1 Getting Started with HSM
To integrate a hardware security module (HSM) with Oracle Key Vault, you must install the HSM client software and enroll Oracle Key Vault as an HSM client.
- How Oracle Key Vault Works with Hardware Security Modules
  This guide explains how to configure Oracle Key Vault to use a supported hardware security module (HSM).
- Installing the HSM Client Software on an Oracle Key Vault Server
  After you install Oracle Key Vault, you can install the HSM client software on the Oracle Key Vault server.
- Enrolling Oracle Key Vault as a Client of the HSM
  You must enroll Oracle Key Vault as a client of the HSM and ensure connectivity between the HSM client and the HSM.
1.1 How Oracle Key Vault Works with Hardware Security Modules
This guide explains how to configure Oracle Key Vault to use a supported hardware security module (HSM).
A hardware security module (HSM) contains tamper-resistant, specialized hardware that is designed to protect security objects stored within the HSM. HSMs are physical computing devices that safeguard and manage digital keys, and provide cryptographic processing for clients. HSMs do not usually allow security objects to leave the cryptographic boundary of the HSM.
Oracle Key Vault is a key management platform designed to securely store, manage and share security objects. Unlike an HSM, Oracle Key Vault allows trusted clients to retrieve security objects like decryption keys. Oracle Key Vault is a full-stack software appliance that contains an operating system, database, and key-management application. Oracle Key Vault is designed to help organizations store and manage their keys and credentials.
Your organization may require the use of an HSM to protect encryption keys. Because HSMs are designed to not allow keys to leave their cryptographic boundary, in most cases it is not practical to connect databases directly to an HSM. Instead, databases connect to Oracle Key Vault, which in turn is protected by the HSM. This configuration establishes a Root-of-Trust (RoT) for Oracle Key Vault in the HSM. When an HSM is deployed with Oracle Key Vault, the RoT remains in the HSM. The HSM RoT protects the Transparent Data Encryption (TDE) wallet password, which protects the TDE master key, which in turn protects all the encryption keys, certificates, and other security artifacts managed by the Oracle Key Vault server. Note that the HSM in this RoT usage scenario does not store any customer encryption keys. The customer keys are stored and managed directly by the Oracle Key Vault server.
Using HSM as a RoT is intended to mitigate attempts to recover keys from an Oracle Key Vault server which has been started in an unauthorized environment. Physical theft of the disk images that represent an Oracle Key Vault server that runs as a virtualization guest is one example of such a scenario. An unauthorized user attempting to run a stolen Oracle Key Vault server, without authorized access to the HSM, would be prevented from recovering the encryption keys stored on the appliance.
Oracle Key Vault employs a hierarchy of security controls including operating system hardening, database encryption, and data access enforcement using Database Vault. These controls are designed to mitigate the risk of users potentially extracting keys and credentials from systems they can physically access. Administrators do not need to access the internal components of the appliance for normal, day-to-day operations. Therefore, you should disable Secure Shell Protocol (ssh) access into Oracle Key Vault at all times, except when you must apply quarterly release upgrades. Oracle Key Vault should be deployed in a secure location, and physical and logical access to the appliance should be controlled and monitored.
You can configure an HSM with Oracle Key Vault in standalone, primary-standby, and multi-master environments. If your HSM vendor meets the requirements, then you and the vendor can configure the vendor's HSM to work with Oracle Key Vault. If your site uses HSMs from Thales (formerly SafeNet Luna), Entrust (formerly nCipher), or Utimaco, then you can configure these HSMs using the instructions provided in the vendor-specific notes for Thales, Entrust, or Utimaco. However, starting with Oracle Key Vault 21.8, the vendor-specific configuration and notes for Thales, Entrust, and Utimaco are deprecated. To establish a Root-of-Trust for Oracle Key Vault in the HSM, you should use the instructions provided by the HSM vendor.
This guide assumes that you have installed and configured Oracle Key Vault. It also assumes that you have sufficient knowledge of the HSM that you plan to configure.
The general process that you must follow to configure the HSM with Oracle Key Vault is as follows:
- Install the HSM client software on the Oracle Key Vault server and perform any configuration that the HSM requires.
- Enroll Oracle Key Vault as a client of the HSM.
- Perform further configuration operations, which are as follows:
  - Configure protection for the TDE master encryption key with the HSM.
  - Use an HSM in a primary-standby Oracle Key Vault installation.
  - Use an HSM in an Oracle Key Vault multi-master cluster environment.
  - Perform backup and restore operations in an HSM-enabled Oracle Key Vault instance.
  - When necessary, perform reverse-migration so that the Oracle Key Vault environment is no longer HSM-enabled.
1.2 Installing the HSM Client Software on an Oracle Key Vault Server
After you install Oracle Key Vault, you can install the HSM client software on the Oracle Key Vault server.
Related Topics
- Installing the HSM Client Software on the Oracle Key Vault Server for Thales
- Installing the HSM Client Software on the Oracle Key Vault Server for Entrust
- Installing the HSM Client Software on the Oracle Key Vault Server for Utimaco
- Vendor Instructions for Integrating an HSM as the Root of Trust for Oracle Key Vault
1.3 Enrolling Oracle Key Vault as a Client of the HSM
You must enroll Oracle Key Vault as a client of the HSM and ensure connectivity between the HSM client and the HSM.
Ensure that the HSM vendor has provided instructions for enrolling Oracle Key Vault as a client of the HSM.
- Install the HSM vendor's client software on the Oracle Key Vault server.
- Ensure that the HSM client software can communicate from Oracle Key Vault to the HSM.