Intro
The Role of Oracle Key Vault in Securing Encryption Keys
One of the fundamental aspects of database security is effective key management. A common yet risky practice is storing Transparent Data Encryption (TDE) keys locally. This approach exposes organizations to data loss due to disk corruption or system failures. Furthermore, manually managing encryption keys across multiple Oracle and MySQL databases can be complex and prone to errors, increasing security risks.
Oracle Key Vault (OKV) provides a centralized, secure repository for managing encryption keys, certificates, and secrets. It plays a vital role in enhancing security by:
- Protecting Encryption Keys: OKV ensures that TDE keys and other critical credentials are securely stored, mitigating the risks associated with local key storage.
- Automating Key Management: By streamlining key distribution and rotation, OKV reduces operational overhead and human error.
- Enhancing Compliance: Many regulatory frameworks require robust encryption key management. OKV helps organizations meet compliance standards by providing a secure and auditable key management solution.
- Supporting Disaster Recovery: Backing up encryption keys to an external, secure repository is crucial for disaster recovery. OKV facilitates seamless recovery processes, ensuring business continuity in case of system failures.
Strengthening Security Best Practices
To mitigate the risks associated with security breaches and ensure robust protection of sensitive data, organizations should adopt the following best practices:
- Implement Centralized Key Management: Use Oracle Key Vault or a similar solution to securely store and manage encryption keys.
- Enforce Strong Access Controls: Restrict access to encryption keys and credentials based on the principle of least privilege.
- Regularly Rotate Keys and Passwords: Frequent key and password rotation reduces the risk of prolonged exposure in the event of a breach.
- Monitor for Anomalous Activity: Use security monitoring tools to detect unauthorized access attempts and potential threats.
- Back Up Encryption Keys Securely: Store backups in an encrypted, external repository to ensure data recovery in case of corruption or loss.
Initial setup.
In the previous article, we set up the admin user to connect to Oracle Key Vault (OKV). Now, use the admin account to log in to the OKV console.
If you need installation guidance, refer to: Protecting Your Encryption Keys: Lessons from the Oracle Cloud Security Breach (OKV – Part 1).
For endpoint creation and registration, I refer to the links below. They provide valuable insights and are highly useful for understanding the concept.
Figure 1: Initial login page
We need to create an endpoint in Oracle Key Vault (OKV). In this example, I have created a database named TWHSE01. Before proceeding, I will first set up the following folder structure.
Note: wallet_root is a special folder where you keep all the OKV files; best practice is to keep the OKV endpoint (EP) installation under the wallet_root folder. The directories below use the TWHSE01 database name so that they match the endpoint installation path used in the rest of this article.
mkdir -p /u01/app/oracle/admin/TWHSE01/wallet_root/tde        # location for TDE keys
mkdir -p /u01/app/oracle/admin/TWHSE01/wallet_root/okv        # location for the OKV endpoint
mkdir -p /u01/app/oracle/admin/TWHSE01/wallet_root/tde_seps   # location for the external SSO key
Create an OKV endpoint (EP)
Overview of EP
Endpoints are Oracle Key Vault clients that securely store and retrieve security objects such as keys, passwords, certificates, and credential files.
These endpoints can include Oracle database servers, Oracle middleware servers, operating systems, and more. They use Oracle Key Vault for long-term secret retention, secure sharing with trusted peers, and on-demand retrieval.
Oracle Key Vault also provides a library that enables Transparent Data Encryption (TDE) to communicate with it. While Oracle Enterprise Manager can manage database server endpoints in Oracle Key Vault, it does not support TDE integration with Key Vault.
Default wallet
Create a default wallet and click Save. In this example, I have created WL_TWHSE01.
Download EP
Before downloading, be sure to note the token key, as it is required to download the endpoint software. The token key is shown in the endpoint's details.
Figure 5: Token
Log out of Oracle Key Vault, return to the main login window, and click Endpoint Enrollment and Software Download.
Install the Endpoint
This file is crucial. After installation, be sure to remove it from the server. To simplify identification, name each endpoint software after the corresponding database.
In this example, I copied the file to the wallet_root/okv folder and renamed it to okvclient_TWHSE01.jar.
Note: For security best practices, ensure you delete this file after installation to prevent potential exploitation by hackers.
For the endpoint installation, I am using 0KV2025! as both the endpoint password and the external OKV password. Since the TDE keystore is file-based, I will use F1LE2025! for it.
- Endpoint password: 0KV2025!
- TDE password: F1LE2025!
Use the command below to install:
$ORACLE_HOME/jdk/bin/java -jar /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar -d /u01/app/oracle/admin/TWHSE01/wallet_root/okv -v
Sample installation output
[oracle@crs01 wallet_root]$ $ORACLE_HOME/jdk/bin/java -jar /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar -d /u01/app/oracle/admin/TWHSE01/wallet_root/okv -v
Detected JAVA_HOME: /u01/app/oracle/product/19.0.0/dbhome_1/jdk
Detected ORACLE_HOME: /u01/app/oracle/product/19.0.0/dbhome_1
Detected ORACLE_BASE: /u01/app/oracle
Using OKV_HOME: /u01/app/oracle/admin/TWHSE01/wallet_root/okv
Please set environment variables ORACLE_HOME, ORACLE_BASE, and OKV_HOME consistently across processes.
Enter new Key Vault endpoint password (<enter> for auto-login): 0KV2025!
Confirm new Key Vault endpoint password: 0KV2025!
The endpoint software for Oracle Key Vault installed successfully.
Deleted the file : /u01/app/oracle/admin/TWHSE01/wallet_root/okv/okvclient_TWHSE01.jar
[oracle@crs01 wallet_root]$
Run root.sh
As root, run the root.sh script. This script creates the directory tree /opt/oracle/extapi/64/hsm/oracle/1.0.0, sets the appropriate ownership and permissions, and copies the PKCS#11 library liborapkcs.so into that directory. Oracle Database uses this library to communicate with OKV.
Sample root.sh Script execution output
[root@crs01 oracle]# /u01/app/oracle/admin/TWHSE01/wallet_root/okv/bin/root.sh
Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Setting PKCS library file permissions
Installation successful.
[root@crs01 oracle]#
Before the installation, the endpoint status was REGISTERED.
After the installation, the endpoint status changed to ENROLLED.
Environment Variables.
To complete the installation, all environment variables must be set correctly. When migrating TDE to OKV, these variables must point the database and the OKV client at the correct paths.
The important variables are ORACLE_HOME, ORACLE_SID, OKV_HOME and JAVA_HOME.
export ORACLE_BASE=/u01/app/oracle
export DB_HOME=$ORACLE_BASE/product/19.0.0/dbhome_1
export ORACLE_HOME=$DB_HOME
export ORACLE_SID=TWHSE01
export ORACLE_TERM=xterm
export OKV_HOME=/u01/app/oracle/admin/TWHSE01/wallet_root/okv
export JAVA_HOME=/u01/app/oracle/product/19.0.0/dbhome_1/jdk
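The following post-install check is an added example, not part of the original article or of Oracle's tooling. It verifies the wallet_root layout created above, that the endpoint install wrote okvclient.ora, that root.sh dropped liborapkcs.so, that no okvclient*.jar was left on the server, and that the keystore directories are owner-only. The two paths are passed as arguments; the 700 mode and the TWHSE01 paths are assumptions taken from this article.

```shell
#!/bin/sh
# Added post-install verification for an OKV endpoint (example code, not from the article).
# check_okv_install WALLET_ROOT EXTAPI_DIR  -> returns 0 when everything is in place.

check_okv_install() {
    wallet_root="$1"   # e.g. /u01/app/oracle/admin/TWHSE01/wallet_root
    extapi_dir="$2"    # e.g. /opt/oracle/extapi/64/hsm/oracle/1.0.0 (created by root.sh)
    rc=0
    # The three subdirectories created before the install.
    for d in tde okv tde_seps; do
        [ -d "$wallet_root/$d" ] || { echo "MISSING dir: $wallet_root/$d"; rc=1; }
    done
    # The endpoint installer writes its configuration under OKV_HOME/conf.
    [ -f "$wallet_root/okv/conf/okvclient.ora" ] \
        || { echo "MISSING: $wallet_root/okv/conf/okvclient.ora"; rc=1; }
    # root.sh copies the PKCS#11 library the database uses to talk to OKV.
    [ -f "$extapi_dir/liborapkcs.so" ] \
        || { echo "MISSING: $extapi_dir/liborapkcs.so"; rc=1; }
    # The downloaded endpoint jar must not remain on the server after install.
    for jar in "$wallet_root"/okv/okvclient*.jar; do
        [ -e "$jar" ] && { echo "LEFTOVER jar: $jar"; rc=1; }
    done
    # TDE keystore and tde_seps secret directories: owner-only access (assumed policy).
    for d in tde tde_seps; do
        p="$wallet_root/$d"
        mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p" 2>/dev/null)
        case "$mode" in
            700) ;;
            *) echo "PERMS: $p is mode '$mode', expected 700"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: OKV endpoint layout looks complete"
    return "$rc"
}

# usage: check_okv_install /u01/app/oracle/admin/TWHSE01/wallet_root /opt/oracle/extapi/64/hsm/oracle/1.0.0
```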
Upload TDE keys to OKV
Now, let’s upload the TDE keys to the endpoint using the following command to add them to the OKV wallet.
[oracle@crs01 bin]$ ./okvutil upload -h
Usage 1: okvutil upload -l <location> -t <type> [-o] [-g <group>]
         type := WALLET | JKS | JCEKS
Usage 2: okvutil upload -l <location> -t <type> [-o] [-g <group>] [-d <description>]
         type := SSH | KERBEROS | TDE_KEY_BYTES | OTHER
Usage 3: okvutil upload -l <location> -t <type> -U <SSH-user> -L <length> [-g <group>] [-i <SSH-private-key-id>] [-d <description>]
         type := SSH_PUBLIC_KEY
Usage 4: okvutil upload -l <location> -t <type> -U <SSH-user> -L <length> [-g <group>] [-d <description>]
         type := SSH_PRIVATE_KEY

Description:
  Use the upload command to upload data to the server.

Options:
  -l, --location <location>
      Read information from <location>. For wallets, point to the directory containing the wallet. For all other types, point to the file.
  -t, --type <type>
      Type of store. type := WALLET | JKS | JCEKS | SSH | KERBEROS | TDE_KEY_BYTES | SSH_PUBLIC_KEY | SSH_PRIVATE_KEY | OTHER
  -o, --overwrite
      Overwrite any conflicting data on the server with the data to upload.
  -g, --group <group>
      Name of object group (Oracle Key Vault virtual wallet). Note that group must exist and the endpoint must have sufficient access privileges.
  -d, --description <description>
      Add a free-form description. This option is only valid when the source file type is one that Oracle Key Vault stores as a single object (OTHER, KERBEROS, SSH, TDE_KEY_BYTES, SSH_PUBLIC_KEY).
  -i, --item <SSH-private-key-id>
      ID of the SSH private key linked to the SSH public key.
  -U, --ssh-user <SSH-user>
      SSH user who owns the SSH public or private key.
  -L, --length <length>
      Length (in bits) of the SSH public or private key to be uploaded.

Example:
  * okvutil upload -l . -t wallet -g Group1
  * okvutil upload -l foo.txt -t other -d description
  * okvutil upload -l tde_key_bytes.txt -t tde_key_bytes -d master_key_for_db
  * okvutil upload -l ./keystore.jks -t jks -g Group2
[oracle@crs01 bin]$
/u01/app/oracle/admin/SWHSE01/okv/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/SWHSE01/wallet/tde -g WL_SWHSE01 -v 4
Sample output:
[oracle@crs01 bin]$ pwd
/u01/app/oracle/admin/SWHSE01/okv/bin
[oracle@crs01 bin]$ /u01/app/oracle/admin/SWHSE01/okv/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/SWHSE01/wallet/tde -g WL_SWHSE01 -v 4
okvutil version 21.10.0.0.0
Endpoint type: Oracle Database
Configuration file: /u01/app/oracle/admin/SWHSE01/okv/conf/okvclient.ora
Server: 192.168.56.210:5696
Standby Servers:
Uploading from /u01/app/oracle/admin/SWHSE01/wallet/tde
Enter source wallet password:
No auto-login wallet found, password needed
Enter Oracle Key Vault endpoint password:
ORACLE.SECURITY.ID.ENCRYPTION.
Trying to connect to 192.168.56.210:5696 ...
Connected to 192.168.56.210:5696.
ORACLE.SECURITY.KB.ENCRYPTION.
Trying to connect to 192.168.56.210:5696 ...
Connected to 192.168.56.210:5696.
ORACLE.SECURITY.KM.ENCRYPTION.AUjX3D9pzU9xv0601AarqbMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AUjX3D9pzU9xv0601AarqbMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Uploaded 1 TDE keys
Uploaded 0 SEPS entries
Uploaded 0 other secrets
Uploaded 3 opaque objects
Uploading private key
Uploading certificate request
Uploading trust points
Uploaded 1 private keys
Uploaded 1 certificate requests
Uploaded 0 user certificates
Uploaded 0 trust points
Upload succeeded
[oracle@crs01 bin]$
Migrate TDE keys to OKV
Add a secret to allow use of “External Store”.
I will securely store the OKV password in the keystore as a secret, allowing the use of the EXTERNAL STORE option instead of manually entering the password.
Next, I will create the external store secret in the database and then migrate the existing encryption keys to Oracle Key Vault (OKV). The secret keystore is stored in the following directory: /u01/app/oracle/admin/TWHSE01/wallet_root/tde_seps
ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2025!' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/u01/app/oracle/admin/TWHSE01/wallet_root/tde_seps';
Note: As mentioned in the previous post:
- The keystore must be located in a subdirectory of WALLET_ROOT named “tde_seps” to be recognized.
- The “FOR CLIENT” entry must be ‘OKV_PASSWORD’ for proper detection.
- The keystore must be set to AUTO_LOGIN to ensure it can be opened and used automatically.
Enabling Auto Login for Oracle Key Vault (OKV) Keystore
To streamline access to the Oracle Key Vault (OKV) keystore, I will store the OKV password as a secret within the keystore. This setup enables AUTO_LOGIN, eliminating the need for manual password entry when accessing the OKV keystore.
The database can securely authenticate with OKV by configuring auto-login, ensuring seamless key management while maintaining strong encryption security.
Note: Before creating a new OKV SSO file, back up the current SSO file.
ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2025!' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/u01/app/oracle/admin/TWHSE01/wallet_root/tde';
The parameter “KEYSTORE_CONFIGURATION=OKV|FILE” means that the database will get the encryption key from OKV and the auto_login file cwallet.sso from local disk.
alter system set tde_configuration = "KEYSTORE_CONFIGURATION=OKV|FILE" scope=both sid='*';
Validate the wallet status
SQL> set lines 600
SQL> col WALLET for a20
SQL> col WALLET_LOCATION for a80
SQL> select WRL_TYPE wallet, status, WALLET_TYPE, wrl_parameter wallet_location, KEYSTORE_MODE from v$encryption_wallet;

WALLET               STATUS                         WALLET_TYPE          WALLET_LOCATION                                                                  KEYSTORE
-------------------- ------------------------------ -------------------- -------------------------------------------------------------------------------- --------
FILE                 OPEN                           UNKNOWN              /u01/app/oracle/admin/SWHSE01/wallet/tde/                                        NONE
OKV                  CLOSED                         UNKNOWN                                                                                               NONE
FILE                 OPEN                           UNKNOWN                                                                                               UNITED
OKV                  CLOSED                         UNKNOWN                                                                                               UNITED
FILE                 OPEN                           UNKNOWN                                                                                               UNITED
OKV                  CLOSED                         UNKNOWN                                                                                               UNITED

6 rows selected.
SQL>

ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2025!"; -- OKV file-based password

WALLET               STATUS                         WALLET_TYPE          WALLET_ORDER         WALLET_LOCATION                                                                  KEYSTORE
-------------------- ------------------------------ -------------------- -------------------- -------------------------------------------------------------------------------- --------
FILE                 OPEN_NO_MASTER_KEY             AUTOLOGIN            SINGLE               /u01/app/oracle/admin/TWHSE01/wallet_root/tde/                                   NONE
OKV                  OPEN_NO_MASTER_KEY             OKV                  SINGLE
SQL>
Migrate the FILE local wallet to OKV
Now, execute the key migration command. This command must complete successfully to ensure full integration with OKV.
SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "0KV2025!" MIGRATE USING "F1LE2025!" WITH BACKUP;

keystore altered.
Validate wallet status
SQL> @tde_status.sql

WALLET               STATUS                         WALLET_TYPE          WALLET_ORDER         WALLET_LOCATION                                                                  KEYSTORE
-------------------- ------------------------------ -------------------- -------------------- -------------------------------------------------------------------------------- --------
FILE                 OPEN                           AUTOLOGIN            SECONDARY            /u01/app/oracle/admin/TWHSE01/wallet_root/tde/                                   NONE
OKV                  OPEN                           OKV                  PRIMARY                                                                                               NONE
SQL>
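As an added example (not part of the original article), the helper below reads a v$encryption_wallet listing like the one printed by tde_status.sql above (first four columns WALLET, STATUS, WALLET_TYPE, WALLET_ORDER) and succeeds only when OKV is the OPEN PRIMARY keystore, FILE is the OPEN AUTOLOGIN SECONDARY, and no row is still CLOSED or OPEN_NO_MASTER_KEY. The sample listings are constructed from the before and after states shown in this article; a partial case with one container still CLOSED is added to show the failure mode.

```shell
#!/bin/sh
# Added migration check (example code, not from the article): feed it the
# v$encryption_wallet listing on stdin; exit 0 means every row is in the
# expected post-migration state, exit 1 otherwise.
tde_migrated() {
    awk '
        $1 == "OKV"  && $2 == "OPEN" && $3 == "OKV"       && $4 == "PRIMARY"   { okv++ }
        $1 == "FILE" && $2 == "OPEN" && $3 == "AUTOLOGIN" && $4 == "SECONDARY" { file++ }
        ($1 == "OKV" || $1 == "FILE") && $2 != "OPEN"                          { bad++ }
        END { exit (okv > 0 && file > 0 && bad == 0) ? 0 : 1 }'
}

# Constructed from the listing after SET KEYSTORE OPEN, before MIGRATE USING.
BEFORE_MIGRATION='FILE  OPEN_NO_MASTER_KEY  AUTOLOGIN  SINGLE  /u01/app/oracle/admin/TWHSE01/wallet_root/tde/  NONE
OKV   OPEN_NO_MASTER_KEY  OKV        SINGLE'

# Constructed from the listing after SET ENCRYPTION KEY ... MIGRATE USING ... WITH BACKUP.
AFTER_MIGRATION='FILE  OPEN  AUTOLOGIN  SECONDARY  /u01/app/oracle/admin/TWHSE01/wallet_root/tde/  NONE
OKV   OPEN  OKV        PRIMARY    NONE'

# Constructed: a PDB whose OKV keystore is still CLOSED must fail the check.
PARTIAL_MIGRATION="$AFTER_MIGRATION
OKV   CLOSED  UNKNOWN  SINGLE  UNITED"

report() {
    name="$1"; listing="$2"
    if printf '%s\n' "$listing" | tde_migrated; then
        echo "$name: migrated to OKV"
    else
        echo "$name: NOT fully migrated"
    fi
}

report before  "$BEFORE_MIGRATION"
report after   "$AFTER_MIGRATION"
report partial "$PARTIAL_MIGRATION"
```

Pipe the real output of the query into tde_migrated (for example from a sqlplus -s run) to use it as a post-change gate.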