Fetching encryption key from an external storage

Question and Answer

Connor McDonald

Thanks for the question, BIMAL.

Asked: January 07, 2025 - 12:48 pm UTC

Last updated: January 14, 2025 - 4:14 am UTC

Version: N.A

You Asked

We would like to encrypt data at rest in an Oracle database column (in one specific database table only) using an encryption key held externally in a vault.
Does Oracle provide standard interfaces to make API calls?
The encryption key should not persist in the database in any form.

and Connor said...

I suppose it depends on how "external" you want the key to be.

- Even in simplest form, the encryption key is stored outside the database in a wallet, so it's not visible from the database (via SQL).
- We also have a key management product ( https://www.oracle.com/au/security/database-security/key-vault/ )
- We also have a cloud service ( https://www.oracle.com/au/security/cloud-security/key-management/faq/ )

The last of which also allows interfacing to external key management stores.

So plenty of options there.

Having said that, in general, I've found tablespace encryption far easier to deal with instead of column level encryption. Perhaps consider moving your particular table into its own (encrypted) tablespace.
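
The tablespace approach suggested in the answer, sketched as an added example (not part of Connor's answer or Oracle's own material). The schema `APP`, table `CUSTOMER_SECRETS`, index `CUSTOMER_SECRETS_PK`, tablespace `SECURE_TS` and the datafile path are hypothetical, and a TDE keystore is assumed to be configured already.

```sql
-- Hypothetical names throughout: schema APP, table CUSTOMER_SECRETS,
-- index CUSTOMER_SECRETS_PK, tablespace SECURE_TS, and the datafile path.

-- 1. The TDE keystore (wallet, Key Vault or other external store) must be
--    open and hold a master key before an encrypted tablespace can be created.
SELECT wrl_type, status, wallet_type
FROM   v$encryption_wallet;

-- 2. Create a dedicated encrypted tablespace for the one sensitive table.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  AUTOEXTEND ON NEXT 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Move the table's data segment into the encrypted tablespace.
ALTER TABLE app.customer_secrets MOVE TABLESPACE secure_ts;

-- 4. Indexes store copies of the indexed column values, so they must move too.
--    A plain MOVE also leaves them UNUSABLE, and the rebuild fixes both.
ALTER INDEX app.customer_secrets_pk REBUILD TABLESPACE secure_ts;

-- 5. Verify the tablespace is encrypted ...
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'SECURE_TS';

-- ... and that no table or index segment was left behind in an
--     unencrypted tablespace.
SELECT s.segment_name, s.segment_type, s.tablespace_name, t.encrypted
FROM   dba_segments s
JOIN   dba_tablespaces t ON t.tablespace_name = s.tablespace_name
WHERE  s.owner = 'APP'
AND   (s.segment_name = 'CUSTOMER_SECRETS'
       OR s.segment_name IN (SELECT index_name
                             FROM   dba_indexes
                             WHERE  table_owner = 'APP'
                             AND    table_name  = 'CUSTOMER_SECRETS'));
```

LOB columns live in their own segments and need an explicit `MOVE LOB (...) STORE AS (TABLESPACE ...)` clause. The blocks the table previously occupied in its old tablespace keep the plaintext until they are overwritten.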