1 Getting Started with HSM

To integrate a hardware security module (HSM) with Oracle Key Vault, you must install the HSM and enroll Key Vault as an HSM client.

1.1 How Oracle Key Vault Works with Hardware Security Modules

This guide explains how to configure Oracle Key Vault to use a supported hardware security module (HSM).

An HSM is tamper-resistant, purpose-built hardware whose contents are far harder to extract than the contents of ordinary server memory. Your site may require that an HSM be connected directly to each Oracle or MySQL database for encryption key management. As the number of databases grows, so does the load placed on the HSMs, and only an enterprise-grade key manager can absorb that load. Configuring an Oracle Key Vault cluster to operate between Transparent Data Encryption (TDE)-enabled databases and the HSMs lets the key manager handle this load efficiently.

Oracle Key Vault is a full-stack software appliance that contains an operating system, a database, and a key-management application to help organizations store and manage their keys and credentials. The configuration that you perform using this guide also establishes a Root of Trust (RoT) for Oracle Key Vault in the HSM. When an HSM is deployed with Oracle Key Vault, the RoT remains in the HSM. The HSM RoT protects the wallet password, which protects the TDE master encryption key, which in turn protects all the encryption keys, certificates, and other security artifacts managed by the Oracle Key Vault server. Note that the HSM in this RoT usage scenario does not store any customer encryption keys. The customer keys are stored and managed directly by the Oracle Key Vault server.

Using the HSM as a RoT is intended to mitigate attempts to recover keys from an Oracle Key Vault server that has been started in an unauthorized environment. Physical loss of an Oracle Key Vault server from a facility is one example of such a scenario. An unauthorized user attempting to run a lost or stolen Oracle Key Vault server without authorized access to the HSM would be prevented from recovering the encryption keys stored on the appliance, because the wallet password that unlocks them never leaves the HSM.

Oracle Key Vault employs a hierarchy of security controls including operating system hardening, database encryption, and data access enforcement using Database Vault. These controls are designed to mitigate the risk of users potentially extracting keys and credentials from systems they can physically access. Administrators do not need to access the internal components of the appliance for normal, day-to-day operations. Oracle Key Vault should be deployed in a secure location, and physical and logical access to the appliance should be controlled and monitored.

If your site uses HSMs from SafeNet, nCipher (a Thales company), or Utimaco, then you can configure these HSM products with Oracle Key Vault in standalone, primary-standby, and multi-master cluster environments.

This guide assumes that you have installed and configured Oracle Key Vault. It also assumes that you have sufficient knowledge of the HSM products that you plan to configure.

The general process that you must follow to configure the HSM with Oracle Key Vault is as follows:

  1. Install the HSM client software on the Oracle Key Vault server.
  2. Enroll Oracle Key Vault as a client of the HSM.
  3. Perform further configuration operations, which are as follows:
    • Configure protection for the TDE master encryption key with the HSM.
    • Enable the HSM in a primary-standby Oracle Key Vault installation.
    • Configure the HSM in a multi-master cluster environment.
    • Perform backup and restore operations in an HSM-enabled Oracle Key Vault instance.
    • When necessary, perform reverse migration operations to a local wallet.

1.2 Installing the HSM Client Software on an Oracle Key Vault Server

After you install Oracle Key Vault, you can install the HSM client software on the Oracle Key Vault server.

  1. Ensure that the vendor's client software includes a PKCS#11 library. Oracle Key Vault accesses the HSM through this library.
    Refer to the HSM documentation from the HSM vendor for more information.
  2. Install the HSM vendor's client software on the Oracle Key Vault server.
    You can install SafeNet, nCipher, Thales, or Utimaco HSM products.

1.3 Enrolling Oracle Key Vault as a Client of the HSM

You must enroll Oracle Key Vault as a client of HSM and ensure connectivity between the HSM client and the HSM.

  1. If you have not already done so, install the HSM vendor's client software on the Oracle Key Vault server.
  2. Ensure that the HSM client software can communicate from Oracle Key Vault to the HSM, for example by listing the slots and tokens the HSM exposes through the vendor's PKCS#11 library and confirming that a token is present and initialized.
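The two checks above (section 1.2, step 1: the vendor library really is a PKCS#11 library; section 1.3, step 2: the client can reach the HSM) can be carried out with one stand-alone script before touching any Oracle Key Vault configuration. The following is an added example and not Oracle Key Vault's or any HSM vendor's tooling: it loads the vendor's PKCS#11 shared library with ctypes, walks the standard CK_FUNCTION_LIST, calls C_Initialize, enumerates slots that report a present token, and decodes each token's flags. The library path on the command line is an assumption; point it at whatever .so the vendor's client installed. Where the check stops (load, C_GetFunctionList, C_Initialize, C_GetSlotList) tells you which part of the installation or enrollment is broken.

```python
"""Stand-alone PKCS#11 connectivity check for a freshly installed HSM client.

Added example, not Oracle Key Vault's own tooling. The library path is an
assumption: pass the PKCS#11 shared library that the HSM vendor's client
software installed on the Oracle Key Vault server.
"""
import ctypes
import json
import sys

CK_ULONG = ctypes.c_ulong   # CK_ULONG, CK_RV and CK_SLOT_ID on LP64 Linux
CK_RV = ctypes.c_ulong
CK_SLOT_ID = ctypes.c_ulong

# PKCS#11 return codes a first connectivity test is most likely to meet.
CKR_NAMES = {0x000: "CKR_OK", 0x005: "CKR_GENERAL_ERROR", 0x006: "CKR_FUNCTION_FAILED",
             0x030: "CKR_DEVICE_ERROR", 0x032: "CKR_DEVICE_REMOVED",
             0x0E0: "CKR_TOKEN_NOT_PRESENT", 0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
             0x191: "CKR_CRYPTOKI_ALREADY_INITIALIZED"}

# CK_TOKEN_INFO.flags bits worth reading before handing the token to Key Vault.
TOKEN_FLAG_NAMES = {0x0002: "CKF_WRITE_PROTECTED", 0x0004: "CKF_LOGIN_REQUIRED",
                    0x0008: "CKF_USER_PIN_INITIALIZED", 0x0400: "CKF_TOKEN_INITIALIZED"}


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_TOKEN_INFO(ctypes.Structure):
    # Unix layout (natural alignment); the Windows PKCS#11 headers pack this to 1.
    _fields_ = ([("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
                 ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
                 ("flags", CK_ULONG)]
                + [(n, CK_ULONG) for n in ("ulMaxSessionCount", "ulSessionCount",
                   "ulMaxRwSessionCount", "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
                   "ulTotalPublicMemory", "ulFreePublicMemory", "ulTotalPrivateMemory",
                   "ulFreePrivateMemory")]
                + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
                   ("utcTime", ctypes.c_ubyte * 16)])


class CK_FUNCTION_LIST(ctypes.Structure):
    # A version followed by function pointers in the order fixed by the spec;
    # only the prefix this check dereferences is declared.
    _fields_ = [("version", CK_VERSION),
                ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
                ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
                ("C_GetInfo", ctypes.c_void_p), ("C_GetFunctionList", ctypes.c_void_p),
                ("C_GetSlotList", ctypes.CFUNCTYPE(CK_RV, ctypes.c_ubyte,
                                                   ctypes.POINTER(CK_SLOT_ID), ctypes.POINTER(CK_ULONG))),
                ("C_GetSlotInfo", ctypes.c_void_p),
                ("C_GetTokenInfo", ctypes.CFUNCTYPE(CK_RV, CK_SLOT_ID, ctypes.POINTER(CK_TOKEN_INFO)))]


def ckr_name(rv):
    return CKR_NAMES.get(rv, "CKR_0x%08X" % rv)


def decode_token_flags(flags):
    return sorted(name for bit, name in TOKEN_FLAG_NAMES.items() if flags & bit)


def _ck_field(buf):
    return bytes(buf).decode("utf-8", "replace").rstrip()   # space-padded, not NUL-terminated


def check_hsm_connectivity(lib_path):
    """Returns {ok, stage, detail, tokens}; stage names the step that failed."""
    result = {"ok": False, "stage": "load", "detail": "", "tokens": []}
    try:
        lib = ctypes.CDLL(lib_path)
    except OSError as exc:               # wrong path, wrong architecture, missing deps
        result["detail"] = str(exc)
        return result
    result["stage"] = "C_GetFunctionList"
    get_list = getattr(lib, "C_GetFunctionList", None)
    if get_list is None:                 # loads, but is not a PKCS#11 library
        result["detail"] = "symbol missing: not a PKCS#11 library"
        return result
    get_list.restype, get_list.argtypes = CK_RV, [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl_ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = get_list(ctypes.byref(fl_ptr))
    if rv != 0:
        result["detail"] = ckr_name(rv)
        return result
    fl = fl_ptr.contents
    result["stage"] = "C_Initialize"
    rv = fl.C_Initialize(None)
    if rv not in (0x000, 0x191):         # CKR_DEVICE_ERROR here usually means the HSM is unreachable
        result["detail"] = ckr_name(rv)
        return result
    try:
        result["stage"] = "C_GetSlotList"
        count = CK_ULONG(0)
        rv = fl.C_GetSlotList(1, None, ctypes.byref(count))      # tokenPresent = TRUE
        if rv == 0 and count.value == 0:
            result["detail"] = "no slot reports a present token: check enrollment and network path"
            return result
        slots = (CK_SLOT_ID * count.value)()
        rv = rv or fl.C_GetSlotList(1, slots, ctypes.byref(count))
        if rv != 0:
            result["detail"] = ckr_name(rv)
            return result
        result["stage"] = "C_GetTokenInfo"
        for slot in slots:
            info = CK_TOKEN_INFO()
            rv = fl.C_GetTokenInfo(slot, ctypes.byref(info))
            if rv != 0:
                result["tokens"].append({"slot": slot, "error": ckr_name(rv)})
                continue
            result["tokens"].append({"slot": slot, "label": _ck_field(info.label),
                                     "manufacturer": _ck_field(info.manufacturerID),
                                     "model": _ck_field(info.model),
                                     "serial": _ck_field(info.serialNumber),
                                     "flags": decode_token_flags(info.flags)})
        result["ok"] = any("CKF_TOKEN_INITIALIZED" in t.get("flags", []) for t in result["tokens"])
        if not result["ok"]:
            result["detail"] = "no initialized token found"
        return result
    finally:
        fl.C_Finalize(None)


if __name__ == "__main__":
    # Placeholder path (an assumption); pass the vendor library actually installed.
    report = check_hsm_connectivity(sys.argv[1] if len(sys.argv) > 1 else "/opt/hsm-client/lib/libpkcs11.so")
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

Run it as the same OS user that Oracle Key Vault will use, so that file permissions on the library and on the vendor's configuration files are exercised too. A result that stops at "load" is an installation problem on the Key Vault server; one that stops at C_Initialize or reports no present token is almost always an enrollment or network problem between the client and the HSM, which is what the second step of this section is meant to rule out.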