Cloud-based HSM service for secure storage of Oracle TDE encryption keys
Encryption keys are generally stored locally with the database for performance and scalability reasons, but this raises the question of how to protect the keys that were used to encrypt the data. The solution is to encrypt the local encryption keys, commonly referred to as Data Encryption Keys (DEKs), with a Key Encryption Key (KEK), or master key, that resides in the HSM On Demand service key vault. This ensures that only authorized services are allowed to request that a DEK be decrypted. If an attacker steals the database, its content remains encrypted and inaccessible, because the attacker has no access to the HSM On Demand for Oracle TDE service where the KEK is kept.
Key Features
- Oracle TDE data encryption keys are encrypted with a master key
- HSM On Demand service key vault ensures protection of the master key
- Only authorized services are allowed to request the DEK to be decrypted
- Encrypt local encryption keys (DEK) with Key Encryption Key (KEK)
Benefits
- Optimal performance
- Scalable solution
- Fully automated service orchestration
- Focus on your business, not managing security hardware and software