Oracle Database TDE
This document provides information about integrating the Futurex KMES Series 3 with Oracle Database 19c Transparent Data Encryption (TDE) by using Futurex PKCS #11 libraries. For other questions about the KMES Series 3, see the relevant user guide.
From the Oracle documentation website: Transparent data encryption (TDE) enables you to encrypt sensitive data, such as credit card numbers, stored in table columns. Encrypted data is transparently decrypted for database users with access. TDE helps protect data stored on media in case the storage media or data file gets stolen.
Integrating Oracle Database 19c Transparent Data Encryption (TDE) with the KMES Series 3 requires the Futurex PKCS #11 (FXPKCS11) library. Once configured, the TDE master encryption key (MEK) is generated and stored in a FIPS 140-2 Level 3 validated HSM (the KMES Series 3) instead of in a software wallet on the database host, adding a layer of protection for data at rest.
The master encryption key stays inside the HSM and is used there to wrap and unwrap the Oracle data encryption keys: a table key for each table with encrypted columns and a tablespace key for each encrypted tablespace. Those keys, in turn, encrypt and decrypt the columns or tablespaces locally in the database. From the client application's perspective the encryption and decryption are transparent, so you don't need to modify the existing application.
The connection between the Futurex PKCS #11 library and the KMES Series 3 must be a mutually authenticated TLS connection. To set this up, you create TLS/SSL certificates (using OpenSSL and a certificate authority on the KMES) for both ends: the KMES Host API connection pair and the Oracle Database instance on which the FXPKCS11 library runs. After Oracle Database is configured to use the library, the TDE master encryption key is generated on the KMES Series 3 and remains there to wrap the Oracle table keys.
This guide shows you how to configure the Futurex PKCS #11 library to serve as the interface through which Oracle TDE uses a KMES Series 3 as its hardware keystore (HSM wallet), based on: https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/configuring-transparent-data-encryption.html
To complete the integration, perform the following tasks:
- Configure the Futurex PKCS #11 library in Oracle.
- Configure the KMES Series 3.
- Edit the Futurex PKCS #11 configuration file.
- Generate a TDE master encryption key on the KMES Series 3.
- Open the wallet or hardware keystore.
The following sections show you how to perform these tasks.
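The database side of the last two tasks (generating the master encryption key on the KMES and opening the hardware keystore) is done from SQL*Plus. The following session is an added example written for this guide; it is not taken from the Futurex or Oracle documentation. It assumes the FXPKCS11 library has already been installed where Oracle looks for a PKCS #11 library (on Linux, a directory of the form /opt/oracle/extapi/64/hsm/{VENDOR}/{VERSION}/ that contains only that one library file, readable by the Oracle software owner) and that its configuration file already points at the KMES Series 3. The instance name ORCL, the wallet root path, and the credential string "kmesuser:kmespass" are hypothetical placeholders; the credential format the KMES expects is defined by the FXPKCS11 configuration, not by Oracle.

```sql
-- Added example: SQL*Plus session run as SYSKM (or SYSDBA) on a 19c instance.
-- Hypothetical values: ORACLE_SID ORCL, wallet root /opt/oracle/admin/ORCL/wallet,
-- HSM credential "kmesuser:kmespass".

-- 1. Point the database at a hardware keystore using the 19c parameters.
--    WALLET_ROOT is static: set it in the SPFILE and restart the instance
--    before the next statement takes effect.
ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/admin/ORCL/wallet' SCOPE = SPFILE;
-- (restart the instance here)
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM' SCOPE = BOTH;

-- 2. Open the hardware keystore. The quoted string is handed to the PKCS #11
--    library as the login credential; Oracle documents it as "user_id:password".
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "kmesuser:kmespass";

-- Check: WRL_TYPE should be HSM and, before a key exists, STATUS should be
-- OPEN_NO_MASTER_KEY.
SELECT wrl_type, status, wallet_type, keystore_mode
  FROM v$encryption_wallet;

-- 3. Generate the TDE master encryption key inside the HSM. There is no
--    WITH BACKUP clause here: that clause applies only to software keystores.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "kmesuser:kmespass";

-- Check: STATUS is now OPEN, and the key is listed with KEYSTORE_TYPE = HSM.
SELECT wrl_type, status FROM v$encryption_wallet;
SELECT key_id, keystore_type, creation_time, activation_time
  FROM v$encryption_keys;

-- 4. Smoke test on a constructed table: the ENCRYPT column gets a table key
--    that the database wraps with the HSM-resident master key.
CREATE TABLE tde_smoke_test (
  id       NUMBER PRIMARY KEY,
  card_pan VARCHAR2(19) ENCRYPT
);
INSERT INTO tde_smoke_test VALUES (1, '4111111111111111');
COMMIT;
SELECT table_name, column_name, encryption_alg
  FROM dba_encrypted_columns
 WHERE table_name = 'TDE_SMOKE_TEST';
DROP TABLE tde_smoke_test PURGE;
```

Two things worth verifying before relying on this in production: V$ENCRYPTION_WALLET must report WRL_TYPE = HSM rather than FILE, otherwise the master key was created in a local software wallet and the HSM is not protecting anything; and the keystore must be reopened with the same credential after every instance restart (or configured for auto-login), since encrypted columns and tablespaces are unreadable while the HSM keystore is closed.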