Using Hardware Security Module (HSM) for Oracle Transparent Data Encryption (TDE)

SCA-6000 PCIe Card

A Hardware Security Module (HSM) plays a critical role in securing the storage of private keys and accelerating the compute-intensive cryptographic processes associated with public-key encryption, symmetric-key (secret-key) encryption and digital signature applications. Using an HSM in Oracle Transparent Data Encryption applications ensures that the key material stored on the card is protected and not exportable (it never leaves the card) and that all associated cryptographic operations are performed on the card. Using an HSM in payment card transactions is critical, and it is mandatory for compliance with Payment Card Industry – Data Security Standard (PCI-DSS), Payment Application – Data Security Standard (PA-DSS) and Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements, as well as several government security standards.

Oracle Transparent Data Encryption

Oracle Transparent Data Encryption (TDE) was first introduced in Oracle Database 10gR2 as part of the Oracle Advanced Security option. TDE performs encryption and decryption of application table columns or entire application tablespaces. TDE uses standard algorithms and provides built-in key management services to support data encryption. Since Oracle Database 11gR1, TDE has supported HSMs through the PKCS#11 interface, both to provide centralized key management and to secure TDE's master encryption key.
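The following sketch shows what the HSM-backed key hierarchy looks like from the database side. It is an added example, not taken from the original post or the referenced whitepaper. The names `hsm_user`, `hsm_password`, `payments`, `secure_ts` and the datafile path are hypothetical placeholders, and it assumes the vendor's PKCS#11 library is already installed for the database and that the release in use supports an HSM-held master key for both column and tablespace encryption.

```sql
-- Added example: placeholders (hsm_user, hsm_password, payments, secure_ts,
-- datafile path) are hypothetical and must be replaced with site values.
--
-- Prerequisite outside SQL: sqlnet.ora points TDE at the PKCS#11 keystore
-- instead of a software wallet file:
--   ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))

-- 1. Generate the TDE master encryption key inside the HSM. The credential
--    is the HSM user and password, not a wallet password.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password";

-- 2. After an instance restart the HSM session must be opened again before
--    encrypted data can be read or written.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_user:hsm_password";

-- 3. Check which keystore type is in use and whether it is open.
SELECT wrl_type, status FROM v$encryption_wallet;

-- 4. Column encryption: the table key is stored in the data dictionary,
--    wrapped by the master key held in the HSM.
CREATE TABLE payments (
  payment_id  NUMBER PRIMARY KEY,
  card_number VARCHAR2(19) ENCRYPT USING 'AES256',
  amount      NUMBER(12,2)
);

-- 5. Tablespace encryption: the tablespace key is likewise wrapped by the
--    master key.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 6. Audit what is actually encrypted, for compliance evidence.
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns;

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#;
```

Because the HSM credential appears in the statement text, run steps 1 and 2 from a session whose command history and SQL tracing are not retained.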

Sun Cryptographic Accelerator 6000 (SCA-6000)

The Sun Crypto Accelerator 6000 is a PCI-E card that combines a cryptographic accelerator for Secure Sockets Layer (SSL) and IPSec sessions with the ability to act as a local HSM for performing secure key management functions. Qualified as a FIPS 140-2 Level 3 compliant device, the SCA-6000 PCI-E card is designed to prevent the disclosure or corruption of cryptographic keys, results, or other sensitive data. The SCA-6000 supports both Solaris and Linux environments.

The SCA-6000 is made available as an option in Oracle Key Manager Appliance.

Applied Scenarios

    • HSM-based secure key store and master key management for supporting encryption and decryption of the keys that perform the actual data encryption:
        • Encryption/decryption of tablespace keys and table keys
        • Encryption/decryption support for Oracle Data Pump utility
        • Encryption/decryption support for Oracle Recovery Manager (RMAN)
        • Master key backup and recovery
    • FIPS 140-2 Level 3 compliance
    • Acceleration of network encryption: SSL/TLS communication between the Oracle client and server
    • Offloading computationally intensive cryptographic operations to the accelerator

The Role of SCA-6000 as a HSM for Oracle TDE

If you would like the configuration details and are ready to test-drive the Sun Crypto Accelerator 6000 (SCA-6000) PCIe card with Oracle TDE, please download and read the following whitepaper (available from Sun Wiki).

