Changes in This Release for Oracle Key Vault

This Oracle Key Vault release introduces new features that enhance the use of Oracle Key Vault in a large enterprise.

• Changes for Oracle Key Vault Release 21.4
  Oracle Key Vault release 21.4 introduces new features that affect this guide.
• Changes for Oracle Key Vault Release 21.2
  Oracle Key Vault release 21.2 introduces new features that are related to installation and upgrade operations.

Changes for Oracle Key Vault Release 21.4

Oracle Key Vault release 21.4 introduces new features that affect this guide.

• Ability to Control the Extraction of Symmetric Encryption Keys from Oracle Key Vault
  Starting in Oracle Key Vault release 21.4, to strengthen the protection of symmetric encryption keys, you now can restrict these keys from leaving the Oracle Key Vault cluster boundary.
• Ability to Restrict Oracle Key Vault Administrative Role Grants
  Starting in Oracle Key Vault release 21.4, you can control whether a grantee of an Oracle Key Vault administrative role can grant the role to other Oracle Key Vault users.

Ability to Control the Extraction of Symmetric Encryption Keys from Oracle Key Vault

Starting in Oracle Key Vault release 21.4, to strengthen the protection of symmetric encryption keys, you now can restrict these keys from leaving the Oracle Key Vault cluster boundary.

This restriction applies to the key material of the symmetric keys, but not its metadata. For example, Transparent Database Encryption (TDE) master encryption keys are stored in Oracle Key Vault. When an endpoint needs to decrypt the key, the PKCS#11 library fetches the TDE master encryption key from Oracle Key Vault to perform the decryption. If your site requires that symmetric keys never leave Oracle Key Vault, then you can configure these keys to remain within Oracle Key Vault during operations. In this case, the PKCS#11 library will send the encrypted data encryption key to Oracle Key Vault. Decryption is then performed within Oracle Key Vault and afterward, the plaintext data encryption key is returned to the PKCS#11 library. The Oracle Key Vault PKCS#11 library performs the encryption and decryption operation within Oracle Key Vault if the TDE master encryption key is restricted to leave Oracle Key Vault, or if it cannot be extracted from Oracle Key Vault.

To control whether symmetric encryption keys can be retrieved (extracted) from Oracle Key Vault, you can use the Oracle Key Vault management console, RESTful services utility commands, the C SDK APIs, and Java SDK APIs.

The following Oracle Key Vault RESTful services utility commands have been updated to accommodate this enhancement:

• okv managed-object attribute get
• okv managed-object attribute get-all
• okv managed-object attribute list
• okv managed-object attribute modify
• okv managed-object key create
• okv managed-object key register
• okv managed-object object locate

New APIs for the C SDK to manage extractable attribute:

• okvAttrAddExtractable
• okvAttrAddNeverExtractable
• okvAttrGetExtractable
• okvAttrGetNeverExtractable

New APIs for the Java SDK to manage extractable attribute:

• okvAttrAddExtractable
• okvAttrAddNeverExtractable
• okvAttrGetExtractable
• okvAttrGetNeverExtractable

Ability to Restrict Oracle Key Vault Administrative Role Grants

Starting in Oracle Key Vault release 21.4, you can control whether a grantee of an Oracle Key Vault administrative role can grant the role to other Oracle Key Vault users.

In previous releases, the Oracle Key Vault administrative roles (System Administrator, Key Administrator, and Audit Manager) could be granted to another Oracle Key Vault user by any user who currently has the role. Starting with this release, when an administrator grants the role to another user, the administrator can restrict how the grantee user can in turn grant the role to other users. This enhancement improves overall user security and helps to adhere to good least privileges practices.

Changes for Oracle Key Vault Release 21.2

Oracle Key Vault release 21.2 introduces new features that are related to installation and upgrade operations.

• Changes in the Oracle Key Vault Management Console
  In Oracle Key Vault release 21.2, the Oracle Key Vault management console user interface has had minor changes throughout.

Changes in the Oracle Key Vault Management Console

In Oracle Key Vault release 21.2, the Oracle Key Vault management console user interface has had minor changes throughout.

These changes are the result of modified terms, updates to the current release, and enhancements for better usability. The overall interface has not had major changes.