Oracle issues a virtual strongbox for enterprise encryption keys
Managing the keys of all your valuable resources, be they in the real world or the virtual, can be a hassle. Managing all the encryption keys for an entire enterprise is a harder challenge still.
A new Oracle appliance, called Oracle Key Vault, promises to simplify encrypting key management, by keeping copies of the thousands, or even hundreds of thousands, of keys an enterprise uses to protect its data and operations.
“Oracle Key Vault is about managing all these keys and credential files centrally,” explained Vipin Samar, Oracle vice president of the database security engineering. “The idea is centrally archive all of these keys, and to provide a way for the end points to access these keys very easily.”
The Oracle Key Vault is also aimed at organizations that have regulatory requirements for managing their keys in a highly systematic manner. How often are keys changed out? How often are they accessed? Who is accessing them? These are all questions the Oracle Key Vault is designed to answer, to the approval of the reviewing regulatory bodies.
Key Vault is only offered in appliance form. Oracle feels more comfortable controlling the entire server itself, rather than relying on the customer to correctly configure all the security settings, Samar said. The appliance is an x86 server running Oracle Linux and the Oracle database, with all of the Oracle Database security features—such as auditing, access control, and encryption—enabled.
“We can publish the best practices but consumers may or may or may not follow all of them,” Samar said. “We wanted to take charge of the security and make sure [the Vault] is really rock solid and stays rock solid.”
Update and bug fix patches for the appliance will be bundled and tested together, and issued every 90 days.
The vault can store keys for Secure Shell, Secure Sockets Layer (SSL), Kerberos keytabs, Oracle Wallet files, Java KeyStores, and other certificates. Oracle Key Vault manages the keys using the industry standard OASIS Key Management Interoperability Protocol (KMIP).
Oracle is not alone in offering vaults for storing encryption keys. SafeNet, WinMagic, Symantec also all offer centralized key management systems as well.
Key Vault can be plugged into other Oracle software products, such as Oracle Database, Oracle Fusion Middleware, Oracle Real Application Clusters, Oracle Active Data Guard and Oracle GoldenGate.
But the software can work with other non-Oracle products as well, and offers all the major features offered by other key management products, Samar said. “We can talk to any end-point that is out there that can talk KMIP,” Samar said.
Oracle will hold a webcast on Aug. 21 to explain how the vault works in greater detail.