Encryption keys are generally stored locally with the database for performance and scalability reasons but this introduces the challenge of how to protect the encryption keys that were used for data encryption. The solution is to encrypt the local encryption keys, commonly referred to as Data Encryption Keys (DEK) with a Key Encryption Key (KEK) or Master key that resides in the HSM On Demand service key vault. This ensures that only authorized services are allowed to request the DEK to be decrypted. If an attacker steals the database, the content of the database is encrypted and inaccessible as the attacker does not have access to the HSM On Demand for Oracle TDE where the KEK is kept.
Thales Data Protection on Demand is a cloud-based platform that provides a wide range of Cloud HSM and CipherTrust Cloud Key Management services through a simple online marketplace. With Luna Cloud HSM and CipherTrust Cloud Key Management services on Data Protection on Demand ...