Changes in This Release for Oracle Key Vault

This Oracle Key Vault release introduces new features that enhance the use of Oracle Key Vault in a large enterprise.

Changes for Oracle Key Vault Release 21.6

Oracle Key Vault release 21.6 introduces new features that affect this guide.

Ability to Clone an Oracle Key Vault VM

Starting with Oracle Key Vault release 21.6, a fresh installation of an Oracle Key Vault VM guest can be saved as a template, and the cloning capability of the VM platform can be used to create Oracle Key Vault cluster nodes from that template.

Building a cluster from a cloned template significantly shortens provisioning time compared with performing a full installation on each individual cluster node.

Oracle Key Vault supports the cloning feature of the underlying virtualization platform, which eliminates the need to run the full installation process for every cluster node. You can clone an Oracle Key Vault system (installed as a VM) after the installation is complete but before performing any post-installation tasks. An Oracle Key Vault template is therefore an installation that was stopped before the system was made unique; taking the clone at this point is what guarantees that no two nodes share system-specific configuration. When a clone starts up for the first time, it completes the remaining installation steps and regenerates all of the system-specific configuration, so that each clone becomes unique and separate from every other clone. The (remote) cloning capability of the virtualization platform can create such clones directly from the stored template.

Ability to support Oracle Linux 8

Starting with Oracle Key Vault release 21.6, the embedded operating system is upgraded to Oracle Linux 8.

Before attempting an Oracle Key Vault upgrade, confirm with your hardware vendor that your Oracle Key Vault servers (for installations on dedicated hardware) are compatible with Oracle Linux 8.

Changes for Oracle Key Vault Release 21.4

Oracle Key Vault release 21.4 introduces new features that affect this guide.

Ability to Control the Extraction of Symmetric Encryption Keys from Oracle Key Vault

Starting in Oracle Key Vault release 21.4, to strengthen the protection of symmetric encryption keys, you can restrict these keys from leaving the Oracle Key Vault cluster boundary.

This restriction applies to the key material of a symmetric key, not to its metadata. For example, Transparent Data Encryption (TDE) master encryption keys are stored in Oracle Key Vault. Normally, when an endpoint needs to decrypt a data encryption key, the PKCS#11 library fetches the TDE master encryption key from Oracle Key Vault and performs the decryption on the endpoint. If your site requires that symmetric keys never leave Oracle Key Vault, you can configure these keys to remain within Oracle Key Vault during operations. In that case the PKCS#11 library sends the encrypted data encryption key to Oracle Key Vault, the decryption is performed within Oracle Key Vault, and the plaintext data encryption key is returned to the PKCS#11 library. In short, the Oracle Key Vault PKCS#11 library performs the encryption and decryption operations within Oracle Key Vault whenever the TDE master encryption key is restricted from leaving Oracle Key Vault or otherwise cannot be extracted from it. Note that the restriction protects the master encryption key only: the data encryption key it unwraps is still returned to the endpoint in plaintext, so the endpoint host and its connection to Oracle Key Vault must still be protected.

To control whether symmetric encryption keys can be retrieved (extracted) from Oracle Key Vault, you can use the Oracle Key Vault management console, RESTful services utility commands, the C SDK APIs, and Java SDK APIs.

The following Oracle Key Vault RESTful services utility commands have been updated to accommodate this enhancement:

  • okv managed-object attribute get
  • okv managed-object attribute get-all
  • okv managed-object attribute list
  • okv managed-object attribute modify
  • okv managed-object key create
  • okv managed-object key register
  • okv managed-object object locate

New APIs for the C SDK to manage extractable attribute:

  • okvAttrAddExtractable
  • okvAttrAddNeverExtractable
  • okvAttrGetExtractable
  • okvAttrGetNeverExtractable

New APIs for the Java SDK to manage extractable attribute:

  • okvAttrAddExtractable
  • okvAttrAddNeverExtractable
  • okvAttrGetExtractable
  • okvAttrGetNeverExtractable
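The two code paths described above (unwrap on the endpoint when the master key is extractable, unwrap inside the vault when it is not), modelled as an added example. This is not Oracle Key Vault code and not the C or Java SDK API: the Vault type, its Register, SetExtractable, Get and Unwrap methods, and the endpoint-side UnwrapDEK function are hypothetical stand-ins, AES-GCM stands in for the real wrapping, and the rules that a key registered with Extractable FALSE has NeverExtractable TRUE and that Extractable cannot be changed from FALSE back to TRUE are assumed from PKCS#11 semantics rather than taken from this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNotExtractable is returned when an endpoint asks for the material of a
// key whose Extractable attribute is FALSE.
var ErrNotExtractable = errors.New("key material is not extractable")

// managedKey models a symmetric key held inside the vault together with the
// Extractable and NeverExtractable attributes (names assumed, not OKV's).
type managedKey struct {
	material         []byte
	extractable      bool
	neverExtractable bool
}

// Vault is a hypothetical stand-in for the Oracle Key Vault cluster boundary.
type Vault struct{ keys map[string]*managedKey }

func NewVault() *Vault { return &Vault{keys: map[string]*managedKey{}} }

// Register stores key material. NeverExtractable is TRUE only when the key
// was created with Extractable FALSE (PKCS#11 semantics, assumed here).
func (v *Vault) Register(id string, material []byte, extractable bool) {
	v.keys[id] = &managedKey{material: append([]byte(nil), material...), extractable: extractable, neverExtractable: !extractable}
}

// SetExtractable models an attribute modify. TRUE->FALSE is allowed;
// FALSE->TRUE is refused (assumption mirroring PKCS#11).
func (v *Vault) SetExtractable(id string, extractable bool) error {
	k, ok := v.keys[id]
	if !ok {
		return errors.New("no such key")
	}
	if extractable && !k.extractable {
		return errors.New("extractable cannot be changed from FALSE to TRUE")
	}
	k.extractable = extractable
	return nil
}

// Extractable and NeverExtractable play the role of attribute getters.
func (v *Vault) Extractable(id string) (bool, error) {
	k, ok := v.keys[id]
	if !ok {
		return false, errors.New("no such key")
	}
	return k.extractable, nil
}

func (v *Vault) NeverExtractable(id string) (bool, error) {
	k, ok := v.keys[id]
	if !ok {
		return false, errors.New("no such key")
	}
	return k.neverExtractable, nil
}

// Get models the endpoint pulling the master key material out of the vault.
func (v *Vault) Get(id string) ([]byte, error) {
	k, ok := v.keys[id]
	if !ok {
		return nil, errors.New("no such key")
	}
	if !k.extractable {
		return nil, ErrNotExtractable
	}
	return append([]byte(nil), k.material...), nil
}

// Unwrap decrypts inside the vault: the master key never crosses the
// boundary, only the unwrapped data encryption key is returned.
func (v *Vault) Unwrap(id string, wrapped []byte) ([]byte, error) {
	k, ok := v.keys[id]
	if !ok {
		return nil, errors.New("no such key")
	}
	return aesGCMOpen(k.material, wrapped)
}

// aesGCMSeal/aesGCMOpen stand in for the real key wrapping; output is nonce||ciphertext.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func aesGCMOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// UnwrapDEK is what the endpoint's PKCS#11 library does: check the
// attribute, unwrap locally if the master key may leave the vault, otherwise
// send the wrapped DEK to the vault. The second result names the path taken.
func UnwrapDEK(v *Vault, mekID string, wrappedDEK []byte) ([]byte, string, error) {
	ext, err := v.Extractable(mekID)
	if err != nil {
		return nil, "", err
	}
	if ext {
		mek, err := v.Get(mekID)
		if err != nil {
			return nil, "", err
		}
		dek, err := aesGCMOpen(mek, wrappedDEK)
		return dek, "local", err
	}
	dek, err := v.Unwrap(mekID, wrappedDEK)
	return dek, "vault", err
}

func main() {
	mek, dek := make([]byte, 32), make([]byte, 32) // constructed sample keys
	if _, err := rand.Read(mek); err != nil {
		panic(err)
	}
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	wrapped, _ := aesGCMSeal(mek, dek)
	v := NewVault()
	v.Register("tde-mek-1", mek, false)
	_, path, err := UnwrapDEK(v, "tde-mek-1", wrapped)
	fmt.Println("unwrap path:", path, "err:", err)
	_, err = v.Get("tde-mek-1")
	fmt.Println("direct fetch:", err)
	fmt.Println("flip to TRUE:", v.SetExtractable("tde-mek-1", true))
}
```

The point the model makes visible is the one the prose states: with Extractable FALSE the vault still hands the plaintext data encryption key back to the endpoint, so the control changes which key crosses the boundary, not whether plaintext key material reaches the endpoint at all.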

Ability to Restrict Oracle Key Vault Administrative Role Grants

Starting in Oracle Key Vault release 21.4, you can control whether a grantee of an Oracle Key Vault administrative role can grant the role to other Oracle Key Vault users.

In previous releases, any user who held one of the Oracle Key Vault administrative roles (System Administrator, Key Administrator, or Audit Manager) could grant that role to another Oracle Key Vault user. Starting with this release, when an administrator grants a role to another user, the administrator can restrict whether the grantee can in turn grant the role to other users. This enhancement improves overall user security and helps enforce least-privilege practice.

Changes for Oracle Key Vault Release 21.2

Oracle Key Vault release 21.2 introduces new features that are related to installation and upgrade operations.

Changes in the Oracle Key Vault Management Console

In Oracle Key Vault release 21.2, the Oracle Key Vault management console user interface has had minor changes throughout.

These changes are the result of modified terms, updates to the current release, and enhancements for better usability. The overall interface has not had major changes.