It is assumed the reader has a good knowledge of Oracle database technology.
Assuming you already have your Oracle database installed, after installing and configuring the Entrust KeyControl Database Vault, there is no other software required. However, some minor configuration changes will be needed.
This guide cannot anticipate all configuration requirements a customer may have. Examples shown in this guide are not exhaustive, and may not necessarily show the simplest or most efficient methods of achieving the required results. The examples should be used to guide integration of the Entrust KeyControl Database Vault with an Oracle database, and should be adapted to your own circumstances.
Entrust accepts no responsibility for loss of data, or services, incurred by use of examples, or any errors in this guide. For your own reassurance, it is recommended you thoroughly check your own solutions in safe test conditions before committing them to a production environment. If you require additional help in setting up your system, contact Entrust Support.
Entrust accepts no responsibility for information in this guide that is made obsolete by changes or upgrades to the Oracle product.
This integration guide assumes that you have already reviewed the documentation for KeyControl Database Vaults and have a basic understanding of the setup processes involved in configuring Oracle database TDE. Familiarity with these concepts will ensure a smoother implementation of the integration.
Product configuration
Entrust has successfully tested the following software version:
Product | Version |
---|---|
KeyControl Vault | 10.4.1 |
Entrust has successfully tested Entrust KeyControl Database Vault with the following configurations:
OS Version | Kernel | Oracle Version |
---|---|---|
Red Hat Enterprise Linux 9 | Linux 5.14.0-503.21.1.el9_5.x86_64 | Oracle Database 23ai Free Release - 23.0.0.0.0 - 23.6.0.24.10 |
Conventions used in this document
Database connections
You must be a user with correct permissions to access a database, and also have the correct privileges to perform the required operations when connected to that database. Your system administrator should be able to create users and grant suitable permissions and privileges according to your organization’s security policies.
Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
Example
- <database-user> is the user identity making the connection.
- <database-identifier> is the database to make the connection to.
For the purpose of examples in this guide, the following database users and database identifiers should be sufficient.
- <database-user>: this guide will use one of the following users for connecting to databases:
  - sysdba, Oracle’s standard sysdba user
- <database-identifier>: this guide will use one of the following database identifiers during a connection:
Oracle 23ai Free edition already deploys the following:
- FREE indicates the container database.
- PDB1 indicates the pluggable database.
Multitenant database identifiers will be:
- FREEROOT, to connect to the CDB$ROOT for the container FREE.
- FREEPDB1, to connect to PDB1 within FREE.
For example:
CONNECT sysdba@FREEROOT
CONNECT FREEPDB1TESTER@FREEPDB1
When you are using a multitenant database, the connection implies that you must alter a session if you are not already connected to the required container. For example:
- CONNECT sysdba@FREEROOT implies that if you are not already connected to FREE, then alter the session: ALTER SESSION SET CONTAINER = CDB$ROOT;
- CONNECT FREEPDB1TESTER@FREEPDB1 implies that if you are not already connected to FREEPDB1, then alter the session: ALTER SESSION SET CONTAINER = FREEPDB1;
Examples of sqlplus connection syntax for different users:
- sqlplus / as sysdba
- sqlplus / as sysdba@FREEROOT
- sqlplus FREEPDB1TESTER/Tester@//localhost:1521/FREEPDB1
Key migration and legacy keys
KeyControl serves as a software wallet or keystore, utilizing the HSM keystore configuration when setting up the wallet type. However, it’s important to note that KeyControl is a software-based solution and not a physical hardware security module (HSM).
KeyControl provides two configurations for key management:
- The first configuration entails using pure software-based keys.
- The second configuration utilizes a Hardware Security Module (HSM) as the backend for key creation and operations.
KeyControl offers support for various HSMs, including nShield, Luna, and cloud HSMs.
For more information on HSM configuration with KeyControl, see Hardware Security Modules with KeyControl Vault.
Encryption master keys can be migrated between an existing Oracle keystore and KeyControl serving as the wallet. In this case, 'key migration' refers to the transfer of responsibility for holding the master keys.
The encryption keys themselves are not copied or imported between a software keystore and KeyControl wallet. Instead, fresh master key(s) are created within the software keystore or KeyControl wallet during the migration. Subsidiary keys that are being protected are re-encrypted using the fresh master key(s). Any new master keys are subsequently created in the current key protector to which you have migrated.
During the re-key process, the previous master keys, or legacy keys, remain in the software keystore or KeyControl wallet where they were originally created. After performing a key migration, you can retain access to the legacy keys in the software keystore or KeyControl wallet you migrated from by setting its passphrase to be the same as the current key protector’s passphrase. This allows both the software keystore and KeyControl wallet to be open simultaneously, providing access to the encryption keys they contain. If you do not follow this approach, you will only be able to access keys in the current key protector. If you are using both a software keystore and KeyControl wallet concurrently, the current key protector is referred to as the primary.
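As an added illustration (not part of the Entrust guide), the following SQL*Plus session, run as SYSDBA in CDB$ROOT, checks the state described above after a migration from an Oracle software keystore to KeyControl: which key protector is the primary, that the current master key is a fresh one rather than a copy, and that the legacy software keystore can still be opened once its passphrase matches. The passphrase is a placeholder; the views and columns are the standard Oracle V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS.

```sql
-- Added example, not from the Entrust guide. Run as SYSDBA; make sure the
-- session is in the root container before querying CDB-wide key state.
ALTER SESSION SET CONTAINER = CDB$ROOT;

-- 1. Which key protectors does the database see, and which one is primary?
--    After migrating to KeyControl (configured as the HSM wallet type) expect
--    WALLET_TYPE = HSM with WALLET_ORDER = PRIMARY, and the legacy FILE
--    keystore as SECONDARY if its passphrase was aligned with KeyControl's.
--    A FILE keystore showing STATUS = CLOSED means only the primary is usable.
SELECT con_id, wrl_type, wallet_type, wallet_order, status
  FROM v$encryption_wallet
 ORDER BY con_id, wallet_order;

-- 2. Legacy keys stay in the keystore that created them. The most recently
--    activated key per container should be the fresh master key created in
--    the KeyControl wallet (KEYSTORE_TYPE reported as a hardware keystore),
--    with the older software-keystore keys still listed below it.
SELECT con_id, key_id, keystore_type, creation_time, activation_time
  FROM v$encryption_keys
 ORDER BY con_id, activation_time DESC;

-- 3. If the legacy FILE keystore is CLOSED, open it with the passphrase that
--    now matches the KeyControl wallet's passphrase (placeholder below) so both
--    protectors are available at the same time and legacy keys stay readable.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<shared-passphrase>" CONTAINER = ALL;

-- Re-run query 1: both rows should now report STATUS = OPEN.
SELECT con_id, wrl_type, wallet_type, wallet_order, status
  FROM v$encryption_wallet
 ORDER BY con_id, wallet_order;
```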
Overview
Transparent Data Encryption (TDE) is used to encrypt an entire database without requiring changes to existing queries and applications.
When a database encrypted with TDE is loaded into memory from disk storage, it is automatically decrypted, allowing clients to query the database within the server environment without needing to perform any decryption operations. The database is encrypted again when saved to disk storage.
There are several advantages to using KeyControl for managing Transparent Data Encryption (TDE) within the Oracle environment. Firstly, it increases visibility into TDE keys, providing administrators with better oversight and control. KeyControl supports the use of in-house Hardware Security Modules (HSMs) for generating cryptographic material, ensuring a secure and trusted key management process. Administrators also have granular control over TDE key usage, with the ability to revoke access if database keys are suspected to be compromised.
Furthermore, KeyControl provides the advantage of storing keys externally to the Oracle Server, offering an additional layer of protection. Access control is strengthened through the validation of the Oracle Server VM’s certificate by KeyControl, enhancing overall security. Encryption keys are securely stored on a FIPS 140 Level 1 certified Encrypted Object store, ensuring compliance with stringent security standards.
KeyControl also enables geo-location-based access control when boundary control is enabled, allowing for fine-grained access restrictions based on geographical locations. Additionally, audit logs are generated in KeyControl, providing a comprehensive record of key management activities for compliance and auditing purposes. Overall, leveraging KeyControl for TDE management enhances security, control, and compliance within the Oracle environment.