Appendix

Security Worlds, key protection, and failure recovery

This section highlights some considerations when choosing Security World and key protection options for use with the Entrust Security World. It focuses on recovery of Security World authorization where a system has temporarily failed (for instance after a power outage) and is then returned to operation. This does not apply to other failure recovery functions. These considerations are applicable to Security Worlds, key protection and failure recovery for both standalone systems and database clusters. For a fuller explanation of Security Worlds and key protection, refer to the User Guide for your HSM.

In the event of a temporary failure of the Entrust Security World, there may be a consequent loss of:

  • Credential authorization.

  • Authorization if you are using a FIPS 140 Level 3 Security World.

A credential authorization can be granted using either a Softcard or an OCS card, with passphrase. In the case of an OCS, a card must be always available in a valid HSM card reader in order to grant reauthorization after a failure, and permit automatic recovery.

Where FIPS authorization is required, this can be granted either by using an OCS card specifically for this purpose, or through an OCS card that is also used for credential authorization. A card from the OCS must be always available in a valid HSM card reader in order to grant reauthorization after a failure, and permit automatic recovery.

If you are using OCS cards through a RA secure channel, then if the secure channel is lost it must be reestablished before recovery using the OCS cards can begin. There is no automatic mechanism to reestablish the secure channel, which would have to be re-established manually, or through a user-defined script. For this reason, Entrust recommends that RA is not used for systems requiring automatic recovery.

Oracle auto-login facilities need to be set up to implement automatic recovery in the event of a temporary failure.

Never use ACS cards for FIPS authorization, because they do not support automatic recovery. Softcards or OCS must be members of the same Security World.

The following table describes the authorization recovery behavior of the nCipher Security World after a temporary outage.

Security World type Protection/ Credential Stand-alone system Database cluster

FIPS level 2

Module

Recovers automatically

Recovers automatically

Softcard

Recovers automatically

Recovers automatically

OCS

Use OCS for credential authorization: (1) Use 1/N quorum. Same passphrase for all cards (2) Leave an OCS card in HSM slot. Recovers automatically.

Use OCS for credential authorization: (1) Use 1/N quorum. Same passphrase for all cards (2) Leave an OCS card in slot of every HSM in cluster. Recovers automatically.

FIPS level 3

Module

Use OCS for FIPS authorization (only): Leave an OCS card in HSM slot. Recovers automatically

Use OCS for FIPS authorization (only): Leave an OCS card in slot of every HSM in cluster. Recovers automatically

Softcard

Use OCS for FIPS authorization (only): Leave an OCS card in HSM slot. Recovers automatically

Use OCS for FIPS authorization (only): Leave an OCS card in slot of every HSM in cluster. Recovers automatically

OCS

Use OCS for both credential and FIPS authorization: (1) Use 1/N quorum. Same passphrase for all cards. (2) Leave an OCS card in HSM slot. Recovers automatically.

Use OCS for both credential and FIPS authorization: (1) Use 1/N quorum. Same passphrase for all cards. (2) Leave an OCS card in slot of every HSM in cluster. Recovers automatically.

If you are using an OCS to facilitate automatic recovery of the Entrust Security World:

  • If you are using the OCS for credential authorization, all must be members of the same card set for the same credential, and the same passphrase must be assigned to every card in the set.

  • If you are using the OCS for FIPS authorization purposes only, the quorum automatically defaults to 1/N, and (any) passphrase is ignored.

Authorization acquired through a persistent operator card does not automatically reinstate itself after loss due to a temporary failure.

About the HSM credential

The protection methods available with the Entrust HSM are, in order of enhanced authentication:

  • Module: Encryption keys are protected by a nCipher Security World protecting key in the HSM.

  • Softcard: Encryption keys are protected by a named Softcard (software based) token key, a passphrase, and nCipher Security World protecting key in the HSM. You can have many different Softcards, but each is singular and works on its own.

  • OCS: Encryption keys are protected by the presence of a named physical token (OCS smartcard), an OCS token key, a passphrase, and nCipher Security World protecting key in the HSM. OCS cards are usually part of a set of several OCS cards, or card set, and any member of the same card set protects the same encryption keys. You can have many different OCS card sets where each card set may protect different encryption keys.

The Softcard and OCS protection methods must be set up within the Entrust HSM before they can be used by an Oracle database. See your HSM User Guide for details. The module protection method can be used directly without any set up (other than the normal Entrust configuration). Setting up the Softcard or OCS includes creating and naming the token(s), with a passphrase (see the User Guide for your HSM).

Within SQL scripts as used by Oracle, identify the protection method using a <credential>. Choose the protection method you want to use for <credential> from the table below.

Protection Type Credential or <credential>

Module protection

<module-passphrase>. In this case the passphrase is an access mechanism for Oracle, and is not used by the nShield HSM

Softcard protection

<softcard-passphrase>|<softcard-name>

OCS protection

<OCScard-passphrase>|<OCScard-name>
Oracle documentation gives the ordering <credential-name>|<credential-passphrase>. However, tests showed that the ordering <credential-passphrase>|<credential-name>` works.

Oracle SQL uses the separator symbol | or : to divide the <credential-passphrase> and <credentialname>. Hence the total Oracle SQL string for a credential comprises:

  • Module protection: <passphrase>

  • Softcard or OCS card protection: <credential-passphrase> + <separator> + <credential-name>.

In the nCipher Security World, Entrust recommends the following restrictions on token names, or credentialname:

  • Maximum length of 254 characters.

  • ASCII 7-bit characters only, restricted to:

    A-Z, a-z, 0-9, $ - _ (no white space).

In the nCipher Security World, Entrust places the following restrictions on passphrases, or credential- passphrases:

  • Maximum length of 254 characters.

  • ASCII 7-bit characters only:

    A-Z, a-z, 0-9, ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ; (no white space).

However, the Oracle SQL interface imposes further restrictions on top of the nCipher restrictions for what can comprise the string <credential-passphrase> + <separator> + <credential-name>, as follows:

  • The total string length, including separator, can be no more than 30 characters. This leaves 29 characters for the <credential-passphrase> + <credential-name>.

  • The symbols |, :, " and ' cannot be used within the <credential-passphrase> or <credential-name>.

From the Oracle side, if:

  • N is the length of the credential name.

  • P is the length of the credential passphrase, then 2 ⇐ (N+P) ⇐ 29, where 1 ⇐ N ⇐ 28, and 1 ⇐ P ⇐ 28, assuming a minimum of one character for passphrase and name.

    Permitted symbols are:

  • <credential-passphrase>:

    A-Z, a-z, 0-9, ! @ # $ % ^ & * - _ + = [ ] { } \ , . ? / ~ < > ( ) ; (no white space)

  • <credential-name>:

    A-Z, a-z, 0-9, $ - _ (no white space).

Use a passphrase of sufficient length to meet your current security requirements.

Oracle (wallet manager) states “Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters".
When you are using a Softcard or OCS credential, an SQL script that uses the credential must get the <credential-passphrase> and <credential-name> exactly correct. If there is a mistake, then the entire credential string may be misinterpreted as a <module-passphrase>. Your encryption keys are then placed under module protection rather than the Softcard or OCS card protection you intended. For this reason, after creating encryption keys or rekeying, then immediately use the nCipher rocs utility to check the keys you have just created are under the expected credential or protection method.

In the examples shown in this guide, credentials may be given descriptive names to make it clear what they are used for, such as <keystore-credential>. In practice, replace the descriptive names with the actual credential passphrases and names you are using. If you want to change the passphrase for Softcards or OCS cards, you must change the passphrase for the token in the nCipher Security World first, followed by updating the change to the database. For module protection you need only change the passphrase as seen by the database.

If you are using a FIPS 140 Level 3 Security World:

  • To change the passphrase of a Softcard, or create a new Softcard, you require either authorization using ACS cards, or an OCS authorizing card.

  • To change the passphrase of an OCS card, or create a new OCS card, you require authorization using ACS cards.

You can change the protection method or credential in one of the following ways:

  • Continue using the same protection method and token, but change the associated passphrase. There is no token for module protection, but you can change the passphrase. In this case, after the passphrase is altered, TDE continues working using the new passphrase, because the protected TDE encryption keys remain the same.

  • Continue using the same protection method, but change the token and passphrase. In this case, you have two options:

    1. If you are not transferring encryption keys from the previous token to the new token, you can no longer continue using TDE as protected by the previous token’s keys. You will only be able to use TDE encryption keys shielded under the newly activated credential.

    2. If you are transferring encryption keys from the previous token to the new token, you can continue using TDE as protected by the previous token’s keys. However, you can only transfer keys from different Softcards, or different OCS cards. You cannot transfer keys between Softcards and OCS cards.

  • Change the protection method and associated credential with passphrase. In this case, you cannot transfer encryption keys between the different protection methods. You can only use TDE encryption keys shielded under the new protection method and credential.

Change passphrase only

  1. To change a passphrase only, complete the following instructions:

    • Non-multitenant:

      CONNECT TESTER@DB

      -- If Database is not open already
ALTER DATABASE OPEN;

-- Pre-11.2.0.1.0
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

-- 11.2.0.1.0 onward
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY “<credential>”;

    • Multitenant:

      CONNECT C##TESTER@CDB<n>

      -- If Database is not open already
ALTER PLUGGABLE DATABASE ALL OPEN;

ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<old-credential>" CONTAINER=ALL;

  2. At this point:

    • If you are using module protection, skip to the next SQL statements.

    • If you are using Softcard protection, refer to the User Guide for your HSM for instructions on how to change the Softcard passphrase using the ppmk utility.

    • If you are using OCS protection, refer to the the User Guide for your HSM for instructions on how to change the OCS passphrase using the cardpp utility. If you are using OCS cards, all OCS cards within the same (1/N) card set must be altered to share the exact same passphrase.

  3. Bounce the database:

    • Non-multitenant:

      CONNECT TESTER@DB

      -- If Database is not open already
ALTER DATABASE OPEN;

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<new-credential>";

    • Multitenant only:

      CONNECT C##TESTER@CDB<n>

      -- If Database is not open already
ALTER PLUGGABLE DATABASE ALL OPEN;

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<newcredential>" CONTAINER=ALL;

Change token with associated passphrase but keep same protection method

This does not apply to module protection.

  1. To change a token with passphrase for the same protection method, complete the following instructions:

    • Non-multitenant:

      CONNECT TESTER@DB

      -- If Database is not open already
ALTER DATABASE OPEN;

-- Pre-11.2.0.1.0
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

-- 11.2.0.1.0 onward
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY “<credential>”;

    • Multitenant:

      CONNECT C##TESTER@CDB<n>

      -- If Database is not open already
ALTER PLUGGABLE DATABASE ALL OPEN;

ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<old-token-credential>" CONTAINER=ALL;

  2. At this point:

    • If you do not want to transfer TDE encryption keys from the previous token to the new token, skip to the next SQL statements. If you are using an OCS card set (1/N), all OCS cards within the new card set must share the exact same passphrase.

      If you do want to transfer TDE encryption keys from the previous token to the new token, refer to your HSM User Guide for instructions on how to transfer the keys using the rocs utility.

      It is recommended to back up your Security World data before transferring keys between tokens. See the User Guide for your HSM.

      To transfer keys using the rocs utility, you will need your Security World ACS cards to authorize transfer of keys between tokens. You can only transfer encryption keys between Softcards, or else between OCS cards, but not between Softcards and OCS cards. If transferring keys to another OCS card set (1/N), all OCS cards within the target card set must share the exact same passphrase.

  3. Bounce the database:

    • Non-multitenant:

      CONNECT TESTER@DB

      -- If Database is not open already
ALTER DATABASE OPEN;

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<new-tokencredential>";

    • Multitenant:

      CONNECT C##TESTER@CDB<n>

      -- If Database is not open already
ALTER PLUGGABLE DATABASE ALL OPEN;

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<new-tokencredential>" CONTAINER=ALL;

Change protection method

  1. To change the protection method, complete the following instructions:

    • Non-multitenant:

      CONNECT TESTER@DB

      -- If Database is not open already
ALTER DATABASE OPEN;

-- Pre-11.2.0.1.0
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

-- 11.2.0.1.0 onward
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY “<credential>”;

    • Multitenant:

      CONNECT C##TESTER@CDB<n>

      -- If Database is not open already
ALTER PLUGGABLE DATABASE ALL OPEN;
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<old-protection-credential>" CONTAINER=ALL;

      If you are using OCS cards, all OCS cards within the same (1/N) card set must share the exact same passphrase.

  2. Bounce the database:

    • Non-multitenant:

      CONNECT TESTER@DB

      -- If Database is not open already
ALTER DATABASE OPEN;

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<new-protection-credential>";

    • Multitenant only:

      CONNECT C##TESTER@CDB<n>

      -- If Database is not open already
ALTER PLUGGABLE DATABASE ALL OPEN;

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<new-protectioncredential>" CONTAINER=ALL;

Latency issues

It is beyond the scope of this guide to deal with specific solutions to latency issues, and these will only be discussed in general terms.

When you are using an Oracle database, the nCipher Security World provides and protects the master encryption keys (wrapping keys) that are used to wrap Oracle symmetric keys that are in turn used for tablespace or table column encryption. The Oracle symmetric keys are stored as part of the database itself, although protected by the wrapping key.

In the context of this guide, encrypted data will be taken to include the symmetric key(s) that are stored as part of an Oracle database, as well as the encrypted data itself. Master encryption keys will be taken to be the (wrapping) keys stored by the nCipher Security World. Latency issues may occur when there is a mismatch between the encrypted data and the (correct) master encryption keys, due to a time lag in an update of either. This should only be a problem where there are multiple clients using the same database and encryption keys. In this case, when data or master encryption keys are updated on one client, the changes must be distributed before use by the other clients. Otherwise synchronization problems may occur. Note that the client that initiates the changes should suffer no synchronization problems.

Typically, these issues are more complex to resolve for a large and geographically distributed database system, rather than a small or localized system. It is the job of the system administration to ensure that encrypted data is synchronized with the appropriate master encryption keys at any particular time. Furthermore, is not within the control of the nCipher software if encrypted data does not match (the correct) master encryption keys in the Security World because of a time lag in updating the database.

Where there may be a time lag in updating master encryption keys in the Security World to match encrypted data, this may be due to the following:

  • Time lag in distributing new or updated master encryption keys to a Security World, or between different copies of the same Security World, after a key rotation or rekey.

  • After new or updated master keys have been successfully distributed to the Security World, then a lag in making a nCipher hardserver instance recognize the new master keys.

Storage and distribution of updated master keys

Common storage of master encryption keys

Entrust recommends configurations where the Security World data is held in common storage between clients that require use of the same master encryption keys (if possible).

If common storage of the master encryption keys is being used, then there may be a short time delay before newly created keys are successfully copied to the common store. After this, there may be a further short time delay before a client is able to access the keys from the common store. The time period a client may not be able to access the updated keys is likely to be very short, but may increase if the client is geographically distant from the common store and communication delays accumulate. Note that if you are using a common store, the master keys are implicitly updated for the use of all clients, and there is no need to trigger any other update mechanism.

Common key storage implies:

  • Key update is implicit and simple (as there is only one store).

  • Keeps time delays short, thereby minimizing any problems synchronizing keys with data.

  • It is essential the common store is backed up frequently, as otherwise it is the only copy of the encryption keys.

Local storage of master encryption keys

If each client is using its own local copy of the Security World, then after an update of the master keys is initiated on any client, the updated keys must be distributed in a timely manner to the local Security Worlds of every other client. To achieve this, there must be some explicit update mechanism in order to recognize when an update is required in the first place, and then trigger the key distribution process.

Clearly, if this was done manually, it is likely to be a slow process. If it is done automatically, recognizing when a rekey occurs should not be difficult on the client that initiates it, and triggering the update should not therefore be a problem. Even so, for a configuration that uses dispersed local copies of the Security World, mechanisms to distribute the updated keys are likely to be slower and more difficult to implement than for the common key storage case. This makes the timely synchronization of the master keys with the data more problematic.

Entrust provide the utilities rfs-setup/rfs-sync (gang-client) that can provide limited facilities to distribute keys between different clients, although you must use an RFS for intermediate key storage. However, these utilities were originally designed for manual operation. Clearly, these utilities can be incorporated into automated scripts customized for your particular configuration. But elaborating this into an automated system to distribute your keys without synchronization problems is a task for your system development team. Further information about nCipher rfs-setup/rfs-sync utilities can be found in the User Guide for your HSM.

An alternative for key distribution is the UNIX rsync utility. However, it is beyond the scope of this guide to discuss how this may be used.

If you require further assistance for distributed key update arrangements, contact Entrust Support.

Local key storage and distribution implies:

  • An explicit update mechanism that may be complex to automate.

  • Greater difficulty in keeping distribution time delays short, increasing any problems in synchronizing keys with data.

  • There are multiple copies of the Security World, making the loss of any one copy less significant than may be the case with common storage.

Making a hardserver instance recognize new master keys

In a configuration with multiple clients sharing the same encryption keys, if a rekey is performed, the new keys should be immediately available and usable on the client that performed the rekey. However, for the other clients, after the new keys have been made available in their Security World folder, for the new keys to become usable to the local hardserver instance, you have a choice of the following options (this applies for both shared and local key storage):

  1. In the nCipher cknfastrc file for each client, insert the following:

    CKNFAST_ASSUME_SINGLE_PROCESS=0

    This will ensure the Security World folder is scanned for the latest keys whenever a key is required, and avoids key caching. However, with this option the Security World will be scanned every time a key is required, even if no new keys have been added to the Security World. If there are many keys this may take a significant time. Additionally, as it will be repeated every time a key is needed, it may slow down overall operations. However, use of this option should not require downtime for the key update.

  2. For each client that did not initiate a rekey, all applications/users that were using encryption keys on the database should be reconnected. A new connection will force a scan of the Security World that will pick up new keys. But in this case, it is a single scan for that connection, and will NOT be repeated every time a key is required. If you have many keys, encrypted database operations will be temporarily hindered only on the occasion you need to make a reconnection to update your master keys. Use of this option may imply temporary downtime while reconnections are made after a key update. But if you routinely make new connections on your system per transaction, this should be hardly noticeable.

Other considerations

Even if a client is not able to access the required master keys for a short period, this is not necessarily a serious problem. The Oracle database should be able to recover gracefully if unable to obtain the correct master key(s). It should be possible to program the database to rollback failed transactions and make several attempts to repeat the transaction, until some expiry point is reached.

If the delay in the update of the master keys is short, then repeated attempts at the transaction should eventually succeed when the master key update is complete. If it is not possible to do this within the Oracle database itself, then it should be possible to do something similar in the application code that is using the database.

If you are using the common shared storage, it is expected that any lag in updating the master keys will be short enough that either:

  • The Oracle database will not be affected.

  • The Oracle database will cope gracefully, and subsequently recover automatically as described above, as and when the update completes.

If delays in updating the master keys exceed the limits of what the Oracle database or application can cope with gracefully, then it may be necessary to halt encryption transactions temporarily while a master key rotation is performed.

Entrust strongly recommends you test your solutions in a safe environment before transferring to a production environment.

How Oracle works with the Entrust HSM

Before using the Entrust HSM, either a new Security World must be created using the HSM, or a previously created Security World must be loaded onto the HSM. For more information, see the User Guide for your HSM.

The Security World is stored in a folder on your host server(s) and holds the database encryption keys, and associated credential files, that are to be protected. All data in the Security World folder is automatically encrypted and is useless to anyone without the authorized access and decryption mechanisms. When encryption keys are to be used, they are loaded into the physically protected environment of the HSM where they may be securely decrypted for use. Encryption keys protected by an HSM are never available in plaintext outside the boundary of the HSM. Legitimate use of the encryption keys is authorized and protected as described below.

If you are creating a new Security World, you must create an Administrator Card Set (ACS). An ACS is a set of physical smartcard(s) that must be used to create a Security World. When the Security World has been created, the ACS is used to secure the higher administrative functions of the Security World. Without a quorum of ACS cards, you cannot create or load a Security World onto an HSM, or alter it. Each ACS card can be issued with a unique passphrase and is specific to the Security World. When the Security World is created, you must stipulate a minimum number of cards, known as a quorum, required to load the Security World onto an HSM at any later time. However, the number of cards in the set should exceed the quorum, so that spares are available in case of failures or loss of card. An encrypted copy of the created Security World is stored in a folder on the host server(s).

If you are loading an existing Security World onto an HSM, you need access to a folder holding the Security World, and a quorum of the same ACS cards, and associated passphrase(s), that were used to create the Security World.

After the Security World has been created or loaded onto the HSM, a suitable HSM protection method may be prepared, or resumed if it was already present in an existing Security World. The protection method enables authorized access to the encryption keys assigned to it. The following protection methods are available, in order of increasing authentication requirements:

  • Module protection: Oracle master encryption keys are protected by a Security World protecting key.

  • Softcard protection: Oracle master encryption keys are protected by a (singular) named software token key, a passphrase, and Security World protecting key.

  • Operator Card Set (OCS) protection: Oracle master encryption keys are protected by the presence of a set of named physical token(s) or smartcard(s), an OCS token key, and Security World protecting key. An OCS smartcard set is similar to the ACS card set in that it must stipulate a quorum of cards to authorize permission to use its protection. The number of cards in the set should exceed the number of HSMs that may be sharing the same Security World so that spares are available in case of failure. The card set should have a unique name that covers all cards in the set. In typical use with Oracle, all OCS cards in the same set should have the same passphrase, and the quorum is one.

For instructions to set up these protection methods, see the User Guide for your HSM.

If you have loaded an existing Security World onto the HSM and will be using an OCS card set that it already contains, you must use the same physical OCS cards and associated passphrase(s) that were originally created in that Security World. Similarly, for Softcard or module protection, you will need the original passphrase(s).

In this Integration Guide, the word credential is used for a passphrase, or the combination of a passphrase and a named token (OCS or Softcard). Before an Oracle database can make use of the facilities offered by the nShield HSM, it must have access to the nCipher library file libcknfast.so which is installed as described in this guide. This is vital, as without access to the nCipher library file, the Oracle database and nShield HSM or nCipher software cannot communicate. Once successful communication is established between the Oracle database and nShield HSM, the Oracle database can gain access to the HSM by use of a credential incorporated into an SQL script. When it is set up with a credential, the Oracle database can proceed to create and assign encryption keys to that credential if no encryption keys yet exist, and encrypt or decrypt data using the encryption keys protected by that credential.

A protection method or credential is uniquely associated with the Security World where it was created and cannot be used with any other Security World. It should also be uniquely associated with the encrypted database(s) it is protecting. An encrypted database cannot be decrypted without access to the same master keys that protect it (likely to be an asymmetric pair). If you use OCS protection, the Oracle database must use the correct OCS card name and associated passphrase in its SQL scripts to access the encryption keys assigned to the OCS. Likewise, if you use a Softcard, the Oracle database must use the correct Softcard name and associated passphrase in its SQL scripts to access the encryption keys assigned to the Softcard.

If you use module protection, a passphrase is required for the Oracle database access mechanisms only. The Oracle module protection passphrase does not have a reference or counterpart in the nShield HSM. This means that a user who is able to access keys directly in the HSM is able to access module protected keys for any database without requiring the Oracle passphrase. This does not apply for Softcard or OCS protection.

Use of the HSM credentials and associated SQL scripts that open up access to the encrypted data should be strictly limited to authorized persons. However, the system can be set up so that approved clients can retrieve the encrypted data that is automatically decrypted when it leaves the database. Approved database users do not need the HSM credentials and associated SQL scripts to do this. They can continue to use the database as normal. Encryption should be invisible to them in most circumstances.

If you first use an Oracle software keystore to protect the master encryption keys, but later want to switch to an HSM, the encryption facilities can be migrated to the HSM. Also, encryption facilities can be migrated from an HSM back to an Oracle software keystore. During migration, fresh master key(s) are created in the HSM or software keystore, and the subsidiary keys that are being protected are re-encrypted with the new master key(s). Legacy keys remain in the software keystore or HSM where they were created, and should be (securely) retained in case they were used for past backups or other legacy data. For more information on key migration, see the Oracle documentation.

For loading or failover, you can use more than one HSM in the same system. The HSMs must share the Security World, and operate together to provide the same functions as a single HSM.

There is some performance degradation when Transparent Data Encryption (TDE) is used. The impact depends on the types of transactions you typically perform. Using the Security World software and the HSM usually have a negligible impact on TDE performance. You should test your Oracle and HSM configuration in a realistic test environment before committing to a production environment.

All nShield HSMs are FIPS certified to 140 Level 3, meaning that they are tamper evident and tamper resistant. nShield Connects are also tamper responsive, if an attempt to open the nShield Connect body is detected, all stored HSM encryption key data is deleted.

The encryption facilities described in this document are designed only to protect data at rest. TDE encrypts data while stored on disk, but once the data is retrieved to working memory, it is in plaintext and can be read by anyone able to access it. Decrypted data in transit between a database server and client should be independently encrypted to ensure security during data transfer. Security World data is inherently encrypted. There should be minimal security risk in transmitting this data over open networks. Similarly, encrypted database contents should be minimally at risk if transmitted over open networks.