Using software protected encryption keys with Autonomous Database

  • March 17, 2021
  • Posted by: Konstantin Gork
  • Category: Databases
No Comments

 

In addition to the HSM protected keys explained in my earlier blog on customer controlled encryption keys, the Autonomous database service on dedicated infrastructure now supports software protected keys. Software keys function exactly like their HSM counterparts, excepts they are stored in a software filesystem instead of an HSM device.  Software keys are encrypted at rest using an HSM based root key so while you could argue they are less secure than keys you store directly in your private HSM vault, they do offer a cost-effective way to store your MEKs in a protected key management service off the database host. Yes…cost effective as in they are free.

Additionally, software protected keys can be exported to other key management devices. So if you plan to move an autonomous database from a public cloud region to say, a cloud@customer and would like to move the MEKs  over to your on-premises Oracle Key Vault, then using software keys while in public cloud is a better option.

The method to deploy and use software based MEKs is the same as HSM and has been explained earlier in my blog along with a step by step video tutorial. Simply pick ‘Software’ in the protection mode dropdown when you provision a key in the Vault service in OCI.

 

Rest of the process to associate this key with your Autonomous Container Database deployment is the same as HSM keys. The ADB deployment UX does not change either.

Software protected keys can be rotated periodically through the UI / REST APIs just like HSM based keys. Cloning autonomous databases using software MEKs works the same as well. You simply clone as usual and then rotate the keys on the clone so it has its own unique key. 

My colleague Fredrick Bosco has explained software protected encryption keys and their usage for other OCI service is great detail in his blog here

If you haven’t tried using an Autonomous database yet, here’s an easy way to take it for a spin with a free Oracle Cloud Account. You can also keep your account and your database for as long as you like.

If you are thinking ‘Why go Autonomous?’ then Robert Greene’s blog here may help solve that puzzle and here’s another one where he summarizes everything we build last year to make it an exceptional database service.