1.1.3 Ability to Control the Extraction of Symmetric Encryption Keys from Oracle Key Vault
Starting in Oracle Key Vault release 21.4, to strengthen the protection of symmetric encryption keys, you now can restrict these keys from leaving Oracle Key Vault.
This restriction applies to the key material of the symmetric keys, but not its metadata. For example, Transparent Database Encryption (TDE) master encryption keys are stored in Oracle Key Vault. When an endpoint needs to decrypt the key, the PKCS#11 library fetches the TDE master encryption key from Oracle Key Vault to perform the decryption. If your site requires that symmetric keys never leave Oracle Key Vault, then you can configure these keys to remain within Oracle Key Vault during operations. In this case, the PKCS#11 library will send the encrypted data encryption key to Oracle Key Vault. Decryption is then performed within Oracle Key Vault and afterward, the plaintext data encryption key is returned to the PKCS#11 library. The Oracle Key Vault PKCS#11 library performs the encryption and decryption operation within Oracle Key Vault if the TDE master key is restricted to leave Oracle Key Vault, or if it cannot be extracted from Oracle Key Vault.
To control whether symmetric encryption keys can be retrieved (extracted) from Oracle Key Vault, you can use the Oracle Key Vault management console, RESTful services utility commands, the C SDK APIs, and Java SDK APIs.
New APIs for the C SDK to manage extractable attribute:
okvAttrAddExtractableokvAttrAddNeverExtractableokvAttrGetExtractableokvAttrGetNeverExtractable
New APIs for the Java SDK to manage extractable attribute:
okvAttrAddExtractableokvAttrAddNeverExtractableokvAttrGetExtractableokvAttrGetNeverExtractable