Pete Finnigan's Oracle Security Forum


    
      
        Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> 10g Oracle Wallet vs Key Management
        
(Message started by: Pete Finnigan on Nov 23^rd, 2005, 12:21am)

Title: 10g Oracle Wallet vs Key Management
Post by Pete Finnigan on Nov 23^rd, 2005, 12:21am

Does anyone know if Oralce provides hooks into the Transparent Data Encryption (TDE) so that we can plug in our own key management using an HSM?

I note that the Advanced Security Guide enables a new wallet to be created using PKCS #11. However, it looks like it just uses PKCS #11 to copy the key into Oracle's static wallet file. Is there a way to have it use PKCS #11 to retrieve the key each time it needs it and so not store it anywhere locally?

More usefully, is it possible to have Oracle delegate all encryption to the HSM itself? Ie. Instead of using its own encryption algorithms it would send the plain text to the HSM, and then have the HSM return the encrypted data. In this way the key never leaves the HSM.

Thanks again,

Anthony