Protecting Your Encryption Keys (OKV – Part 2)
Intro
The Role of Oracle Key Vault in Securing Encryption Keys
One of the fundamental aspects of database security is effective key
management. A common yet risky practice is storing Transparent Data
Encryption (TDE) keys locally. This approach exposes organizations to data
loss due to disk corruption or system failures. Furthermore, manually
managing encryption keys across multiple Oracle and MySQL databases can be
complex and prone to errors, increasing security risks.
Oracle Key Vault (OKV) provides a centralized, secure repository for
managing encryption keys, certificates, and secrets. It plays a vital role
in enhancing security by:
- Protecting Encryption Keys: OKV ensures that TDE keys and other critical credentials are securely stored, mitigating risks associated with local key storage.
- Automating Key Management: By streamlining key distribution and rotation, OKV reduces operational overhead and human error.
- Enhancing Compliance: Many regulatory frameworks require robust encryption key management. OKV helps organizations meet compliance standards by providing a secure and auditable key management solution.
- Supporting Disaster Recovery: Backing up encryption keys to an external, secure repository is crucial for disaster recovery. OKV facilitates seamless recovery processes, ensuring business continuity in case of system failures.
Strengthening Security Best Practices
To mitigate the risks associated with security breaches and ensure robust
protection of sensitive data, organizations should adopt the following best
practices:
- Implement Centralized Key Management: Use Oracle Key Vault or similar solutions to securely store and manage encryption keys.
- Enforce Strong Access Controls: Restrict access to encryption keys and credentials based on the principle of least privilege.
- Regularly Rotate Keys and Passwords: Frequent key and password rotation reduces the risk of prolonged exposure in the event of a breach.
- Monitor for Anomalous Activity: Utilize security monitoring tools to detect unauthorized access attempts and potential threats.
- Backup Encryption Keys Securely: Store backups in an encrypted, external repository to ensure data recovery in case of corruption or loss.
Initial setup.
In the previous article, we set up the admin user to connect to Oracle Key
Vault (OKV). Now, use the admin account to log in to the OKV console.
If you need installation guidance, refer to: Protecting Your Encryption Keys: Lessons from the Oracle Cloud Security Breach (OKV – Part 1).
For endpoint creation and registration, I refer to the link below. It provides valuable insights and is highly useful for understanding the concept.
https://www.dbi-services.com/blog/add-oracle-database-server-to-oracle-key-vault-okv-from-scratch-only-with-restfull-api/
Figure 1: Initial login page
We need to create an endpoint in Oracle Key Vault (OKV). In this example, I have created a database named TWHSE01. Before proceeding, I will first set up the following folder structure.
Note: wallet_root is a special folder where you keep all the OKV files; best practice is to keep the OKV endpoint (EP) installation under the wallet_root folder.
mkdir -p /u01/app/oracle/admin/TWHSE01/wallet_root/tde       # Location for TDE keys
mkdir -p /u01/app/oracle/admin/TWHSE01/wallet_root/okv       # Location for the OKV endpoint
mkdir -p /u01/app/oracle/admin/TWHSE01/wallet_root/tde_seps  # Location for the external SSO key
Create an OKV endpoint (EP)
Overview of EP
Endpoints are Oracle Key Vault clients that securely store and retrieve
security objects such as keys, passwords, certificates, and credential
files.
These endpoints can include Oracle database servers, Oracle middleware
servers, operating systems, and more. They use Oracle Key Vault for
long-term secret retention, secure sharing with trusted peers, and
on-demand retrieval.
Oracle Key Vault also provides a library that enables Transparent Data
Encryption (TDE) to communicate with it. While Oracle Enterprise Manager
can manage database server endpoints in Oracle Key Vault, it does not
support TDE integration with Key Vault.
Now create the endpoint for the TWHSE01 database.
Figure 3: Endpoint
Default wallet
Create a default wallet and click Save. In this example, I have created WL_TWHSE01.
Download EP
Before downloading, be sure to note the token key, as it is required to download the endpoint software. The token key is shown in the endpoint details.
Figure 5: Token
Log out of Oracle Key Vault, return to the main login window, and click Endpoint Enrollment and Software Download. On the Enroll Endpoint & Download Software page, enter the token key and click Enroll to download the endpoint software.
Install the Endpoint
This file is crucial. After installation, be sure to remove it from the server. To simplify identification, name each endpoint software package after the corresponding database. In this example, I copied the file to the wallet_root/okv folder and renamed it to okvclient_TWHSE01.jar.
Note: For security best practices, ensure you delete this file after installation to prevent potential exploitation by hackers.
For the endpoint installation, I am using 0KV2025! as the endpoint and external OKV password. Since TDE is file-based, I will use F1LE2025!.
- Endpoint password: 0KV2025!
- TDE password: F1LE2025!
Use the command below to install:
$ORACLE_HOME/jdk/bin/java -jar /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar -d /u01/app/oracle/admin/TWHSE01/wallet_root/okv -v
Sample installation output
[oracle@crs01 wallet_root]$ $ORACLE_HOME/jdk/bin/java -jar /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar -d /u01/app/oracle/admin/TWHSE01/wallet_root/okv -v
Detected JAVA_HOME: /u01/app/oracle/product/19.0.0/dbhome_1/jdk
Detected ORACLE_HOME: /u01/app/oracle/product/19.0.0/dbhome_1
Detected ORACLE_BASE: /u01/app/oracle
Using OKV_HOME: /u01/app/oracle/admin/TWHSE01/wallet_root/okv
Please set environment variables ORACLE_HOME, ORACLE_BASE, and OKV_HOME
consistently across processes.
Enter new Key Vault endpoint password ( for auto-login): 0KV2025!
Confirm new Key Vault endpoint password: 0KV2025!
The endpoint software for Oracle Key Vault installed successfully.
Deleted the file : /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar
[oracle@crs01 wallet_root]$
Next, run the root.sh script as root. This script creates the directory tree /opt/oracle/extapi/64/hsm/oracle/1.0.0, sets the appropriate ownership and permissions, and copies the PKCS#11 library into that directory. The PKCS#11 library liborapkcs.so is used by Oracle Database to communicate with OKV.
Sample root.sh Script execution output
[root@crs01 oracle]#/u01/app/oracle/admin/TWHSE01/wallet_root/okv/bin/root.sh
Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Setting PKCS library file permissions
Installation successful.
[root@crs01 oracle]#
Before the installation, the endpoint status was REGISTERED. After the installation, the endpoint status changed to ENROLLED.
Environment Variables
To complete the installation, we must properly set up all environment variables. When migrating TDE to OKV, the environment variables must be configured so that the database and okvutil resolve the correct paths. The important variables are ORACLE_HOME, ORACLE_SID, OKV_HOME and JAVA_HOME.
export ORACLE_BASE=/u01/app/oracle
export DB_HOME=$ORACLE_BASE/product/19.0.0/dbhome_1
export ORACLE_HOME=$DB_HOME
export ORACLE_SID=TWHSE01
export ORACLE_TERM=xterm
export OKV_HOME=/u01/app/oracle/admin/TWHSE01/wallet_root/okv
export JAVA_HOME=/u01/app/oracle/product/19.0.0/dbhome_1/jdk
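The following pre-flight check is an added example (not part of the original article or of Oracle's tooling) that verifies the setup built so far before moving on to the key upload: the wallet_root layout, the installed endpoint files, that the okvclient jar was removed as the article advises, that root.sh copied liborapkcs.so, and that OKV_HOME points at the endpoint directory. The default paths are taken from the article and are assumptions for your environment.

```shell
#!/bin/sh
# okv_preflight: check the endpoint layout built in this article before the
# TDE migration. Assumed defaults match the article's paths; override them
# with the two arguments for your own environment.
okv_preflight() {
    wallet_root="${1:-/u01/app/oracle/admin/TWHSE01/wallet_root}"
    extapi_lib="${2:-/opt/oracle/extapi/64/hsm/oracle/1.0.0/liborapkcs.so}"
    rc=0
    # 1. The three directories created under wallet_root (tde, okv, tde_seps).
    for d in tde okv tde_seps; do
        if [ -d "$wallet_root/$d" ]; then echo "ok       $wallet_root/$d"
        else echo "MISSING  $wallet_root/$d"; rc=1; fi
    done
    # 2. Endpoint software installed: okvclient.ora and okvutil must exist.
    for f in conf/okvclient.ora bin/okvutil; do
        if [ -e "$wallet_root/okv/$f" ]; then echo "ok       $wallet_root/okv/$f"
        else echo "MISSING  $wallet_root/okv/$f"; rc=1; fi
    done
    # 3. The downloaded okvclient*.jar must not remain on the server.
    for jar in "$wallet_root"/okv/okvclient*.jar; do
        [ -e "$jar" ] && { echo "LEFTOVER $jar (delete after install)"; rc=1; }
    done
    # 4. root.sh must have placed the PKCS#11 library under /opt/oracle/extapi.
    if [ -r "$extapi_lib" ]; then echo "ok       $extapi_lib"
    else echo "MISSING  $extapi_lib (run root.sh as root)"; rc=1; fi
    # 5. OKV_HOME must point at the okv directory under wallet_root.
    if [ "$OKV_HOME" = "$wallet_root/okv" ]; then echo "ok       OKV_HOME=$OKV_HOME"
    else echo "WRONG    OKV_HOME='$OKV_HOME' (expected $wallet_root/okv)"; rc=1; fi
    return $rc
}
```

Run it as the oracle user after sourcing the environment variables above, for example `okv_preflight /u01/app/oracle/admin/TWHSE01/wallet_root`; a non-zero exit status means at least one check failed.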
Upload TDE keys to OKV
Now, let’s upload the TDE keys to the endpoint using the following
command to add them to the OKV wallet.
[oracle@crs01 bin]$ ./okvutil upload -h
Usage 1: okvutil upload -l <location> -t <type> [-o] [-g <group>]
type := WALLET | JKS | JCEKS
Usage 2: okvutil upload -l <location> -t <type> [-o] [-g <group>] [-d <description>]
type := SSH | KERBEROS | TDE_KEY_BYTES | OTHER
Usage 3: okvutil upload -l <location> -t <type> -U <SSH-user> -L <length> [-g <group>] [-i <SSH-private-key-id>] [-d <description>]
type := SSH_PUBLIC_KEY
Usage 4: okvutil upload -l <location> -t <type> -U <SSH-user> -L <length> [-g <group>] [-d <description>]
type := SSH_PRIVATE_KEY
Description:
Use the upload command to upload data to the server.
Options:
-l, --location <location>
Read information from <location>
For wallets, point to the directory containing the wallet.
For all other types, point to the file.
-t, --type <type>
Type of store.
type := WALLET | JKS | JCEKS | SSH | KERBEROS | TDE_KEY_BYTES | SSH_PUBLIC_KEY | SSH_PRIVATE_KEY | OTHER
-o, --overwrite
Overwrite any conflicting data on the server with the data to upload.
-g, --group <group>
Name of object group (Oracle Key Vault virtual wallet).
Note that group must exist and the endpoint must have sufficient access privileges.
-d, --description <description>
Add a free-form description. This option is only valid when the source file type is one that Oracle Key Vault stores as a single object (OTHER, KERBEROS, SSH, TDE_KEY_BYTES, SSH_PUBLIC_KEY).
-i, --item <SSH-private-key-id>
ID of the SSH private key linked to the SSH public key.
-U, --ssh-user <SSH-user>
SSH user who owns the SSH public or private key.
-L, --length <length>
Length (in bits) of the SSH public or private key to be uploaded.
Example:
* okvutil upload -l . -t wallet -g Group1
* okvutil upload -l foo.txt -t other -d description
* okvutil upload -l tde_key_bytes.txt -t tde_key_bytes -d master_key_for_db
* okvutil upload -l ./keystore.jks -t jks -g Group2
[oracle@crs01 bin]$
/u01/app/oracle/admin/SWHSE01/okv/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/SWHSE01/wallet/tde -g WL_SWHSE01 -v 4
Sample output:
[oracle@crs01 bin]$ pwd
/u01/app/oracle/admin/SWHSE01/okv/bin
[oracle@crs01 bin]$ /u01/app/oracle/admin/SWHSE01/okv/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/SWHSE01/wallet/tde -g WL_SWHSE01 -v 4
okvutil version 21.10.0.0.0
Endpoint type: Oracle Database
Configuration file: /u01/app/oracle/admin/SWHSE01/okv/conf/okvclient.ora
Server: 192.168.56.210:5696
Standby Servers:
Uploading from /u01/app/oracle/admin/SWHSE01/wallet/tde
Enter source wallet password:
No auto-login wallet found, password needed
Enter Oracle Key Vault endpoint password:
ORACLE.SECURITY.ID.ENCRYPTION.
Trying to connect to 192.168.56.210:5696 ...
Connected to 192.168.56.210:5696.
ORACLE.SECURITY.KB.ENCRYPTION.
Trying to connect to 192.168.56.210:5696 ...
Connected to 192.168.56.210:5696.
ORACLE.SECURITY.KM.ENCRYPTION.AUjX3D9pzU9xv0601AarqbMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AUjX3D9pzU9xv0601AarqbMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Uploaded 1 TDE keys
Uploaded 0 SEPS entries
Uploaded 0 other secrets
Uploaded 3 opaque objects
Uploading private key
Uploading certificate request
Uploading trust points
Uploaded 1 private keys
Uploaded 1 certificate requests
Uploaded 0 user certificates
Uploaded 0 trust points
Upload succeeded
[oracle@crs01 bin]$
Migrate TDE keys to OKV
Add a secret to allow use of “External Store”.
I will securely store the OKV password in the keystore as a secret, allowing the use of the EXTERNAL STORE option instead of manually entering the password.
Next, I will create an external key in Oracle Key Vault (OKV) and migrate the existing encryption keys to OKV. The keys will be stored in the following directory:
/u01/app/oracle/admin/TWHSE01/wallet_root/tde_seps
ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2025!' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/u01/app/oracle/admin/TWHSE01/wallet_root/tde_seps';
Note: As mentioned in the previous post:
- The keystore must be located in a subdirectory of WALLET_ROOT named “tde_seps” to be recognized.
- The “FOR CLIENT” entry must be ‘OKV_PASSWORD’ for proper detection.
- The keystore must be set to AUTO_LOGIN to ensure it can be opened and used automatically.
Enabling Auto Login for Oracle Key Vault (OKV) Keystore
To streamline access to the Oracle Key Vault (OKV) keystore, I will store the OKV password as a secret within the keystore. This setup enables AUTO_LOGIN, eliminating the need for manual password entry when accessing the OKV keystore.
The database can securely authenticate with OKV by configuring auto-login, ensuring seamless key management while maintaining strong encryption security.
Note: Before creating a new OKV SSO file, back up the current SSO file.
ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2025!' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/u01/app/oracle/admin/TWHSE01/wallet_root/tde';
The parameter “KEYSTORE_CONFIGURATION=OKV|FILE” means that the database will get the encryption key from OKV and the auto_login file cwallet.sso from local disk.
alter system set tde_configuration = "KEYSTORE_CONFIGURATION=OKV|FILE" scope=both sid='*';
Validate the wallet status
SQL> set lines 600
SQL> col WALLET for a20
SQL> col WALLET_LOCATION for a80
SQL> select WRL_TYPE wallet,status,WALLET_TYPE,wrl_parameter wallet_location,KEYSTORE_MODE from v$encryption_wallet;
WALLET STATUS WALLET_TYPE WALLET_LOCATION KEYSTORE
-------------------- ------------------------------ -------------------- -------------------------------------------------------------------------------- --------
FILE OPEN UNKNOWN /u01/app/oracle/admin/SWHSE01/wallet/tde/ NONE
OKV CLOSED UNKNOWN NONE
FILE OPEN UNKNOWN UNITED
OKV CLOSED UNKNOWN UNITED
FILE OPEN UNKNOWN UNITED
OKV CLOSED UNKNOWN UNITED
6 rows selected.
SQL>
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2025!"; -- OKV file based password
WALLET STATUS WALLET_TYPE WALLET_ORDER WALLET_LOCATION KEYSTORE
-------------------- ------------------------------ -------------------- -------------------- -------------------------------------------------------------------------------- --------
FILE OPEN_NO_MASTER_KEY AUTOLOGIN SINGLE /u01/app/oracle/admin/TWHSE01/wallet_root/tde/ NONE
OKV OPEN_NO_MASTER_KEY OKV SINGLE
SQL>
Migrate the FILE local wallet to OKV
Now, execute the key migration command. This command must complete successfully to ensure full integration with OKV.
SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "0KV2025!" MIGRATE USING "F1LE2025!" WITH BACKUP;
keystore altered.
Validate wallet status
SQL> @tde_status.sql
WALLET STATUS WALLET_TYPE WALLET_ORDER WALLET_LOCATION KEYSTORE
-------------------- ------------------------------ -------------------- -------------------- -------------------------------------------------------------------------------- --------
FILE OPEN AUTOLOGIN SECONDARY /u01/app/oracle/admin/TWHSE01/wallet_root/tde/ NONE
OKV OPEN OKV PRIMARY NONE
SQL>
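The three v$encryption_wallet listings above (OKV CLOSED, OPEN_NO_MASTER_KEY, and finally OKV OPEN/PRIMARY with FILE demoted to SECONDARY) are the signal that the migration actually landed. The following added example (not from the article or from Oracle) classifies such a listing so the check can be scripted; the sample listings are constructed from the output shown in the article, and the column order is assumed to match the tde_status.sql query used there.

```shell
#!/bin/sh
# tde_wallet_state: classify the v$encryption_wallet listing produced by the
# status query in this article (columns WALLET STATUS WALLET_TYPE WALLET_ORDER
# WALLET_LOCATION KEYSTORE). Reads the listing on stdin, prints one state and
# exits 0 only when the master key lives in OKV (OKV OPEN and PRIMARY).
tde_wallet_state() {
    awk '
        # Ignore the header, the dashed separator, blank lines and SQL> prompts.
        $1 != "FILE" && $1 != "OKV" { next }
        $1 == "OKV"  { okv_seen = 1; okv_status = $2; okv_order = $4 }
        $1 == "FILE" { file_order = $4 }
        END {
            if (!okv_seen)                          { print "FILE_ONLY";     exit 1 }
            if (okv_status == "CLOSED")             { print "OKV_CLOSED";    exit 1 }
            if (okv_status == "OPEN_NO_MASTER_KEY") { print "NO_MASTER_KEY"; exit 1 }
            if (okv_status == "OPEN" && okv_order == "PRIMARY" && file_order == "SECONDARY") {
                print "MIGRATED"; exit 0
            }
            print "UNEXPECTED"; exit 1
        }'
}

# Constructed samples copied from the listings shown in the article.
sample_before_migration() {
    cat <<'EOF'
WALLET  STATUS             WALLET_TYPE WALLET_ORDER WALLET_LOCATION KEYSTORE
------- ------------------ ----------- ------------ --------------- --------
FILE    OPEN_NO_MASTER_KEY AUTOLOGIN   SINGLE       /u01/app/oracle/admin/TWHSE01/wallet_root/tde/ NONE
OKV     OPEN_NO_MASTER_KEY OKV         SINGLE
EOF
}
sample_after_migration() {
    cat <<'EOF'
WALLET  STATUS WALLET_TYPE WALLET_ORDER WALLET_LOCATION KEYSTORE
------- ------ ----------- ------------ --------------- --------
FILE    OPEN   AUTOLOGIN   SECONDARY    /u01/app/oracle/admin/TWHSE01/wallet_root/tde/ NONE
OKV     OPEN   OKV         PRIMARY      NONE
EOF
}
```

In practice, pipe the spooled output of tde_status.sql into `tde_wallet_state` and let a non-zero exit status fail the migration runbook step.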
Conclusion
evolving threat landscape. While Oracle Cloud provides strong security
capabilities, organizations must take a proactive approach to encryption key
management and data protection. Implementing solutions like Oracle Key Vault
enhances security, streamlines compliance, and safeguards sensitive
information against potential breaches. By prioritizing robust key management
strategies, organizations can significantly reduce risks and ensure the
integrity of their cloud environments.