Thanks for the question, Olivier.
Asked: November 07, 2019 - 8:53 am UTC
Last updated: November 11, 2019 - 2:32 am UTC
Version: Various
Viewed 1000+ times
You Asked
Hi,
We want to encrypt some on-premise Oracle databases.
If possible, we would like to avoid using a physical HSM or contracting with a third-party HSM cloud provider.
Is it possible to store the KEKs in GCP or Azure, and to interface our local databases with it?
I don't need technical details yet, just information on the possibilities.
Thanks!
Olivier
and Connor said...
This is from the TDE FAQ hosted here:
https://www.oracle.com/database/technologies/faq-tde.html

Can TDE store its master encryption key in an external device using the PKCS11 interface?
Starting in Oracle Database 11g Release 2, customers of Oracle Advanced Security Transparent Data Encryption (TDE) optionally may store the TDE master encryption key in an external device using the PKCS11 interface. In this setup, the master key is stored directly in the third-party device rather than in the included Oracle Wallet (note: the Oracle Wallet is a PKCS12 file-based keystore which is used by most TDE customers).
When using PKCS11, the third-party vendor provides the storage device, PKCS11 software client library, secure communication from the device to the PKCS11 client (running on the database server), authentication, auditing, and other related functionality. The vendor also is responsible for testing and ensuring high-availability of the TDE master encryption key in diverse database server environments and configurations. Customers should contact the device vendor to receive assistance for any related issues.

So as long as your provider supports that, it should be possible.
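As an added illustration (not part of Connor's answer or Oracle's FAQ), here is what the two keystore setups the FAQ contrasts look like on an Oracle 12c single-instance database: the default file-based wallet, and the same database pointed at a PKCS11 HSM, followed by the view that confirms which one is actually in use. The wallet directory, the vendor/version segments of the library path and the HSM credential are placeholders.

```sql
-- (1) Default: TDE master key held in a PKCS12 wallet file on the DB server.
--     sqlnet.ora fragment (not SQL; shown here for contrast):
--       ENCRYPTION_WALLET_LOCATION=
--         (SOURCE=(METHOD=FILE)
--           (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
--     Anyone who can read that file and learn its password can recover the key.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "wallet_password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "wallet_password" WITH BACKUP;

-- (2) External keystore: master key never leaves the HSM; Oracle talks to it
--     through the vendor's PKCS11 library, which must be installed at
--       /opt/oracle/extapi/64/hsm/<VENDOR>/<VERSION>/<libvendor.so>
--     (owned by the oracle OS user). sqlnet.ora then reads:
--       ENCRYPTION_WALLET_LOCATION=
--         (SOURCE=(METHOD=HSM)
--           (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
--     The DIRECTORY is only needed if an existing wallet is being migrated.
--     "hsm_user:hsm_password" is the HSM partition credential, not a wallet password.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm_user:hsm_password";

-- Fresh database: generate the master key inside the HSM.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hsm_user:hsm_password";

-- Existing wallet-based database: re-key under the HSM instead
-- (the old wallet password is required to unwrap the current key).
-- ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hsm_user:hsm_password"
--   MIGRATE USING "wallet_password" WITH BACKUP;

-- Check which keystore the instance is really using: WRL_TYPE is FILE for the
-- wallet, HSM for the external device; STATUS should be OPEN either way.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;
```

Availability of the HSM (network path, credential rotation, failover) becomes part of the database's availability once WRL_TYPE reports HSM, which is why the FAQ pushes testing onto the device vendor.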