1 Getting Started with HSM

To integrate a hardware security module (HSM) with Oracle Key Vault, you must install the HSM client software and enroll Oracle Key Vault as an HSM client.

1.1 How Oracle Key Vault Works with Hardware Security Modules

This guide explains how to configure Oracle Key Vault to use a supported hardware security module (HSM).

A hardware security module (HSM) contains tamper-resistant, specialized hardware that is designed to protect security objects stored within the HSM. HSMs are physical computing devices that safeguard and manage digital keys, and provide cryptographic processing for clients. HSMs do not usually allow security objects to leave the cryptographic boundary of the HSM.

Oracle Key Vault is a key management platform designed to securely store, manage and share security objects. Unlike an HSM, Oracle Key Vault allows trusted clients to retrieve security objects like decryption keys. Oracle Key Vault is a full-stack software appliance that contains an operating system, database, and key-management application. Oracle Key Vault is designed to help organizations store and manage their keys and credentials.

Your organization may require the use of an HSM to protect encryption keys. Because they are designed to not allow keys to leave the cryptographic boundary of the HSM, in most cases it is not practical to connect databases directly to an HSM. Instead, databases will connect to the Oracle Key Vault which will in turn be protected by the HSM. This configuration establishes a Root-of-Trust (RoT) for Oracle Key Vault in the HSM. When an HSM is deployed with Oracle Key Vault, the RoT remains in the HSM. The HSM RoT protects the Transparent Data Encryption (TDE) wallet password, which protects the TDE master key, which in turn protects all the encryption keys, certificates, and other security artifacts managed by the Oracle Key Vault server. Note that the HSM in this RoT usage scenario does not store any customer encryption keys. The customer keys are stored and managed directly by the Oracle Key Vault server.

Using HSM as a RoT is intended to mitigate attempts to recover keys from an Oracle Key Vault server which has been started in an unauthorized environment. Physical loss of an Oracle Key Vault server from a facility is one example of such a scenario. An unauthorized user attempting to run a lost or stolen Oracle Key Vault server, without authorized access to the HSM, would be prevented from recovering the encryption keys stored on the appliance.

Oracle Key Vault employs a hierarchy of security controls including operating system hardening, database encryption, and data access enforcement using Database Vault. These controls are designed to mitigate the risk of users potentially extracting keys and credentials from systems they can physically access. Administrators do not need to access the internal components of the appliance for normal, day-to-day operations. Oracle Key Vault should be deployed in a secure location, and physical and logical access to the appliance should be controlled and monitored.

If your site uses HSMs from SafeNet, nCipher (a Thales company), or Utimaco, then you can configure these HSM products with Oracle Key Vault in standalone, primary-standby, and multi-master environments.

This guide assumes that you have installed and configured Oracle Key Vault. It also assumes that you have sufficient knowledge of the of the HSM products that you plan to configure.

The general process that you must follow to configure the HSM with Oracle Key Vault is as follows:

  1. Install the HSM client software on the Oracle Key Vault server.
  2. Enroll Oracle Key Vault as a client of the HSM.
  3. Perform further configuration operations, which are as follows:
    • Configure protection for the TDE master encryption key with the HSM.
    • Use an HSM in a primary-standby Oracle Key Vault installation.
    • Use an HSM in an Oracle Key Vault multi-master cluster environment.
    • Perform backup and restore operations in an HSM-enabled Oracle Key Vault instance.
    • When necessary, perform reverse-migration so that the Oracle Key Vault environment is no longer HSM-enabled.

1.2 Installing the HSM Client Software on an Oracle Key Vault Server

After you install Oracle Key Vault, you can install the HSM client software on the Oracle Key Vault server.

  1. Ensure that the vendor's software includes a PKCS#11 library.
    Refer to the HSM documentation from the HSM vendor for more information.
  2. Install the HSM vendor's client software on the Oracle Key Vault server.
    You can install SafeNet, nCipher, or Utimaco HSM products.

1.3 Enrolling Oracle Key Vault as a Client of the HSM

You must enroll Oracle Key Vault as a client of HSM and ensure connectivity between the HSM client and the HSM.

  1. Install the HSM vendor's client software on the Oracle Key Vault server.
  2. Ensure that the HSM client software can communicate from Oracle Key Vault to the HSM.