Tuesday, April 1, 2025

Protecting Your Encryption Keys: Lessons from the Oracle Cloud Security Breach (OKV - Part 1)

 








Intro

Recent reports have surfaced about a significant security breach involving Oracle Cloud. A threat actor, identified as "rose87168," claims to have exfiltrated over six million records, potentially affecting more than 140,000 tenants. The compromised data reportedly includes encrypted Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) passwords, Java KeyStores (JKS) files, and Enterprise Manager Java Platform Security (JPS) keys. The attacker is allegedly demanding payments from affected organizations to prevent further exposure.

This incident underscores the critical need for robust encryption key management and security best practices. While Oracle Cloud offers built-in security measures, organizations must proactively safeguard their sensitive credentials and encryption keys. This is where Oracle Key Vault (OKV) plays a crucial role in enhancing data security and mitigating potential threats.

It's not advisable to store your Transparent Data Encryption (TDE) keys locally, as disk corruption could lead to the loss of these critical keys. Managing keys manually across multiple Oracle and MySQL databases with TDE encryption can be challenging and error-prone. That’s why I always encourage customers to back up their keys to an external repository as part of disaster recovery planning. Oracle Key Vault (OKV) serves a crucial role in this context by providing a centralized repository to protect and manage keys. This product is highly mature in terms of security and offers robust protection for sensitive data.

How Oracle Key Vault Can Help

Oracle Key Vault (OKV) is designed to provide centralized and secure storage for encryption keys, certificates, and credentials, reducing the risk of unauthorized access. In light of this breach, organizations leveraging OKV can benefit in the following ways:

  1. Secure Key Management – OKV provides a dedicated environment for securely storing and managing encryption keys, preventing exposure even if other credentials are compromised.

  2. Separation of Duties – By decoupling encryption key storage from application environments, OKV minimizes the risk of key exposure in case of a breach.

  3. End-to-End Encryption – Sensitive data, including authentication credentials and cryptographic keys, remains encrypted both in transit and at rest.

  4. Auditing & Compliance – OKV provides robust auditing capabilities, helping organizations track key access and usage to meet regulatory compliance requirements.

  5. Automated Key Rotation – Regular key rotation can help mitigate risks associated with long-term key exposure, making it harder for attackers to exploit stolen credentials.


In this blog, I will walk you through the installation of the Oracle Key Vault (OKV) appliance in an on-premises environment. For this demonstration, I’ll be using VirtualBox to set up and test the deployment.

Initial Step 

The first step is to download the Oracle Key Vault (OKV) ISO image from Oracle e-Delivery.

  1. Visit Oracle e-Delivery.

  2. In the search bar, type Oracle Key Vault and locate the latest version (21.10).

  3. Download the ISO file for installation.




Figure 1: Download OKV


Create a VM that meets the following system requirements.

  • CPU: Minimum: x86-64 16 cores. Recommended: 24-48 cores with cryptographic acceleration support (Intel AES-NI).
  • Memory: Minimum 16 GB of RAM. Recommended: 32–64 GB.
  • Disk: Both BIOS and UEFI boot modes are supported. For a system with a boot disk size greater than 2 TB, Oracle Key Vault supports booting in UEFI mode only.
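
A pre-flight check against the CPU and memory minimums listed above, as an added example that is not part of the original post or of Oracle's tooling. It assumes a Linux VirtualBox host and reads `/proc/cpuinfo` and `/proc/meminfo`; the function names `has_cpu_flag` and `okv_preflight` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of a Linux VirtualBox host against the OKV
# minimums quoted above. Thresholds come from the list; file paths are assumed.

OKV_MIN_CORES=16
OKV_MIN_MEM_KB=$((16 * 1024 * 1024))   # 16 GB in kB, the unit /proc/meminfo uses

# has_cpu_flag FILE FLAG: true if FLAG appears as a whole word on a flags line.
has_cpu_flag() {
    grep -Eq "^flags[[:space:]]*:.*[[:space:]]$2([[:space:]]|\$)" "$1"
}

# okv_preflight [CPUINFO] [MEMINFO]
# Prints one line per finding. Returns 0 when the minimums are met, 1 otherwise.
okv_preflight() {
    cpuinfo=${1:-/proc/cpuinfo}
    meminfo=${2:-/proc/meminfo}
    rc=0

    cores=$(grep -c '^processor[[:space:]]*:' "$cpuinfo" || true)
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' "$meminfo")

    if [ "${cores:-0}" -lt "$OKV_MIN_CORES" ]; then
        echo "FAIL: $cores logical CPUs, minimum is $OKV_MIN_CORES"; rc=1
    fi
    if ! has_cpu_flag "$cpuinfo" lm; then
        echo "FAIL: CPU does not report 64-bit long mode (lm)"; rc=1
    fi
    # MemTotal is below installed RAM, so a host with exactly 16 GB fails here.
    # That is intended: it could not hand 16 GB to a guest anyway.
    if [ "${mem_kb:-0}" -lt "$OKV_MIN_MEM_KB" ]; then
        echo "FAIL: ${mem_kb:-0} kB RAM, minimum is $OKV_MIN_MEM_KB kB"; rc=1
    fi
    # AES-NI is recommended rather than required, so it only warns.
    if ! has_cpu_flag "$cpuinfo" aes; then
        echo "WARN: no AES-NI (aes flag); cryptographic operations will be slower"
    fi
    [ "$rc" -eq 0 ] && echo "OK: host meets the OKV minimums"
    return "$rc"
}
```

Source the file on the host and call `okv_preflight` with no arguments before creating the VM; a non-zero return means the guest cannot be given the minimum resources.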

Installation 

After downloading the OKV ISO, boot your system from the ISO image. Once the installation menu appears, simply press Enter to start a fresh installation of Oracle Key Vault.

                                             
Figure 2: Installation


Note: The installation will fail if the recommended values are not provided. For example, insufficient disk space can cause the installation to fail, as shown below.



Figure 3: Installation failure.

After pressing Enter, the installation process will begin by creating the Logical Volume Manager (LVM) and then proceed with the database installation.


Figure 4: Installation: LVM creation


During the installation, you will be prompted to provide the ISO file again. Reattach the ISO to proceed with the installation of the database and Oracle REST Data Services (ORDS), which powers the web-based interface built on APEX.



Figure 5: ISO file prompt 01


                      

Figure 6: ISO file prompt 02


Setup Network


The next step in the installation process is configuring the network for Oracle Key Vault (OKV). Since this is a test setup, I am selecting Classic Mode for the network configuration.

  
Figure 7: Setup network

Choose the appropriate network interface and configure the IP address for the Oracle Key Vault (OKV) appliance.


Figure 8: Setup network - 2


Figure 9: Setup network - 3


After applying the Database Release Update (RU), the installation proceeds with deploying the Oracle Key Vault (OKV) application within Oracle REST Data Services (ORDS).



Figure 9: Apply DB RU



Figure 10: Beginning application installation.

This figure illustrates the final step of the application installation process.


Figure 10: Completing the application installation.

Now we can access the OKV URL using the IP address or the hostname.



Figure 11: OKV login page.

Set up roles and users for OKV.

There are 3 different roles in OKV. 
  • Admin

  • System Administrator

  • Audit Manager

Alternatively, you can use the same account for all these roles. For this configuration, I will use a single account.



Figure 12: Setup users.

Once everything is configured, this is how the dashboard will appear when you log in to OKV.



Figure 13: Dashboard view.


In the next article, I will show you how to migrate TDE keys to OKV.

Conclusion

In an era where AI-driven security threats are becoming increasingly sophisticated, robust encryption key management is more critical than ever. Oracle Key Vault (OKV) provides a secure, centralized solution for managing encryption keys, reducing the risks associated with manual handling and local storage. By integrating OKV into their security strategy, organizations can enhance data protection, ensure compliance, and mitigate potential threats. As cybersecurity challenges evolve, proactive key management remains a fundamental pillar of a strong defense strategy.
