Intro
The Role of Oracle Key Vault in Securing Encryption Keys
One of the fundamental aspects of database security is effective key management. A common yet risky practice is storing Transparent Data Encryption (TDE) keys locally. This approach exposes organizations to data loss due to disk corruption or system failures. Furthermore, manually managing encryption keys across multiple Oracle and MySQL databases can be complex and prone to errors, increasing security risks.
Oracle Key Vault (OKV) provides a centralized, secure repository for managing encryption keys, certificates, and secrets. It plays a vital role in enhancing security by:
- Protecting Encryption Keys: OKV ensures that TDE keys and other critical credentials are securely stored, mitigating risks associated with local key storage.
- Automating Key Management: By streamlining key distribution and rotation, OKV reduces operational overhead and human error.
- Enhancing Compliance: Many regulatory frameworks require robust encryption key management. OKV helps organizations meet compliance standards by providing a secure and auditable key management solution.
- Supporting Disaster Recovery: Backing up encryption keys to an external, secure repository is crucial for disaster recovery. OKV facilitates seamless recovery processes, ensuring business continuity in case of system failures.
Strengthening Security Best Practices
To mitigate the risks associated with security breaches and ensure robust protection of sensitive data, organizations should adopt the following best practices:
- Implement Centralized Key Management: Use Oracle Key Vault or similar solutions to securely store and manage encryption keys.
- Enforce Strong Access Controls: Restrict access to encryption keys and credentials based on the principle of least privilege.
- Regularly Rotate Keys and Passwords: Frequent key and password rotation reduces the risk of prolonged exposure in the event of a breach.
- Monitor for Anomalous Activity: Utilize security monitoring tools to detect unauthorized access attempts and potential threats.
- Backup Encryption Keys Securely: Store backups in an encrypted, external repository to ensure data recovery in case of corruption or loss.
Initial setup.
In the previous article, we set up the admin user to connect to Oracle Key Vault (OKV). Now, use the admin account to log in to the OKV console.
If you need installation guidance, refer to: Protecting Your Encryption Keys: Lessons from the Oracle Cloud Security Breach (OKV - Part 1).
Figure 1: Initial login page
We need to create an endpoint in Oracle Key Vault (OKV). In this example, I have created a database named TWHSE01. Before proceeding, I will first set up the following folder structure.
Note: wallet_root is a special folder where you keep all the OKV files; best practice is to keep the OKV endpoint (EP) installation under the wallet_root folder.
mkdir -p /u01/app/oracle/admin/TCDB/wallet_root/tde       # Location for TDE keys
mkdir -p /u01/app/oracle/admin/TCDB/wallet_root/okv       # Location for the OKV endpoint
mkdir -p /u01/app/oracle/admin/TCDB/wallet_root/tde_seps  # Location for the external SSO key
Create an OKV endpoint (EP)
Overview of EP
Endpoints are Oracle Key Vault clients that securely store and retrieve security objects such as keys, passwords, certificates, and credential files.
These endpoints can include Oracle database servers, Oracle middleware servers, operating systems, and more. They use Oracle Key Vault for long-term secret retention, secure sharing with trusted peers, and on-demand retrieval.
Oracle Key Vault also provides a library that enables Transparent Data Encryption (TDE) to communicate with it. While Oracle Enterprise Manager can manage database server endpoints in Oracle Key Vault, it does not support TDE integration with Key Vault.
Default wallet
Create a default wallet and click Save. In this example, I have created WL_TWHSE01.
Download EP
Before downloading, be sure to note the token key, as it is required to download the endpoint software. The token key is shown in the endpoint details.
Figure 5: Token
Log out of Oracle Key Vault, return to the main login window, and click Endpoint Enrollment and Software Download.
Install the Endpoint
This file is crucial. After installation, be sure to remove it from the server. To simplify identification, name each endpoint software after the corresponding database.
In this example, I copied the file to the wallet_root/okv folder and renamed it to okvclient_TWHSE01.jar.
Note: For security best practices, ensure you delete this file after installation to prevent potential exploitation by hackers.
For endpoint installation, I am using 0KV2025! as the endpoint and external OKV password. Since TDE is file-based, I will use F1LE2025!.
- Endpoint password: 0KV2025!
- TDE password: F1LE2025!
Use the command below to install:
$ORACLE_HOME/jdk/bin/java -jar /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar -d /u01/app/oracle/admin/TWHSE01/wallet_root/okv -v
Sample installation output
[oracle@crs01 wallet_root]$ $ORACLE_HOME/jdk/bin/java -jar /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar -d /u01/app/oracle/admin/TWHSE01/wallet_root/okv -v
Detected JAVA_HOME: /u01/app/oracle/product/19.0.0/dbhome_1/jdk
Detected ORACLE_HOME: /u01/app/oracle/product/19.0.0/dbhome_1
Detected ORACLE_BASE: /u01/app/oracle
Using OKV_HOME: /u01/app/oracle/admin/TWHSE01/wallet_root/okv
Please set environment variables ORACLE_HOME, ORACLE_BASE, and OKV_HOME
consistently across processes.
Enter new Key Vault endpoint password ( for auto-login): 0KV2025!
Confirm new Key Vault endpoint password: 0KV2025!
The endpoint software for Oracle Key Vault installed successfully.
Deleted the file : /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar
[oracle@crs01 wallet_root]$
Run the root.sh script as root. This script creates the directory tree /opt/oracle/extapi/64/hsm/oracle/1.0.0, sets the appropriate ownership and permissions, and copies the PKCS#11 library into the directory.
Sample root.sh script execution output
[root@crs01 oracle]#/u01/app/oracle/admin/TWHSE01/wallet_root/okv/bin/root.sh
Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Setting PKCS library file permissions
Installation successful.
[root@crs01 oracle]#
Before the installation, the endpoint status was REGISTERED. After the installation, the endpoint status changed to ENROLLED.
Environment Variables.
To complete the installation, we must set up all environment variables correctly. When migrating TDE to OKV, the environment variables must point to the correct paths.
The important variables are ORACLE_HOME, ORACLE_SID, OKV_HOME and JAVA_HOME.
export ORACLE_BASE=/u01/app/oracle
export DB_HOME=$ORACLE_BASE/product/19.0.0/dbhome_1
export ORACLE_HOME=$DB_HOME
export ORACLE_SID=TWHSE01
export ORACLE_TERM=xterm
export OKV_HOME=/u01/app/oracle/admin/TWHSE01/wallet_root/okv
export JAVA_HOME=/u01/app/oracle/product/19.0.0/dbhome_1/jdk
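A post-install sanity check for the layout built above (an added example, not part of the article or of the OKV client software): `okv_postinstall_check` is a hypothetical helper that verifies the wallet_root subdirectories, the installed endpoint files, the absence of the downloaded okvclient jar, the PKCS#11 directory populated by root.sh, and restrictive permissions on the key directories. The PKCS#11 directory is a parameter so the check can be run against a test tree.

```shell
#!/bin/sh
# Hypothetical post-install check for an OKV endpoint installed under
# WALLET_ROOT/{tde,okv,tde_seps} as described in the article.
# Usage: okv_postinstall_check WALLET_ROOT [PKCS11_DIR]
# Returns 0 when every check passes, 1 otherwise; prints one line per finding.
# Assumes GNU stat (Linux) for the permission check.
okv_postinstall_check() {
  wallet_root="$1"
  pkcs11_dir="${2:-/opt/oracle/extapi/64/hsm/oracle/1.0.0}"
  rc=0

  # 1. Directory layout the database expects under WALLET_ROOT.
  for sub in tde okv tde_seps; do
    [ -d "$wallet_root/$sub" ] || { echo "FAIL: missing directory $wallet_root/$sub"; rc=1; }
  done

  # 2. Endpoint software is installed: okvclient.ora and okvutil must be present.
  [ -f "$wallet_root/okv/conf/okvclient.ora" ] || { echo "FAIL: okvclient.ora not found"; rc=1; }
  [ -x "$wallet_root/okv/bin/okvutil" ] || { echo "FAIL: okvutil not found or not executable"; rc=1; }

  # 3. The downloaded endpoint jar must be deleted after installation.
  for jar in "$wallet_root"/okv/okvclient*.jar; do
    [ -e "$jar" ] && { echo "FAIL: leftover endpoint jar $jar"; rc=1; }
  done

  # 4. root.sh should have copied the PKCS#11 library into the extapi directory.
  if [ -z "$(ls -A "$pkcs11_dir" 2>/dev/null)" ]; then
    echo "FAIL: no PKCS#11 library under $pkcs11_dir"; rc=1
  fi

  # 5. Directories holding key material must not be group/world writable or world readable.
  for sub in tde tde_seps; do
    [ -d "$wallet_root/$sub" ] || continue
    mode=$(stat -c '%a' "$wallet_root/$sub" 2>/dev/null)
    case "$mode" in
      700|750) ;;
      *) echo "FAIL: $wallet_root/$sub has mode '$mode' (expected 700 or 750)"; rc=1 ;;
    esac
  done

  [ "$rc" -eq 0 ] && echo "OK: endpoint layout under $wallet_root passed all checks"
  return "$rc"
}

# Example call (constructed path, matching the article's layout):
#   okv_postinstall_check /u01/app/oracle/admin/TWHSE01/wallet_root
```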
Upload TDE keys to OKV
Now, let's upload the TDE keys to the endpoint using the following command to add them to the OKV wallet.
[oracle@crs01 bin]$ ./okvutil upload -h
Usage 1: okvutil upload -l <location> -t <type> [-o] [-g <group>]
    type := WALLET | JKS | JCEKS
Usage 2: okvutil upload -l <location> -t <type> [-o] [-g <group>] [-d <description>]
    type := SSH | KERBEROS | TDE_KEY_BYTES | OTHER
Usage 3: okvutil upload -l <location> -t <type> -U <SSH-user> -L <length> [-g <group>] [-i <SSH-private-key-id>] [-d <description>]
    type := SSH_PUBLIC_KEY
Usage 4: okvutil upload -l <location> -t <type> -U <SSH-user> -L <length> [-g <group>] [-d <description>]
    type := SSH_PRIVATE_KEY
Description:
Use the upload command to upload data to the server.
Options:
-l, --location <location>
    Read information from <location>.
    For wallets, point to the directory containing the wallet.
    For all other types, point to the file.
-t, --type <type>
    Type of store.
    type := WALLET | JKS | JCEKS | SSH | KERBEROS | TDE_KEY_BYTES | SSH_PUBLIC_KEY | SSH_PRIVATE_KEY | OTHER
-o, --overwrite
    Overwrite any conflicting data on the server with the data to upload.
-g, --group <group>
    Name of object group (Oracle Key Vault virtual wallet).
    Note that group must exist and the endpoint must have sufficient access privileges.
-d, --description <description>
    Add a free-form description. This option is only valid when the source file type is one that Oracle Key Vault stores as a single object (OTHER, KERBEROS, SSH, TDE_KEY_BYTES, SSH_PUBLIC_KEY).
-i, --item <SSH-private-key-id>
    ID of the SSH private key linked to the SSH public key.
-U, --ssh-user <SSH-user>
    SSH user who owns the SSH public or private key.
-L, --length <length>
    Length (in bits) of the SSH public or private key to be uploaded.
Example:
* okvutil upload -l . -t wallet -g Group1
* okvutil upload -l foo.txt -t other -d description
* okvutil upload -l tde_key_bytes.txt -t tde_key_bytes -d master_key_for_db
* okvutil upload -l ./keystore.jks -t jks -g Group2
[oracle@crs01 bin]$
/u01/app/oracle/admin/SWHSE01/okv/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/SWHSE01/wallet/tde -g WL_SWHSE01 -v 4
Sample output:
[oracle@crs01 bin]$ pwd
/u01/app/oracle/admin/SWHSE01/okv/bin
[oracle@crs01 bin]$ /u01/app/oracle/admin/SWHSE01/okv/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/SWHSE01/wallet/tde -g WL_SWHSE01 -v 4
okvutil version 21.10.0.0.0
Endpoint type: Oracle Database
Configuration file: /u01/app/oracle/admin/SWHSE01/okv/conf/okvclient.ora
Server: 192.168.56.210:5696
Standby Servers:
Uploading from /u01/app/oracle/admin/SWHSE01/wallet/tde
Enter source wallet password:
No auto-login wallet found, password needed
Enter Oracle Key Vault endpoint password:
ORACLE.SECURITY.ID.ENCRYPTION.
Trying to connect to 192.168.56.210:5696 ...
Connected to 192.168.56.210:5696.
ORACLE.SECURITY.KB.ENCRYPTION.
Trying to connect to 192.168.56.210:5696 ...
Connected to 192.168.56.210:5696.
ORACLE.SECURITY.KM.ENCRYPTION.AUjX3D9pzU9xv0601AarqbMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AUjX3D9pzU9xv0601AarqbMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Uploaded 1 TDE keys
Uploaded 0 SEPS entries
Uploaded 0 other secrets
Uploaded 3 opaque objects
Uploading private key
Uploading certificate request
Uploading trust points
Uploaded 1 private keys
Uploaded 1 certificate requests
Uploaded 0 user certificates
Uploaded 0 trust points
Upload succeeded
[oracle@crs01 bin]$
Migrate TDE keys to OKV
Add a secret to allow use of "External Store".
I will securely store the OKV password in the keystore as a secret, allowing the use of the EXTERNAL STORE option instead of manually entering the password.
Next, I will create an external key in Oracle Key Vault (OKV) and migrate the existing encryption keys to OKV. The keys will be stored in the following directory: /u01/app/oracle/admin/TWHSE01/wallet_root/tde_seps
ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2025!' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/u01/app/oracle/admin/TWHSE01/wallet_root/tde_seps';
Note: As mentioned in the previous post:
- The keystore must be located in a subdirectory of WALLET_ROOT named "tde_seps" to be recognized.
- The "FOR CLIENT" entry must be 'OKV_PASSWORD' for proper detection.
- The keystore must be set to AUTO_LOGIN to ensure it can be opened and used automatically.
Enabling Auto Login for Oracle Key Vault (OKV) Keystore
To streamline access to the Oracle Key Vault (OKV) keystore, I will store the OKV password as a secret within the keystore. This setup enables AUTO_LOGIN, eliminating the need for manual password entry when accessing the OKV keystore.
The database can securely authenticate with OKV by configuring auto-login, ensuring seamless key management while maintaining strong encryption security.
Note: Before creating a new OKV SSO file, back up the current SSO file.
ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2025!' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/u01/app/oracle/admin/TWHSE01/wallet_root/tde';
alter system set tde_configuration = "KEYSTORE_CONFIGURATION=OKV|FILE" scope=both sid='*';
Validate the wallet status
SQL> set lines 600
SQL> col WALLET for a20
SQL> col WALLET_LOCATION for a80
SQL> select WRL_TYPE wallet, status, WALLET_TYPE, wrl_parameter wallet_location, KEYSTORE_MODE from v$encryption_wallet;
WALLET   STATUS   WALLET_TYPE   WALLET_LOCATION                             KEYSTORE
-------- -------- ------------- ------------------------------------------- --------
FILE     OPEN     UNKNOWN       /u01/app/oracle/admin/SWHSE01/wallet/tde/   NONE
OKV      CLOSED   UNKNOWN                                                   NONE
FILE     OPEN     UNKNOWN                                                   UNITED
OKV      CLOSED   UNKNOWN                                                   UNITED
FILE     OPEN     UNKNOWN                                                   UNITED
OKV      CLOSED   UNKNOWN                                                   UNITED
6 rows selected.
SQL>
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2025!"; -- OKV file based password
WALLET   STATUS              WALLET_TYPE  WALLET_ORDER  WALLET_LOCATION                                 KEYSTORE
-------- ------------------- ------------ ------------- ----------------------------------------------- --------
FILE     OPEN_NO_MASTER_KEY  AUTOLOGIN    SINGLE        /u01/app/oracle/admin/TWHSE01/wallet_root/tde/  NONE
OKV      OPEN_NO_MASTER_KEY  OKV          SINGLE
SQL>
Migrate the FILE local wallet to OKV
Now, execute the key migration command. This command must complete successfully to ensure full integration with OKV.
SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "0KV2025!" MIGRATE USING "F1LE2025!" WITH BACKUP;
keystore altered.
Validate wallet status
SQL> @tde_status.sql
WALLET   STATUS   WALLET_TYPE  WALLET_ORDER  WALLET_LOCATION                                 KEYSTORE
-------- -------- ------------ ------------- ----------------------------------------------- --------
FILE     OPEN     AUTOLOGIN    SECONDARY     /u01/app/oracle/admin/TWHSE01/wallet_root/tde/  NONE
OKV      OPEN     OKV          PRIMARY                                                       NONE
SQL>