This article is co-written by Prashant Mestri, Architect, IBM Security Guardium Key Lifecycle Manager Software, and Walid Rjaibi, IBM Distinguished Engineer & CTO, who discuss using IBM Security Guardium Key Lifecycle Manager with database-native TDE.
Managing encryption keys for database native Transparent Data Encryption
Transparent Data Encryption (TDE) is a technology used to encrypt data at the database level, so that the data is protected from unauthorized access. With TDE, the database encrypts data automatically before it is stored on disk, and decrypts it when it is accessed by authorized users or applications.
TDE uses a symmetric algorithm to encrypt the data, and the database manages the key hierarchy: data encryption keys are wrapped by a master key that is kept in a keystore outside the data files and is never exposed to users or applications. TDE protects data at rest only. Data files, redo and undo logs, temp files and backups are unreadable to anyone who obtains the storage media without the key, but a session that is authorized to query a table still receives plaintext. TDE therefore complements, rather than replaces, access controls and auditing.
Popular database management systems that support TDE
Transparent Data Encryption (TDE) is supported by several popular database management systems, as below:
1. IBM Db2: native encryption (Db2's TDE) is available from Db2 10.5 Fix Pack 5. The master key is held in a local PKCS#12 keystore or in a centralized key manager reached over KMIP.
2. Oracle Database: TDE column encryption has been a standard feature since Oracle Database 10g Release 2; tablespace encryption was added in 11g.
3. Microsoft SQL Server: TDE was introduced in SQL Server 2008 Enterprise Edition, has been included in every later release, and is also available in Standard Edition from SQL Server 2019.
4. PostgreSQL: there is no in-core TDE; it is available only through third-party builds and extensions.
5. MySQL: InnoDB data-at-rest encryption is built in from MySQL 5.7.11 (MariaDB has its own implementation from 10.1). The master key is held by a keyring plugin, so centralized key management depends on the keyring backend chosen: file-based in Community Edition; KMIP, HSM and cloud key managers in Enterprise Edition.
Challenges with TDE implementation
Each database has its own implementation of TDE. Most of them can interface with a Hardware Security Module (HSM) to protect the master encryption key that wraps the TDE data keys. The challenges of using an HSM for TDE key management are:
- Cost: HSMs are expensive to purchase, operate and maintain.
- Complexity: HSMs are complex to integrate, requiring specialized expertise to set up and configure.
- Scalability: HSMs may not scale easily to accommodate growing workloads, particularly when the volume of cryptographic operations grows sharply.
- Vendor lock-in: HSM interfaces are often proprietary to the vendor that sells them, which limits the organization's ability to switch to a different vendor or technology later. PKCS#11 narrows this gap but does not remove it, since key material in one HSM is normally not exportable to another.
How does Oracle TDE work?
Oracle Transparent Data Encryption (TDE) is a database-level encryption technology that helps protect sensitive data stored in Oracle databases. TDE encrypts sensitive data such as credit card numbers, social security numbers, and other personal information to prevent unauthorized access to that data.
TDE encrypts data at rest, that is, when it is written to disk. The encryption is transparent to applications that use the database, hence the name "Transparent Data Encryption". Data in memory and on the wire is outside its scope, and TDE does not restrict what an authenticated, authorized session can read; network encryption and access control remain separate concerns.
TDE uses the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys, which is the algorithm to choose; the legacy 3DES168 option remains for compatibility only. TDE can encrypt a whole tablespace or individual columns in a table.
With Oracle TDE each encrypted tablespace or column has its own data encryption key (DEK). Every DEK is wrapped (encrypted) with a single TDE master encryption key (MEK): a wrapped table key is stored in the data dictionary and a wrapped tablespace key in the tablespace header, while the MEK itself lives outside the data files in a keystore. Oracle supports two kinds of keystore: a software keystore (a password-protected wallet file, optionally auto-login) and an external keystore (an HSM or key manager reached through a PKCS#11 library, or Oracle Key Vault). Because every DEK is recoverable only through the MEK, protecting and backing up the keystore is the whole game: lose it and the data is unrecoverable; expose it and TDE is defeated.
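The key hierarchy described above, as an added example that is not from the article or from Oracle's own documentation: Oracle 19c SQL that creates a password-protected software keystore, encrypts one tablespace and one column, rotates the MEK and queries the views that confirm the state. The WALLET_ROOT path, the keystore password and the tablespace, table and datafile names are assumed for illustration.

```sql
-- Added example: Oracle 19c software keystore, TDE key hierarchy and MEK rotation.
-- Paths, passwords and object names are assumptions, not values from the article.

-- 1. Tell the database where the keystore lives (18c+ parameters).
--    WALLET_ROOT is static: restart the instance after setting it.
ALTER SYSTEM SET WALLET_ROOT = '/u01/app/oracle/admin/ORCL/wallet' SCOPE = SPFILE;
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

-- 2. Create, open and populate the software keystore. The keystore password is
--    all that separates a copied wallet file from the MEK: treat it as a root
--    credential and never leave it in shell history or scripts.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Ks-Pwd-Assumed-1";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Ks-Pwd-Assumed-1";
-- WITH BACKUP copies the wallet before the MEK changes; do not skip it.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Ks-Pwd-Assumed-1" WITH BACKUP;

-- 3a. Tablespace encryption: the tablespace key is generated here, wrapped by
--     the MEK and stored in the tablespace header, not in the keystore.
CREATE TABLESPACE pci_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/pci_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

-- 3b. Column encryption: the table key is wrapped by the MEK and stored in the
--     data dictionary. Only the PAN column is encrypted here.
CREATE TABLE app.card (
  id     NUMBER PRIMARY KEY,
  pan    VARCHAR2(19) ENCRYPT USING 'AES256',
  holder VARCHAR2(80)
) TABLESPACE users;

-- 4. Rotate the MEK. Only the wrapped DEKs are rewritten under the new MEK; the
--    data itself is not re-encrypted, so rotation is cheap and can be routine.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Ks-Pwd-Assumed-1" WITH BACKUP;

-- 5. Verify: keystore type and state, MEK versions, and encrypted tablespaces.
SELECT wrl_type, status, wallet_type, keystore_mode FROM v$encryption_wallet;
SELECT key_id, keystore_type, creation_time, activation_time
  FROM v$encryption_keys ORDER BY activation_time;
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#;
```

After step 4, v$encryption_keys lists two MEK versions; the older one must stay in the keystore (and in its backups) because any backup taken before the rotation can only be restored with it.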
Figure 1. Oracle TDE with HSM
IBM Security Guardium Key Lifecycle Manager
IBM Security Guardium Key Lifecycle Manager (GKLM) serves keys at the time of use from a protected, centralized location that stores the key materials. This is made possible by its support of proprietary and internationally standardized protocols for serving symmetric and asymmetric keys. Supported protocols include Key Management Interoperability Protocol (KMIP), IBM Proprietary Protocol (IPP) and Representational State Transfer (REST) which allow IBM Security GKLM to manage encryption keys for both IBM and non-IBM solutions. The solution also supports key management functions for Oracle TDE databases via the PKCS#11 standard. For organizations that want centralized control and policy-driven key management, IBM Security GKLM offers consolidated management of keys across domains and integrates well into most existing security-team methodologies.
IBM Security Guardium Key Lifecycle Manager and Oracle TDE
IBM Security GKLM acts as an external security module for Oracle TDE through the PKCS#11 API: GKLM provides a PKCS#11 library that is copied to the system where Oracle is installed, and the database loads that library in-process to reach the MEK held in GKLM. Because the library runs inside the database server's address space, obtain it only from IBM, verify it, and protect its directory with the same ownership and permissions as the Oracle binaries. The configuration details are in [1].
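The external-keystore switch, as an added example that is not from the article and not the GKLM-specific procedure in [1], which should be followed for the library name and credential format: Oracle 19c commands that move a database from the software keystore to a PKCS#11 external keystore, migrate the MEK into it, and verify the result. The library path, the vendor and version directory names and the credential string are assumptions.

```sql
-- Added example: migrating Oracle TDE from a software keystore to a PKCS#11
-- external keystore (HSM or key manager such as GKLM). All names are assumed.

-- 0. Prerequisite, done as the Oracle software owner outside SQL: Oracle loads
--    the vendor PKCS#11 library from the fixed layout
--    /opt/oracle/extapi/64/hsm/<VENDOR>/<VERSION>/<library>.so
--    (e.g. /opt/oracle/extapi/64/hsm/vendor_assumed/1.0/libpkcs11_assumed.so).
--    The directory tree must be owned by the Oracle software owner and must not
--    be writable by anyone else, since the library executes inside the database.

-- 1. Keep the software keystore open: migration re-wraps the DEKs with a new MEK
--    that is generated inside the external keystore, so both must be reachable.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Ks-Pwd-Assumed-1";

-- 2. Declare the external keystore as primary and the wallet as secondary.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE = BOTH;

-- 3. Open the external keystore. The IDENTIFIED BY string is the credential the
--    PKCS#11 provider expects (vendor-specific; GKLM's form is documented in [1]).
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm-credential-assumed";

-- 4. Migrate: create a new MEK in the external keystore and re-wrap every DEK.
--    Data is not re-encrypted. WITH BACKUP snapshots the wallet first.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "hsm-credential-assumed"
  MIGRATE USING "Ks-Pwd-Assumed-1"
  WITH BACKUP;

-- 5. Verify: two rows, the HSM keystore PRIMARY and OPEN, the wallet SECONDARY;
--    the newest MEK reports the external keystore type.
SELECT wrl_type, status, wallet_type, wallet_order FROM v$encryption_wallet;
SELECT key_id, keystore_type, activation_time
  FROM v$encryption_keys ORDER BY activation_time;

-- 6. Prove the round trip: a query through an encrypted column must still work,
--    and closing the external keystore must make it fail (ORA-28365), which is
--    the behaviour you want when the key manager is unreachable.
SELECT COUNT(*) FROM app.card;
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "hsm-credential-assumed";
SELECT COUNT(*) FROM app.card;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm-credential-assumed";
```

Do not delete the software wallet after the migration: it still holds the earlier MEK versions, and backups taken before step 4 can only be restored with them. Test the availability path as well: with the MEK in an external key manager, the database cannot open encrypted tablespaces at startup until that key manager is reachable, so GKLM's replication and network path become part of the database's availability design.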
Figure 2. Oracle TDE with GKLM
Benefits of using GKLM with Oracle TDE
The benefits of using IBM Security GKLM with Oracle TDE are the usual benefits of a software key management system over an HSM:
- Cost: HSMs are more expensive than a software key management system.
- Accessibility: a network key manager serves keys to databases in any data center or cloud over an authenticated TLS channel, where an HSM is tied to the host or site it is attached to. It should still be reachable only from the database hosts that need it, not from anywhere on the internet.
- Maintenance: HSM maintenance is complex and costly compared with a software key management system.
- Scalability: an HSM limits the number of keys it can store on board, whereas a software key management system scales with requirements.
The trade-off is that a software key manager protects keys in software; where policy mandates hardware protection, GKLM can itself use an HSM to protect its own master key (see [2]), so the two approaches are complementary rather than exclusive.
Conclusion
IBM Security® GKLM provides a simple solution to the complex problem of encryption key management. Encryption keys have their own lifecycles that are separate from the data that they protect. IBM Security GKLM helps you control key lifecycle processes from initialization and activation through rotation and deletion. The solution helps you simplify and automate manual tasks, which can reduce operational costs. IBM Security® GKLM is an enterprise solution for all encryption key needs that can help to centralize, simplify and automate encryption key management.
References
[1] IBM Security® Guardium® Key Lifecycle Manager for Oracle TDE: https://www.ibm.com/docs/en/sgklm/4.2?topic=administering-using-security-guardium-key-lifecycle-manager-as-oracle-transparent-data-encryption-tde-external-security-module
[2] IBM Security® Guardium® Key Lifecycle Manager Documentation: https://www.ibm.com/docs/en/sgklm/4.2
[3] IBM Security® Guardium® Key Lifecycle Manager Supported storage and non-storage devices: https://www.ibm.com/support/pages/ibm-security-guardium-key-lifecycle-manager-supported-storage-and-non-storage-devices
[4] IBM Security® Guardium® Key Lifecycle Manager how-to videos: https://www.securitylearningacademy.com/local/navigator/index.php?level=sklm001