Using Fortanix Data Security Manager with Oracle TDE - Introduction

1.0 Introduction

This article describes the TDE process, the TDE key hierarchy, the prerequisites, and the steps to configure Fortanix Data Security Manager (DSM) as the external keystore for Oracle Transparent Data Encryption (TDE).

2.0 Terminology References

  • Fortanix Data Security Manager
    Fortanix DSM is a cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets such as passwords, API keys, tokens, or any other blob of data.

  • TDE – Transparent Data Encryption
    Transparent Data Encryption (TDE) enables you to encrypt sensitive data that you store in tables and tablespaces. Oracle Database uses authentication, authorization, and auditing mechanisms to secure data in the database, but not in the operating system data files where data is stored. To protect these data files, Oracle Database provides Transparent Data Encryption (TDE). To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database, called a keystore. For more information, see Introduction to Transparent Data Encryption.

3.0 TDE Key Hierarchy


Figure 1: TDE key Hierarchy

TDE uses a two-tier key hierarchy to transparently encrypt and decrypt data. The TDE master encryption key, which acts as the key encryption key (KEK), is stored in a security module outside the database: either an Oracle wallet or a Hardware Security Module (HSM) such as Fortanix DSM. The master key encrypts the table or tablespace encryption keys, the data encryption keys (DEKs), which in turn encrypt and decrypt the data in the database files. The DEKs are stored encrypted alongside the database, and only the master key in the keystore can unwrap them.

Fortanix DSM separates ordinary database administration from key management, so the duties of database administrators and security administrators can be kept distinct. Security is improved because the keystore credential need not be known to the database administrator; the security administrator controls it and the master key never leaves the HSM.

4.0 Prerequisites

  • Oracle Database must be on Fortanix DSM-supported versions. Currently, the supported database versions are: 11g R2, 12c, 18c, 19c, 21c, and 23ai. For Oracle 11g, make sure Oracle Database patch 18948524 is applied. This patch enables the Auto-login mode of the HSM wallet.

  • Download the latest Fortanix PKCS#11 library from here. Copy it to the database server.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and its URL must be reachable from the database server(s). To create a Fortanix DSM account, group, and application, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 2: Logging In

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the button on the Groups page to add a new group.

    Figure 3: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the button on the Apps page to add a new app.

    Figure 4: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on the available authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

5.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click the VIEW API KEY DETAILS button.

  3. From the API Key Details dialog box, copy the API Key of the app to be used later. Treat this key as a secret: it grants the app's permissions on the keys in its group, so store it in a protected location on the database server rather than in shell history or a world-readable file.

6.0 Verify Connectivity

  1. Validate the connectivity from the database node(s) to the Fortanix DSM endpoint over HTTPS:

    curl -v https://DSM_ENDPOINT

    The TLS handshake must complete without a certificate error, and the response must carry HTTP status code 200.

6.1 Known Connectivity Issues

  • Outbound TCP port 443 is blocked between the database server and the Fortanix DSM endpoint (a firewall or proxy rule). curl typically reports a connection refused or timed out.

  • The root CA certificate that signed the Fortanix DSM cluster certificate is not present in the database server trust store, so TLS certificate verification fails.
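The check in Section 6.0 and the two failure modes in Section 6.1 are easier to triage with a small script that classifies the result instead of reading verbose curl output. The following is an added example written for this page, not Fortanix's own tooling. It assumes a bash host with curl and openssl, takes the DSM endpoint hostname as its first argument, reads the app's API key from an environment variable named FORTANIX_API_KEY (a name chosen here), and assumes that the DSM REST session endpoint POST /sys/v1/session/auth accepts the API key as an HTTP Basic credential (confirm against the DSM API reference for your version).

```bash
#!/usr/bin/env bash
# Added example (not from the Fortanix page): triage DSM connectivity from an
# Oracle database host. Usage: ./dsm_check.sh <dsm-hostname>
# Assumptions: bash, curl and openssl are installed; the API key, if you want
# it checked, is exported as FORTANIX_API_KEY (name chosen for this example).

# Map a curl exit code plus HTTP status to one of the failure modes the page
# lists (port 443 blocked, untrusted root CA) or to "ok". HTTP status is "000"
# when curl never received a response.
classify_dsm_check() {
  local rc="$1" http="$2"
  case "$rc" in
    0)    if [ "$http" = "200" ]; then echo "ok"; else echo "unexpected-http-$http"; fi ;;
    6)    echo "dns-resolution-failed" ;;   # hostname does not resolve on this host
    7|28) echo "port-443-blocked" ;;        # refused or timed out: firewall/proxy rule
    35)   echo "tls-handshake-failed" ;;    # TLS protocol/cipher problem, before cert checks
    60)   echo "untrusted-ca" ;;            # server chain not trusted by the host trust store
    *)    echo "curl-error-$rc" ;;
  esac
}

# The check the page describes, with the result reduced to a classification.
check_dsm_endpoint() {
  local host="$1" http rc
  http=$(curl -sS -o /dev/null -w '%{http_code}' --connect-timeout 10 "https://${host}/")
  rc=$?
  classify_dsm_check "$rc" "$http"
}

# Print the subject/issuer of each certificate the server presents; compare the
# top issuer with the CAs in the database server trust store when the result
# is "untrusted-ca".
show_dsm_cert_chain() {
  local host="$1"
  openssl s_client -connect "${host}:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | grep -E '^ *[0-9]+ s:|^ *i:'
}

# Once transport works, confirm that the API key copied in Section 5.5 is
# accepted. The key is read from the environment rather than argv so it does
# not appear in process listings or shell history.
verify_api_key() {
  local host="$1" http
  if [ -z "${FORTANIX_API_KEY:-}" ]; then
    echo "api-key-missing"
    return 1
  fi
  # Assumption: DSM session auth is POST /sys/v1/session/auth with Basic auth.
  http=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
           -H "Authorization: Basic ${FORTANIX_API_KEY}" \
           "https://${host}/sys/v1/session/auth")
  if [ "$http" = "200" ]; then
    echo "api-key-ok"
  else
    echo "api-key-rejected-http-$http"
  fi
}

if [ $# -ge 1 ]; then
  result=$(check_dsm_endpoint "$1")
  echo "transport: $result"
  if [ "$result" = "untrusted-ca" ]; then
    show_dsm_cert_chain "$1"
  fi
  if [ "$result" = "ok" ] && [ -n "${FORTANIX_API_KEY:-}" ]; then
    verify_api_key "$1"
  fi
fi
```

Run it on each database node, not just one, since RAC nodes often sit behind different firewall rules. A "port-443-blocked" result is a network change request; an "untrusted-ca" result is fixed by importing the issuing root CA into the trust store the PKCS#11 library and curl consult on that host, never by disabling verification.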

7.0 References

For steps to integrate Fortanix DSM with Oracle TDE, refer to Using Fortanix DSM with Oracle TDE guide.