External Master Key Storage using Hardware Security Module
Transparent Data Encryption (TDE) was introduced in release 10g. It can be used to encrypt column data inside the database. A wallet is used to store an encryption master key, which encrypts the column keys that in turn encrypt the actual data in the columns. The wallet can be placed in a secure location on disk, and Oracle Net Services can be used to determine the location of the wallet on disk. This configuration is secure enough for most environments.
But the master key must be kept in memory for cryptographic operations such as encrypting and decrypting. A potential attacker could use various methods to dump the memory buffers containing the master key and then retrieve the master key from the dump file.
In order to further improve the protection of the master key, Oracle has introduced the possibility to store the master key on an external hardware module called a Hardware Security Module (HSM). This is a dedicated hardware device attached to the database server. The hardware vendor ships a shared library which functions as a plug-in and must be copied to the database server. The database uses a dedicated user account to communicate with the hardware module. The HSM provides storage for the master key as well as memory for cryptographic operations (encryption, decryption).
Note: The use of Hardware Security Modules requires the extra-cost Advanced Security Option to be installed!
In order to configure the usage of an HSM you need to issue the following command:

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user_id:password";

Here user_id is the identifier for an already existing Oracle user account (it must have been created manually beforehand) which is used exclusively for the communication between the database and the HSM.
If you already have an existing wallet, you must add the

    MIGRATE USING <wallet_password>

clause in order to decrypt the existing column keys and re-encrypt them with the newly created HSM-based master key:

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user_id:password"
    MIGRATE USING "<wallet_password>";
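The following is an added example (not part of the original text) that puts the steps above into one worked sequence and adds a verification query on V$ENCRYPTION_WALLET, the Oracle view that reports the type and status of the key store. The sqlnet.ora fragment that selects the HSM as key store is shown as a comment because it is a configuration file, not SQL. The wallet directory, the HSM credentials (hsm_user:hsm_password) and the old wallet password are placeholders.

```sql
-- Added example, not from the original text. All paths and credentials
-- below are placeholders to be replaced with site-specific values.
--
-- 1. Prerequisite in $ORACLE_HOME/network/admin/sqlnet.ora (shown here as
--    a comment). METHOD=HSM makes the database load the vendor's plug-in
--    library instead of using the software wallet as the key store; the
--    DIRECTORY entry points at the existing software wallet and is needed
--    for the MIGRATE USING step below.
--
--    ENCRYPTION_WALLET_LOCATION=
--      (SOURCE=(METHOD=HSM)
--        (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
--
-- 2. Record the key store type before the change. With a software
--    wallet in use, WRL_TYPE is 'FILE'.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 3. Create the HSM-protected master key. Because a software wallet
--    already exists, the column keys are migrated in the same statement
--    (decrypted with the old master key, re-encrypted with the new one).
--    Without an existing wallet, omit the MIGRATE USING clause.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password"
  MIGRATE USING "old_wallet_password";

-- 4. Verify that the HSM is now the key store and that it is open.
--    Expected after a successful migration: WRL_TYPE = 'HSM', STATUS = 'OPEN'.
SELECT wrl_type, status
  FROM v$encryption_wallet;

-- 5. After an instance restart the HSM-backed key store is closed and must
--    be opened explicitly with the same credentials before encrypted
--    columns can be accessed.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_user:hsm_password";
```

Running the SELECT in step 2 and again in step 4 gives a simple before/after check that the switch actually took place: if WRL_TYPE still reads 'FILE' after step 3, the sqlnet.ora entry was not picked up or the vendor library was not found.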
All cryptographic operations involving the master key are performed in the external hardware-based storage, and the master key is never located in the database server's memory. The HSM is only used to encrypt (and decrypt) the column keys, which are passed to the database afterwards; the column data itself is still encrypted and decrypted by the database.
Oracle recommends using the Advanced
Security Network Encryption Option to encrypt the traffic
between the database server and the HSM.
Note: The use of a Hardware Security Module makes it possible to use the same master key for multiple databases as well as for multiple instances in a Real Application Cluster (RAC).
Note: A Hardware Security Module cannot be used for tablespace encryption, encrypted exports and encrypted RMAN backups. These functionalities need access to the software wallet!