Configuring Oracle TDE with HSM
Configuration Steps
- Configure SQLNET.ORA to Use HSM for Key Management. Update the sqlnet.ora file so that the ENCRYPTION_WALLET_LOCATION parameter names the HSM (METHOD=HSM) instead of a wallet directory (METHOD=FILE):
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=HSM))
With this setting the TDE master encryption key is created inside the HSM and never leaves it. The database still wraps its column and tablespace keys with that master key, but every operation that needs the master key is delegated to the HSM through the vendor's PKCS#11 library. Oracle loads that library from a fixed location (/opt/oracle/extapi/64/hsm/<vendor>/<version>/ on 64-bit Linux and UNIX), so install it there before continuing. On Oracle Database 18c and later, prefer the WALLET_ROOT and TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" initialization parameters; the sqlnet.ora entry is deprecated there.
- Open the HSM Keystore. The HSM does not open itself: the database must authenticate to it with the HSM user (partition) credentials, passed as one string of the form "user_id:password". With the sqlnet.ora configuration above (Oracle Database 11g syntax) the command is:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_user:hsm_password";
On 12c and later the equivalent is ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm_user:hsm_password"; there is no ALTER SYSTEM SET KEYSTORE OPEN form. Use double quotes so that the colon and any special characters in the password are passed exactly.
- Generate the Master Encryption Key in the HSM. With the keystore open, create the TDE master encryption key; because METHOD=HSM is configured, the key is generated inside the HSM and the database records only a reference to it:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password";
On 12c and later use ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hsm_user:hsm_password"; the WITH BACKUP clause used for software keystores does not apply to an HSM. If the database already has a software wallet with a master key, do not run this command as is: add MIGRATE USING "wallet_password" so that the existing data keys are re-encrypted under the HSM key.
- Verify the HSM Key is Loaded. Query V$ENCRYPTION_WALLET; WRL_TYPE shows which keystore backend the instance is using and STATUS whether it is open:
SELECT WRL_TYPE, STATUS, WALLET_TYPE FROM V$ENCRYPTION_WALLET;
Expected Output:
WRL_TYPE STATUS WALLET_TYPE
-------- ------ -----------
HSM      OPEN   HSM
A STATUS other than OPEN (CLOSED, or OPEN_NO_MASTER_KEY on 12c and later) means one of the steps above did not succeed. The WALLET_TYPE column exists from Oracle Database 12c onward; on 11g select WRL_TYPE and STATUS only.
- Restart the Database. Restart so the instance picks up the sqlnet.ora change if it was edited while the instance was running. The restart does not persist the open state: after every restart the HSM keystore is closed until the credentials are supplied again, so repeat the open step (or configure an auto-login keystore that stores the HSM credentials, see below).
shutdown immediate;
startup;
Key Differences in Configuration with and without HSM
Configure Wallet Location:
- Without HSM (Software Wallet): Point sqlnet.ora at the wallet directory: ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/path/to/wallet))). The value is a directory, not a file; the wallet files (ewallet.p12 and, for auto-login, cwallet.sso) are created inside it.
- With HSM (External KMS / PKCS#11): Configure sqlnet.ora with METHOD=HSM. No directory is needed unless an auto-login keystore holding the HSM credentials is used.
Open the Wallet:
- Without HSM:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";
- With HSM (the credential is the HSM user and password, colon-separated):
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_user:hsm_password";
Generate Master Key:
- Without HSM:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password";
- With HSM:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password";
Auto-login Setup:
- Without HSM: Auto-login is not automatic. cwallet.sso must be created from the password wallet (orapki wallet create -wallet /path/to/wallet -auto_login, or ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE on 12c and later). Once it exists the database opens the wallet at startup without a password, so restrict the directory to the Oracle software owner with filesystem permissions.
- With HSM: There is no cwallet.sso for the master key, because the key never leaves the HSM. The database still has to authenticate to the HSM after every restart, either manually (the open step above) or through an auto-login keystore that stores the HSM credentials (12c and later: ADMINISTER KEY MANAGEMENT ADD SECRET 'hsm_user:hsm_password' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/path/to/wallet'). Auto-login trades credential protection for availability: anyone who can read that auto-login wallet can open the HSM keystore.
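The two sequences above (the configuration steps and the with/without HSM comparison), as an added example that is not taken from the original page, written in the ADMINISTER KEY MANAGEMENT syntax of Oracle Database 12c and later; the ALTER SYSTEM forms used above are the deprecated 11g equivalents. The wallet directory /etc/oracle/wallet and the credentials wallet_password and hsm_user:hsm_password are placeholders, not values from the page.

```sql
-- Added example, not from the original page. Oracle Database 12c+ syntax.
-- Placeholders: /etc/oracle/wallet, "wallet_password", "hsm_user:hsm_password".

-- ---------- Software keystore (no HSM) ----------
-- sqlnet.ora (pre-18c) points at the DIRECTORY, never at a file:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/oracle/wallet)))
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/oracle/wallet'
  IDENTIFIED BY "wallet_password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "wallet_password";
-- WITH BACKUP copies ewallet.p12 before the new key is written; keep that copy offline.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "wallet_password" WITH BACKUP USING 'first_master_key';
-- Auto-login is opt-in: this statement is what creates cwallet.sso.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/oracle/wallet' IDENTIFIED BY "wallet_password";

-- ---------- HSM keystore ----------
-- sqlnet.ora (pre-18c): ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
-- 18c+: WALLET_ROOT plus TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM"
-- The credential is the HSM user and password joined by a colon; quote it with double quotes.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "hsm_user:hsm_password";
-- The master key is generated inside the HSM; WITH BACKUP does not apply.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "hsm_user:hsm_password";
-- If a software keystore with a master key already exists, migrate instead of
-- creating a fresh key, so the existing data keys are re-wrapped under the HSM key:
--   ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password"
--     MIGRATE USING "wallet_password" WITH BACKUP;

-- ---------- Verification (both cases) ----------
-- WRL_TYPE = FILE or HSM tells you which backend is active; STATUS must be OPEN.
-- Expected for the HSM case:  WRL_TYPE=HSM  STATUS=OPEN  WALLET_TYPE=HSM
SELECT WRL_TYPE, WRL_PARAMETER, STATUS, WALLET_TYPE
  FROM V$ENCRYPTION_WALLET;
```

Run the statements as a user with SYSKM (or SYSDBA); in a multitenant database the keystore operations are issued in the root and, depending on release and united/isolated mode, in each PDB. After a restart, re-run the SELECT first: an HSM keystore will show STATUS=CLOSED until the open statement is repeated or an auto-login keystore with the HSM credentials is in place.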
Note
Ensure that the HSM user (or token PIN) is created and properly permissioned before proceeding with the TDE configuration in Oracle. The database connects to the HSM as this user, so it needs permission to generate and use keys on the partition, and its credentials are exactly what is passed in the IDENTIFIED BY clause. Without this, opening the keystore and creating the master key will fail.