Oracle Exadata Cloud Service (ExaCS) uses Oracle Transparent Data Encryption (TDE) to protect data at rest for its databases. TDE is a two-tier key architecture comprising data encryption keys and a master encryption key. The data encryption keys protect tables and tablespaces, and each of them is wrapped by a single database master encryption key. The master key is kept separate from the encrypted data and stored outside of the database, so the datafiles alone are useless without it. Until now, the TDE master key has been Oracle-managed and stored in an Oracle wallet, a PKCS#12-format key storage file.
We are excited to announce the general availability of ExaCS integration with the Oracle Cloud Infrastructure (OCI) Vault service. You now have the control to create and manage the TDE master keys that protect your Exadata database, and all network connections between your databases and OCI Vault are encrypted and mutually authenticated using TLS.
What are the benefits of Vault?
- You centrally control and manage your TDE master keys.
- Your keys are stored in a highly available, durable and managed service.
- Your keys can be protected by hardware security modules (HSMs) certified to Federal Information Processing Standards (FIPS) 140-2 Security Level 3.
- You can rotate your keys and audit their cryptographic operations to meet compliance and regulatory needs.
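The two-tier hierarchy described at the top of the post, and the master-key rotation listed as a benefit, are easier to reason about in code. The block below is an added illustration, not Oracle's or the ExaCS code: a `MasterKeyStore` stands in for the wallet or OCI Vault, a `Database` keeps only wrapped data encryption keys next to its encrypted blocks, and rotating the master key re-wraps the DEKs without touching a single byte of tablespace ciphertext. Because the Python standard library has no AES, `seal`/`open_` use an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag as a stand-in for AES-256; the key structure, not the primitive, is the point.

```python
"""Two-tier TDE key hierarchy, added illustration (not Oracle's code).

Data encryption keys (DEKs) protect tablespaces. Each DEK is wrapped by a
master encryption key (MEK) that lives outside the database: the wallet, or
with customer-managed keys, OCI Vault. The cipher below is an HMAC-SHA256
counter-mode stream plus an HMAC tag, standing in for AES-256 (assumption:
the standard library has no AES).
"""
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the stream key and the MAC key from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (AES-GCM stand-in)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class MasterKeyStore:
    """Stands in for the wallet / OCI Vault: holds MEK versions, never data."""

    def __init__(self):
        self.versions = {}
        self.current = 0

    def create_version(self) -> int:
        self.current += 1
        self.versions[self.current] = os.urandom(32)  # AES-256-sized MEK
        return self.current

    def key(self, version: int) -> bytes:
        return self.versions[version]


class Database:
    """Keeps wrapped DEKs and encrypted blocks; never a plaintext MEK."""

    def __init__(self, mek_store: MasterKeyStore):
        self.mek_store = mek_store
        self.wrapped_deks = {}  # tablespace -> (mek_version, wrapped DEK)
        self.blocks = {}        # tablespace -> list of sealed blocks

    def create_tablespace(self, name: str) -> None:
        dek = os.urandom(32)
        v = self.mek_store.current
        # The tablespace name is bound as AAD so a wrapped DEK cannot be swapped
        # between tablespaces without detection.
        self.wrapped_deks[name] = (v, seal(self.mek_store.key(v), dek, aad=name.encode()))
        self.blocks[name] = []

    def _dek(self, name: str) -> bytes:
        v, wrapped = self.wrapped_deks[name]
        return open_(self.mek_store.key(v), wrapped, aad=name.encode())

    def write(self, name: str, row: bytes) -> None:
        self.blocks[name].append(seal(self._dek(name), row))

    def read(self, name: str) -> list:
        dek = self._dek(name)
        return [open_(dek, b) for b in self.blocks[name]]

    def rotate_master_key(self) -> int:
        """Re-wrap every DEK under a new MEK version; data blocks are untouched."""
        new_v = self.mek_store.create_version()
        for name, (old_v, wrapped) in list(self.wrapped_deks.items()):
            dek = open_(self.mek_store.key(old_v), wrapped, aad=name.encode())
            self.wrapped_deks[name] = (new_v, seal(self.mek_store.key(new_v), dek, aad=name.encode()))
        return new_v


def demo() -> dict:
    vault = MasterKeyStore()
    vault.create_version()
    db = Database(vault)
    db.create_tablespace("USERS")
    db.write("USERS", b"alice,4111111111111111")  # constructed sample row
    blocks_before = list(db.blocks["USERS"])
    wrapped_before = db.wrapped_deks["USERS"][1]
    new_version = db.rotate_master_key()
    # Someone holding the datafiles but not the MEK cannot unwrap the DEK.
    try:
        open_(os.urandom(32), db.wrapped_deks["USERS"][1], aad=b"USERS")
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "rows": db.read("USERS"),
        "mek_version": new_version,
        "ciphertext_unchanged": blocks_before == db.blocks["USERS"],
        "wrapped_dek_changed": wrapped_before != db.wrapped_deks["USERS"][1],
        "wrong_key_rejected": wrong_key_rejected,
    }
```

Rotation is cheap precisely because only the wrapped DEKs are rewritten; this is why a master-key rotation policy in Vault does not imply re-encrypting terabytes of tablespaces, and why auditing operations on the MEK is a meaningful proxy for who could have read the data.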
In order to use customer-managed keys with an Exadata database, you first go to the Vault service and create an encryption key; the key algorithm must be AES-256. Next, make sure the required IAM policy is in place for you to manage keys in Vault. Once these prerequisites are complete, you can create an Exadata database protected by your customer-managed key. Only Oracle Database 11g Release 2 (11.2.0.4) and later releases are supported.
How to use customer-managed keys for ExaCS in OCI console?
Creation of Database:
The Create Database flow for Exadata has a new encryption field under Show Advanced Options called customer-managed keys. Once you select it, you choose the Vault and the encryption key you control, and that key becomes the database's TDE master key. It's that simple. The default encryption option remains Oracle-managed. After the database is created, the Database details page shows whether it is protected by an Oracle-managed or a customer-managed key.
The image below shows an example of selecting customer-managed keys, followed by the resulting Database details page.
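The same three steps (create an AES-256 key in Vault, set the IAM policy, create the database with that key) can be scripted with the OCI CLI. The script below is an added example, not from the original post or from Oracle; every OCID and the Vault management endpoint are placeholders you must replace, the IAM statements are an assumption of what "manage keys in Vault" needs for a user group (the database service itself needs its own policy per Oracle's Vault documentation, which this page does not list), and the `--protection-mode` and `--kms-key-id` flags are taken from the CLI reference rather than the page. The one check worth keeping even if you use the console is `key_shape_ok`: it refuses to wire a key to a database unless its key shape is AES with a 32-byte length.

```shell
#!/bin/sh
# Added example (not from the original post): the console procedure above done
# with the OCI CLI. OCIDs and the endpoint are placeholders; `--kms-key-id` on
# `oci db database create` and `--protection-mode HSM` are assumed from the CLI
# reference, not shown on the page.
set -eu

COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..REPLACE_ME}"
VAULT_MGMT_ENDPOINT="${VAULT_MGMT_ENDPOINT:-https://REPLACE_ME-management.kms.REGION.oraclecloud.com}"
DB_HOME_OCID="${DB_HOME_OCID:-ocid1.dbhome.oc1.REGION.REPLACE_ME}"

# Assumed IAM statements (JSON array for --statements) letting a user group
# manage keys and use vaults in a compartment.  $1 = group, $2 = compartment.
manage_keys_policy() {
  printf '["Allow group %s to manage keys in compartment %s","Allow group %s to use vaults in compartment %s"]\n' \
    "$1" "$2" "$1" "$2"
}

# Guard: ExaCS TDE master keys must be AES-256, i.e. key-shape
# {"algorithm":"AES","length":32} (length is in bytes).  Reads the JSON from
# `oci kms management key get` on stdin and succeeds only for that shape.
key_shape_ok() {
  compact=$(tr -d '[:space:]')
  case "$compact" in *'"algorithm":"AES"'*) ;; *) return 1 ;; esac
  case "$compact" in *'"length":32,'*|*'"length":32}'*) return 0 ;; *) return 1 ;; esac
}

# $1 = display name; prints the OCID of the new HSM-protected AES-256 key.
create_master_key() {
  oci kms management key create \
    --compartment-id "$COMPARTMENT_OCID" \
    --display-name "$1" \
    --key-shape '{"algorithm":"AES","length":32}' \
    --protection-mode HSM \
    --endpoint "$VAULT_MGMT_ENDPOINT" \
    --query 'data.id' --raw-output
}

# $1 = DB name, $2 = admin password, $3 = key OCID.  Verifies the key shape
# before creating the database so a wrong key fails here, not at TDE setup.
create_exadata_database() {
  oci kms management key get --key-id "$3" --endpoint "$VAULT_MGMT_ENDPOINT" \
    | key_shape_ok || { echo "refusing: $3 is not an AES-256 key" >&2; return 1; }
  oci db database create \
    --db-home-id "$DB_HOME_OCID" \
    --db-name "$1" \
    --admin-password "$2" \
    --kms-key-id "$3"
}

run_workflow() {
  oci iam policy create --compartment-id "$COMPARTMENT_OCID" \
    --name "tde-key-admins" --description "Manage TDE master keys in Vault" \
    --statements "$(manage_keys_policy dba-admins Prod)"
  key_ocid=$(create_master_key "exacs-tde-mek")
  create_exadata_database ORCL "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}" "$key_ocid"
}

# The real calls only run when asked, so the functions can be sourced and reused.
if [ "${RUN_WORKFLOW:-0}" = "1" ]; then run_workflow; fi
```

Run it with `RUN_WORKFLOW=1 ADMIN_PASSWORD=... ./create-exacs-cmk.sh` after replacing the placeholders; `key_shape_ok` is the part you may want to lift into any pipeline that hands a Vault key to a database, since Vault will happily create RSA or 128-bit AES keys that the database cannot use as a TDE master key.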