[Review] Oracle Key Vault Manages Keys and Peace of Mind

Businesses have a growing need to protect personally identifiable information, guarded health information, financial information, and dozens of other types of data on various systems within the enterprise. The most acceptable way of protecting data is through encryption, which means encryption is no longer optional for managing enterprise data. It has become an essential element of end-to-end data protection especially with the introduction and inclusion of the cloud. As enterprises implement encryption in their database, operating systems, and the cloud, management of those encryption keys becomes increasingly complex and difficult. Enterprises need a way to sensibly and securely manage those keys.

One solution for consideration is Oracle Key Vault (OKV), which has been designed to store, manage and protect the keys that unlock the encryption protecting enterprise data thereby reducing the costs associated with generating and managing keys throughout the lifecycle. Key Vault promises to simplify encryption key management by storing copies of the thousands, or even hundreds of thousands, of keys an enterprise utilizes in protecting its data and operations. Additionally, Key Vault  is not limited to just the encryption keys but can also safeguard credentialed documents as well as other “secrets” for the enterprise. In this process, Key Vault makes sure that organizations meet regulations and industry standards related to how keys are rotated, accessed and destroyed.

Key Vault is optimized for managing Oracle Advanced Security Transparent Data Encryption (TDE) master keys. Key Vault manages keys and security objects for endpoints. Endpoints include Oracle Databases, Middleware, Application Servers or systems that want to manage encryption keys and security artifacts centrally through Key Vault. Endpoint enrollment and provisioning can be automated by enabling protected RESTful interfaces for mass deployment on-premises or in the cloud. Key Vault is deployed in a primary and standby configuration for increased availability.

Enterprises often distribute Oracle Wallets and Java Keystores across servers and server clusters manually. Key Vault has been designed to itemize and store contents of these files in a master repository while simultaneously allowing server endpoints to continue operating disconnected from Key Vault by using local copies. Once archived, wallets and keystores can be recovered back to servers if local copies are mistakenly deleted or their passwords are forgotten thereby minimizing the risk of service disruptions from lost keys. Secure sharing of wallets also facilitates movement of encrypted data by utilizing Oracle DataPump and Oracle Transportable Tablespaces.

As an early proponent of the standard, Key Vault manages the keys using the industry standard OASIS Key Management Interoperability Protocol (KMIP), so the product can interoperate with other non-Oracle products as long as they are KMIP compliant.

Key Vault is a centralized management platform, which archives credential files in a master repository, supporting fast, easy file sharing and recovery. A browser-based management console offers point-and-click administration, simplified server enrollment and audit reports. OKV recently added hybrid cloud key management for accessing and connecting data centers to the cloud. On-premises Oracle Key Vault now also manages Oracle Advanced Security TDE master encryption keys for Oracle Databases in the Cloud including Oracle Database Cloud Service.

Hybrid Cloud Key Management is a deployment topology for cloud encryption solutions where data is encrypted in the cloud while the encryption key is managed from the on-premises Key Vault. Hybrid cloud key management enables customers to maintain control and visibility of keys used in the cloud as well as on-premises databases.

The original Key Vault package included an operating system, database, Key Vault software, and other related files. Oracle’s documentation indicates that the Key Vault environment is security hardened and the system removes unneeded software and disables unused services and ports. These security promises and features are included in all solutions.

The system also provides reports and alerts on key management activity and audits of all access to keys and keys’ lifecycle. For additional protection, the system separates administrator-level roles. Update and bug fix patches for the appliance are bundled and tested together and are generally issued every 90 days.

For databases using TDE, Key Vault centrally manages TDE master keys over a direct network connection instead of local wallet files. This direct connection eliminates operational challenges of wallet files management such as periodic password rotation, backing up wallet files and recovery from forgotten password situations. It also provides physical separation between the encryption key and encrypted data often needed in regulatory compliance.

Oracle Key Vault with TDE Keys
By allowing sharing through the endpoint access control, the master keys stored in Key Vault can be made available for decrypting tablespace keys or table keys across databases which eliminates the need for manual copy of wallets and encryption keys between servers. This method of sharing keys without local wallet copies is useful when TDE is running on database clusters like Oracle RAC. According to the website, “existing master keys used for encrypted data in Oracle databases can be easily migrated from Oracle Wallet to Oracle Key Vault as part of the initial setup.”

Many enterprises do not properly protect credential files containing SSH keys, Kerberos keytab files, and other similar credential files. Key Vault backs up credential files for long-term retention and recovery.  Key Vault can easily recover these files when needed, allows access to them and share them across trusted endpoints.

The full-stack, security-hardened software appliance uses Oracle Linux and Oracle Database technology for security, availability and scalability. Oracle Key Vault  is packaged as an ISO image. It comes as a pre-configured and secured software appliance, which is easy to install and can be deployed on compatible x86-64 hardware of users’ choice depending on the scale of deployment.

A browser-based management console makes it easy to administer Key Vault, prepare server endpoints, securely regulate key groups, and report on access to keys. Administrator roles can be divided into key, system and audit management functions for separation of duties. Additional users with operation responsibilities for server endpoints can be granted access to their keys and wallets for ease of management. Administrators can also receive email alerts for important status updates and system activities such as upcoming password and key expiration.

Key Vault uses various Oracle database security technologies to protect keys and secrets stored inside Key Vault. For instance, Key Vault uses TDE to encrypt keys stored in the embedded Oracle database. It also uses Oracle Database Vault to restrict unauthorized user access, and it audits all critical operations including key access and key life cycle changes.

Oracle Key Vault is validated to work in real-life complex Oracle deployments that involves various Oracle technologies including Oracle Real Application Clusters (RAC), Oracle Active Data Guard, and Oracle GoldenGate. Other third-party key management solutions including Hardware Security Modules (HSM) often fail to deliver promises in such real-life complex environments..

SafeNet and Thales offer centralized key management systems as well. SafeNet, from Gemalto, offers SafeNet KeySecure,  which is available as a hardware appliance or virtual security appliance like Oracle Key Vault. Primary use cases for SafeNet KeySecure are key management for various storage encryption solutions, either disk storage, SAN or NAS storage or tape library.

Additionally, Thales keyAuthority® helps organizations ‘implement effective management of cryptographic keys by using a centralized key management appliances” that “significantly enhances security compared with native, software-based key management.” It allows organizations to “regain control over fragmented deployments of encryption or other cryptography-based applications.”

Most recently, RSA has announced the end date for their data protection manager, which includes its key management system. Several enterprises that might have utilized this source will definitely be customers seeking an experienced vendor to replace the management need.

As enterprises look for ways to protect and easily manage keys with the rising usage of encryption, a centralized management system could be a pivotally important choice. The choices are varied out there, but for experienced vendor options, Oracle Key Vault has been around for a few years and has certainly proved to continue to improve the key management market. While Key Vault was built and designed specifically for managing Oracle Advanced Security TDE master keys in complex Oracle Database deployment, it has evolved to include managing TDE master keys for MySQL, managing Oracle Wallets, Java Keystores and Credential files as well.  It has proven to be a solid, well-supported product.

Additional Resources

Oracle’s Data Sheet

Oracle’s Resource Page

FAQ for Oracle Key Vault

FAQ for Oracle Key Vault Hybrid Cloud Key Management

Lindsey Cobb

Lindsey Cobb, a Georgia native and former history major, is a technology researcher who is fascinated by past and future of technology. When she is not engrossed in the prophecy of science fiction stories, Lindsey is likely to be planning her next adventurous trip or petting every dog she meets. Contact Lindsey at [email protected]