1 Introduction to Oracle Key Vault

Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of security objects within the enterprise.

1.1 About Oracle Key Vault and Key Management

Oracle Key Vault is a robust, secure, and standards-compliant key management platform, where you can store, manage, and share your security objects like encryption keys, Oracle wallets, Java keystores (JKS), Java Cryptography Extension keystores (JCEKS), and credential files.

Oracle Key Vault will help you deploy encryption across your enterprise quickly and efficiently. Built upon Oracle Linux and Oracle Database technology, Oracle Key Vault's centralized, available, and scalable security solution will help you overcome the biggest key-management challenges facing organizations today. With Key Vault you can retain, back up, and restore your security objects, prevent their accidental loss, and manage their lifecycle in a protected environment.

Oracle Key Vault is optimized for the Oracle Stack (Database, Middleware, Systems), and Advanced Security Transparent Data Encryption (TDE).

1.2 Benefits of Using Oracle Key Vault

Deploying Oracle Key Vault in your organization will help you:

  • Manage the key lifecycle for endpoints, which includes key creation, rotation, deactivation, and removal.

  • Prevent the loss of keys and wallets due to forgotten passwords or accidental deletion.

  • Share keys securely across authorized endpoints in the enterprise.

  • Enroll and provision endpoints easily using a single software package that contains all the necessary binaries, configuration files, and endpoint certificates for mutually authenticated connections between endpoints and Oracle Key Vault.

  • Work with other Oracle products and features in addition to TDE, such as Oracle Real Application Clusters (Oracle RAC), Oracle Active Data Guard, and Oracle GoldenGate. Oracle Key Vault also facilitates the movement of encrypted data using Oracle Data Pump and transportable tablespaces, a key feature of Oracle Database.

Figure 1-1 The Centralized Key-Management Platform of Oracle Key Vault


This figure illustrates a typical deployment of Oracle Key Vault from a location central to the enterprise.

It interacts with the following components:

  • Transparent Data Encryption refers to Oracle databases protected with TDE.

  • Oracle wallets and Java keystores are containers for security objects that you upload and download between Oracle Key Vault and endpoints.

  • Other Keystore Files are security objects such as certificates, and credential files such as Kerberos keytab files, SSH key files, and server password files, that you upload to Oracle Key Vault from endpoints.

  • Management Console refers to the Oracle Key Vault graphical user interface, where you can log in to manage your security objects and administer the Key Vault system.

  • Appliance Backup refers to a backup device, where security objects in Oracle Key Vault can be backed up on demand or on a schedule.

1.3 Who Should Use Oracle Key Vault?

Oracle Key Vault is meant primarily for users who are responsible for deploying, maintaining, and managing security within the enterprise. These users can be database, system, or security administrators, indeed any information security personnel responsible for protecting enterprise data in database servers, application servers, operating systems, and other information systems. They manage encryption keys, Oracle wallets, Java keystores, and other security objects on a regular basis.

Other users can include personnel responsible for Oracle databases, and for servers that interact with Oracle Database, because Oracle Key Vault provides inherently tighter integration with Oracle Database. These systems often deploy encryption on a large scale and may need to simplify key and wallet management.

1.4 Major Features of Oracle Key Vault

Oracle Key Vault enhances security in key management with a set of robust features, such as centralizing the storage and management of security objects.

1.4.1 Centralized Storage and Management of Security Objects

You can store and manage the following types of security objects using Key Vault:

  • TDE master keys

    For Oracle databases that use Transparent Data Encryption (TDE), Oracle Key Vault manages TDE master keys over a direct network connection as an alternative to using local wallet files. The keys stored in Oracle Key Vault can be shared across databases according to endpoint access control settings. This method of sharing keys without local wallet copies is useful when TDE is running on database clusters such as Oracle RAC, Oracle Active Data Guard, or Oracle GoldenGate. You can easily migrate master keys from Oracle wallets to Oracle Key Vault. Direct connections between TDE and Oracle Key Vault are supported for Oracle Database 11g Release 2 and Oracle Database 12c.

  • Oracle wallets and Java keystores

    Oracle wallets and Java keystores are often widely distributed across servers and server clusters, with backup and distribution of these files performed manually. Oracle Key Vault itemizes and stores contents of these files in a master repository, yet allows server endpoints to continue operating with their local copies, while disconnected from Oracle Key Vault. After you have archived wallets and keystores, you can recover them to their servers if their local copies are mistakenly deleted or their passwords are forgotten. Oracle Key Vault streamlines the sharing of wallets across database clusters such as Oracle RAC, Oracle Active Data Guard, and Oracle GoldenGate. Sharing of wallets also facilitates the movement of encrypted data using Oracle Data Pump and the transportable tablespaces feature of Oracle Database. You can use Oracle Key Vault with Oracle wallets from all supported releases of Oracle middleware products and Oracle Database.

  • Credential files

    Applications store keys, passwords, and other types of sensitive information in credential files that are often widely distributed without appropriate protective mechanisms. Secure Shell (SSH) key files and Kerberos keytabs are examples of credential files. Oracle Key Vault backs up credential files for long-term retention and recovery, audits access to them, and shares them across trusted server endpoints.

  • Certificate files

    X.509 certificate files (common file extensions include .pem, .cer, .crt, .der, and .p12), which are used to authenticate and validate user identities and to encrypt data on communication channels, can also be stored, shared, and managed in Oracle Key Vault.

1.4.2 Management of Key Lifecycle

The management of the key lifecycle is critical for maintaining security and regulatory compliance, and consists of four main functions: creation, backup, rotation, and expiration.

Unlike most systems that create keys and passwords, including TDE, Oracle Key Vault provides mechanisms for periodic key rotation, backup, and recovery, which help customers stay in regulatory compliance. You can create policies to track the key lifecycle, and configure Oracle Key Vault to report key lifecycle changes as they happen. In this way you will know when keys are due to expire, and can ensure that they are properly rotated and backed up.

Key lifecycle tracking is very important for maintaining compliance with industry and governmental standards, such as the Payment Card Industry Data Security Standard (PCI DSS), which deal with highly sensitive data and therefore have stringent requirements regarding the maximum lifetime of encryption keys and passwords.

1.4.3 Reporting and Alerts

Oracle Key Vault provides a comprehensive and in-depth view of system activity in the form of reports and alerts.

  • Reports

    Oracle Key Vault provides a set of audit and management reports with detailed statistics on system, user, and endpoint activity; certificate, key, and password expiry; and the entitlement and metadata of security objects. Audit reports capture all user and endpoint actions, the objects of the actions, and their final result.

  • Alerts

    You can configure the types of alerts you want to receive. These include alerts for the expiration of keys, endpoint certificates, and user passwords, disk utilization, system backup, and high availability events. You can choose to send alerts to syslog to allow for external monitoring.

1.4.4 Separation of Duties for Oracle Key Vault Users

Oracle Key Vault provides for a separation of duties in the form of three user roles: Key Administrator, System Administrator, and Audit Manager.

Each user role possesses privileges for a type of task and may be assigned singly to one user (for a strict separation of duties) or combined so that a single user performs multiple user roles, according to the needs of the organization. The user who is responsible for uploading and downloading security objects between Oracle Key Vault and the endpoint is referred to as the endpoint administrator. Only endpoint administrators can directly access security objects, provided they have been granted access, and only through the installed endpoint software. Security objects cannot be retrieved through the web-based GUI.

1.4.5 Support for a High Availability Environment

To ensure that Oracle Key Vault can always access security objects, Oracle Key Vault can be deployed in a highly available configuration. This configuration also supports disaster recovery scenarios.

You can deploy two Oracle Key Vault appliances in a high availability configuration. The primary appliance services the requests that come from endpoints. If the primary appliance fails, then the standby appliance takes over after a configurable preset delay. This configurable delay ensures that the standby server does not take over prematurely in case of short communication gaps.

Oracle Key Vault uses Oracle Data Guard to synchronize data between the primary and standby nodes in a high availability deployment.

1.4.6 Persistent Master Key Cache

The persistent master key cache feature enables databases to be operational when the Oracle Key Vault server is unavailable for any reason. The TDE master key is cached in the persistent master key cache in addition to the in-memory cache, to make the master key available across database processes. It eliminates the need for databases to contact the Oracle Key Vault server for every new process, redo log switch, or database startup.

1.4.7 Backup and Restore Functionality for Security Objects

Oracle Key Vault enables you to back up all security objects including keys, certificates, and passwords. It encrypts backups for better protection of the sensitive keys and security objects and supports storing them securely at a remote destination.

This feature prevents loss of your sensitive data in the case of appliance failure, because you can restore a new Oracle Key Vault appliance to a previous state from a backup.

Oracle Key Vault can transfer backup files to any remote location that implements the Secure Copy Protocol (SCP).

Users with the System Administrator role can perform the following backup and restore tasks in Oracle Key Vault:

  • Create, delete, and modify remote backup locations.

  • Set up, modify, or disable the current backup schedule.

  • Initiate an immediate one-time backup.

  • Schedule a future one-time backup.

Oracle Key Vault performs hot backups, which means that the system is not interrupted while the backup is being created.

1.4.8 Automation of Endpoint Enrollment Using Protected RESTful Services

The RESTful Services utility is an automation tool that enables you to quickly enroll and provision endpoints and endpoint groups at scale. Automation reduces the multiple steps of enrolling and provisioning endpoints to a single function call at the command line. This is useful for administrators of large distributed enterprise systems, who might need to enroll and provision many hundreds of endpoints simultaneously under the protective security measures of RESTful services.

1.4.9 Support for OASIS Key Management Interoperability Protocol (KMIP)

OASIS Key Management Interoperability Protocol (KMIP) standardizes key management operations between key management servers and endpoints provided by different vendors.

Oracle Key Vault implements the following OASIS KMIP Version 1.1 profiles:

  • Basic Discover Versions Server Profile: Provides the server version to endpoints.

  • Basic Baseline Server KMIP Profile: Provides core functionality to retrieve objects from the server.

  • Basic Secret Data Server KMIP Profile: Provides endpoints the ability to create, store, and retrieve secret data (typically passwords) on the server.

  • Basic Symmetric Key Store and Server KMIP Profile: Provides endpoints the ability to store and retrieve symmetric encryption keys on the server.

  • Basic Symmetric Key Foundry and Server KMIP Profile: Provides endpoints the ability to create new symmetric encryption keys on the server.

See Also:

http://docs.oasis-open.org/kmip/spec/v1.1/os/kmip-spec-v1.1-os.html for information about the OASIS KMIP specification

1.4.10 Database Version and Platform Support

Oracle Key Vault supports Oracle Database versions 11g Release 2 and later on Oracle Linux x86-64, Solaris, AIX, and HP-UX (IA) as endpoints without patching. Oracle Key Vault also supports Oracle Database versions 11g Release 2 (BP 9 and later) and 12c Release 1 (12.1.0.2) on Windows Server 2008 and Windows Server 2012.

1.4.11 Integration with External Audit and Monitoring Services

Oracle Key Vault supports integration with Oracle Audit Vault and Database Firewall for central storage of the audit records it generates. Oracle Key Vault also supports the use of SNMP v3 to monitor the health and availability of the system.

1.4.12 MySQL Integration with Oracle Key Vault

Oracle Key Vault can manage MySQL TDE encryption keys.

Note:

MySQL Windows databases are not supported.

1.5 Oracle Key Vault Interfaces

Oracle Key Vault provides two interfaces: a management console and an endpoint command-line utility for uploading and retrieving security objects.

  • Oracle Key Vault management console

    The Oracle Key Vault management console is a browser-based graphical user interface that enables Oracle Key Vault administrators to manage security objects, wallets, endpoints, and users, and to configure system settings such as high availability, backup, and recovery.

  • Oracle Key Vault okvutil endpoint utility

    The okvutil command-line utility enables endpoint administrators to upload and download security objects between Oracle Key Vault and endpoints. The okvutil utility communicates with Oracle Key Vault over a mutually authenticated secure connection.

1.6 Overview of a Successful Oracle Key Vault Deployment

You can use the following steps as a guideline to deploying Oracle Key Vault successfully within your organization:

  1. Understand key concepts described in Chapter 2, Concepts.

  2. Install and configure Oracle Key Vault as outlined in Chapter 3, Oracle Key Vault Installation and Configuration.

  3. Create a high availability configuration by adding a second Key Vault appliance. Enable High Availability Read-Only Restricted mode to ensure operational continuity of the endpoints. This is described in Chapter 4, High Availability, Backup and Restore.

    Note:

    You must have a separate license for each Oracle Key Vault server installation in a high availability environment.

  4. Create users to manage the day-to-day tasks for Oracle Key Vault as described in Chapter 5, Managing Oracle Key Vault Users.

  5. Upload or add virtual wallets to Oracle Key Vault, as described in Chapter 6, Managing Oracle Key Vault Virtual Wallets and Security Objects.

  6. Add endpoints so that they can use Oracle Key Vault to store and manage their security objects, as described in Chapter 7, Managing Oracle Key Vault Endpoints.

  7. Add endpoints in the cloud, as described in Chapter 9, Oracle Cloud Database as a Service Endpoints.

  8. Enroll endpoints so that you can upload or download security objects between the endpoints and Oracle Key Vault, as described in Chapter 8, Enrolling Endpoints for Oracle Key Vault.

  9. Read about automating endpoint enrollment and provisioning for large-scale enterprise deployments in Chapter 10, Endpoint Enrollment Automation with RESTful Services.

  10. Read about typical use cases described in Chapter 11, Oracle Key Vault Use Case Scenarios.

  11. Learn how to perform periodic maintenance tasks, such as administering and monitoring the system, as described in Chapter 12, General Oracle Key Vault Management.