Encryption keys are generally stored locally with the database for performance and scalability reasons but this introduces the challenge of how to protect the encryption keys that were used for data encryption. The solution is to encrypt the local encryption keys, commonly referred to as Data Encryption Keys (DEK) with a Key Encryption Key (KEK) or Master key that resides in the HSM on Demand service key vault. This ensures that only authorized services are allowed to request the DEK to be decrypted. If an attacker steals the database, the content of the database is encrypted and inaccessible as the attacker does not have access to the HSM on Demand for Oracle TDE where the KEK is kept.
Thales Data Protection on Demand is a cloud-based platform that provides a wide range of Cloud HSM and CipherTrust Cloud Key Management services through a simple online marketplace. With Luna Cloud HSM and CipherTrust Cloud Key Management services on Data Protection on Demand ...
Configure your Oracle Standard/TDE/RAC Database to generate and secure application encryption keys using a Luna Cloud HSM Service. The Luna Cloud HSM Service provides full key life-cycle management with FIPS-certified hardware and reduces the cryptographic load on the host server CPU.
TDE allows you to encrypt sensitive data in database table columns or application tablespaces. We recommend securing the columns on the Oracle database with TDE using an HSM on Demand service for the following reasons:
Secrets are data that support internal Oracle Database features that integrate external clients, such as Oracle GoldenGate, into the database.