Integration overview
Integrating Oracle Database 12c Transparent Data Encryption (TDE) with the requires the PKCS #11 (FXPKCS11) library. Once it is configured, the Master Encryption Key (MEK) used by TDE is generated and stored inside a FIPS 140-2 Level 3-validated HSM (such as the ) and never leaves it in plaintext, which adds a layer of protection for data at rest.
The Master Encryption Key wraps the Oracle Table Keys (and, for tablespace encryption, the tablespace keys), which in turn encrypt and decrypt columns or tablespaces locally in the database. Each encrypted table has its own table key. From the client application's perspective, encryption and decryption are transparent, so the existing application does not need to change. We recommend that the connection between the PKCS #11 library and the be a mutually authenticated TLS connection, but server-side (one-way) TLS authentication is also supported.
The instructions for configuring the PKCS #11 library with Oracle Database running in a Docker container cover only mutual TLS authentication with client and server certificates.
This guide provides the information required to configure PKCS #11 with Oracle Database so that you can generate the TDE Master Encryption Key on the , keep it there, and use it to protect the Oracle Table Keys.
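The following SQL*Plus session is an added illustration of the key hierarchy described above (HSM-resident MEK wrapping the table and tablespace keys); it is not taken from this guide or from the vendor's own documentation. It uses the standard Oracle 12c `ADMINISTER KEY MANAGEMENT` syntax for an HSM keystore. The HSM credential `hsm_user:hsm_password`, the datafile path, and the table and tablespace names are placeholders to be replaced with your own values; the `sqlnet.ora` entry and the PKCS #11 library location shown in the comments are Oracle's documented conventions, with the vendor and version directory names assumed.

```sql
-- Prerequisites (outside SQL, shown for context):
--   1. Place the FXPKCS11 library where Oracle looks for PKCS #11 modules:
--        /opt/oracle/extapi/64/hsm/<vendor>/<version>/<library>.so
--      (the <vendor>/<version> directory names are assumed placeholders)
--   2. In $ORACLE_HOME/network/admin/sqlnet.ora, point TDE at the HSM:
--        ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
--   3. Connect as a user with SYSKM (or SYSDBA) privilege:
--        sqlplus / as syskm

-- Open the HSM keystore. For an HSM the password is the PKCS #11
-- credential in "user:password" form (placeholder values here).
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "hsm_user:hsm_password";

-- Generate the TDE Master Encryption Key inside the HSM. There is no
-- WITH BACKUP clause because no local wallet file exists to back up.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "hsm_user:hsm_password";

-- Check: the keystore must report type HSM and status OPEN, and the
-- active master key must be recorded as living in the HSM keystore.
SELECT wrl_type, status, wallet_type
  FROM v$encryption_wallet;
-- expected: WRL_TYPE = HSM, STATUS = OPEN

SELECT key_id, keystore_type, creation_time
  FROM v$encryption_keys;
-- expected: KEYSTORE_TYPE = HSM

-- Tablespace encryption: a per-tablespace key is generated locally and
-- wrapped by the HSM-resident MEK. Path is a placeholder.
CREATE TABLESPACE secure_ts
  DATAFILE '/opt/oracle/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Column encryption: a per-table key is generated for hr.employees and
-- wrapped by the same MEK. Applications read and write the column as
-- plain text; encryption happens transparently on disk.
CREATE TABLE hr.employees (
  employee_id NUMBER PRIMARY KEY,
  ssn         VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT,
  last_name   VARCHAR2(60)
) TABLESPACE secure_ts;

-- Verify which objects are protected by keys under the MEK.
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';

-- Operational caveat: if the HSM is unreachable the keystore cannot be
-- opened, and every encrypted column and tablespace becomes inaccessible
-- until it is. Test this failure mode before going to production, and
-- treat the HSM backup and the "hsm_user:hsm_password" credential as the
-- recovery path for the database.
```

The rekey command (`ADMINISTER KEY MANAGEMENT SET KEY` run again) rotates only the MEK in the HSM and rewraps the table and tablespace keys; the encrypted data itself is not rewritten, which is the operational advantage of the two-level hierarchy described above.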