Oracle Database TDE
This document provides information about integrating the Futurex {{k3}} with Oracle Database 19c Transparent Data Encryption (TDE) by using {{futurex}} PKCS #11 libraries. For other questions about the {{k3}}, see the relevant user guide.

About Oracle TDE

From the Oracle documentation website:

Transparent Data Encryption (TDE) enables you to encrypt sensitive data, such as credit card numbers, stored in table columns. Encrypted data is transparently decrypted for database users with access. TDE helps protect data stored on media if the storage media or data file gets stolen.

Oracle Database 19c TDE integration

Integrating Oracle Database 19c Transparent Data Encryption (TDE) with the {{k3}} requires the {{futurex}} PKCS #11 (fxpkcs11) library. After configuration, you can store the master encryption key (MEK) used for TDE in a FIPS 140-2 Level 3 validated HSM (such as the {{k3}}), adding a layer of protection for data at rest.

The master encryption key encrypts the Oracle table keys, which encrypt or decrypt columns or tablespaces locally in the database. Each table has its own table key. From the client application perspective, the encryption and decryption process is transparent, so you don't need to modify the existing application.

The connection between the {{futurex}} PKCS #11 library and the {{k3}} should be a mutually authenticated TLS connection. To do this, you must create TLS/SSL certificates (using OpenSSL and a CA on the {{k}}), providing certificates for both the {{k}} Host API connection pair and the Oracle Database instance where the fxpkcs11 library runs.

By configuring Futurex PKCS #11 with Oracle Database, you can generate the TDE master encryption key and store it on the {{k3}} for encrypting the Oracle table keys.

Integration overview

This guide shows you how to configure the {{futurex}} PKCS #11 library to serve as an interface for Oracle TDE to connect to a {{k3}} HSM wallet, based on https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/configuring-transparent-data-encryption.html

To complete the integration, perform the following tasks:

- Configure the {{futurex}} PKCS #11 library in Oracle
- Configure the {{k3}}
- Edit the {{futurex}} PKCS #11 configuration file
- Generate a TDE master encryption key on the {{k3}}
- Open the wallet or hardware keystore

The following sections show you how to perform these tasks.
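The two-tier key hierarchy described under "Oracle Database 19c TDE integration", as an added sketch that is not Futurex or Oracle code: the MEK stays inside an HSM stand-in, the database persists only wrapped table keys and ciphertext, and a copy of that stored data is unreadable without the original MEK. The names Hsm, Database and readable_without_hsm are hypothetical, an HMAC-SHA256 keystream stands in for the AES that real TDE uses, and PKCS #11 and TLS are not modeled.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream) so the sketch needs no AES library.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"ks" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, data)
    return nonce + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(key, nonce, ct)

class Hsm:  # stand-in for the HSM: the MEK is generated inside and never returned
    def __init__(self):
        self._mek = secrets.token_bytes(32)
    def wrap(self, table_key):
        return seal(self._mek, table_key)
    def unwrap(self, wrapped):
        return unseal(self._mek, wrapped)

class Database:  # persists only wrapped table keys and ciphertext, like a data file
    def __init__(self, hsm):
        self.hsm, self.wrapped_keys, self.rows = hsm, {}, {}
    def create_table(self, name):
        self.wrapped_keys[name] = self.hsm.wrap(secrets.token_bytes(32))  # one key per table
        self.rows[name] = []
    def insert(self, name, value):
        key = self.hsm.unwrap(self.wrapped_keys[name])  # plaintext table key is transient
        self.rows[name].append(seal(key, value.encode()))
    def select(self, name):
        key = self.hsm.unwrap(self.wrapped_keys[name])
        return [unseal(key, row).decode() for row in self.rows[name]]

def readable_without_hsm(db, table):
    copy = Database(Hsm())  # fresh HSM stand-in: the original MEK is absent
    copy.wrapped_keys, copy.rows = dict(db.wrapped_keys), dict(db.rows)
    try:
        return bool(copy.select(table))
    except ValueError:
        return False
```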