We would like to encrypt data at rest in an Oracle database column (in one specific database table only) using an encryption key held externally in a vault.
Does Oracle provide standard interfaces to make API calls?
The encryption key should not persist in the database in any form.
I suppose it depends on how "external" you want the key to be:
- Even in the simplest form, the encryption key is stored outside the database in a wallet, so it's not visible from the database (via SQL).
- We also have a key management product ( https://www.oracle.com/au/security/database-security/key-vault/ )
- We also have a cloud service ( https://www.oracle.com/au/security/cloud-security/key-management/faq/ )
the last of which also allows interfacing to external key management stores.
So plenty of options there.
Having said that, in general, I've found tablespace encryption far easier to deal with instead of column-level encryption. Perhaps consider moving your particular table into its own (encrypted) tablespace.
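
The tablespace approach suggested in the answer above, as an added example that is not part of the original reply: it creates an encrypted tablespace, moves one table (with its indexes and LOBs) into it, and verifies the result. It assumes Oracle 12.2 or later, a TDE keystore that is already configured and open with a master key set, and hypothetical names throughout (`sensitive_ts`, `app_owner.customer_secrets`, `customer_secrets_pk`, LOB column `document`, and the datafile path).

```sql
-- Added example; all object names and the datafile path are placeholders.

-- 1. Confirm the keystore holding the TDE master key is open.
--    STATUS should be OPEN; WRL_TYPE shows where the keystore lives
--    (for example FILE for a wallet, or an external key manager).
SELECT wrl_type, status, wallet_type
FROM   v$encryption_wallet;

-- 2. Create a dedicated encrypted tablespace (12.2+ syntax).
CREATE TABLESPACE sensitive_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/sensitive_ts01.dbf' SIZE 100M
  AUTOEXTEND ON NEXT 50M
  ENCRYPTION USING 'AES256' ENCRYPT;

-- 3. Move the table and its out-of-line LOB segment in one operation.
--    A plain MOVE TABLESPACE leaves LOB segments where they were.
ALTER TABLE app_owner.customer_secrets
  MOVE TABLESPACE sensitive_ts
  LOB (document) STORE AS (TABLESPACE sensitive_ts);

-- 4. An offline move leaves the table's indexes UNUSABLE, and they still
--    sit in the old, unencrypted tablespace. Rebuild each one into the new one.
ALTER INDEX app_owner.customer_secrets_pk REBUILD TABLESPACE sensitive_ts;

-- 5. Verify the tablespace is encrypted ...
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'SENSITIVE_TS';

-- ... and that no segment of the table was left behind elsewhere.
SELECT 'TABLE' AS seg_kind, table_name AS name, tablespace_name
FROM   dba_tables
WHERE  owner = 'APP_OWNER' AND table_name = 'CUSTOMER_SECRETS'
UNION ALL
SELECT 'INDEX', index_name, tablespace_name
FROM   dba_indexes
WHERE  table_owner = 'APP_OWNER' AND table_name = 'CUSTOMER_SECRETS'
UNION ALL
SELECT 'LOB', column_name, tablespace_name
FROM   dba_lobs
WHERE  owner = 'APP_OWNER' AND table_name = 'CUSTOMER_SECRETS';
```

After the move, the blocks the table used to occupy in the original tablespace still hold the old plaintext until they are overwritten, so the source datafiles and any backups taken before the move need to be treated as sensitive.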