Oracle Key Vault (OKV) centralizes key and secret management with enterprise-grade reliability and scalability for Oracle ecosystems and beyond. OKV is a software appliance that deploys as a fault-tolerant, multi-master cluster and can span across on-premises environments and any cloud. REST APIs enable automated key management for Oracle databases at scale.


Since the initial release of OKV 21, we’ve added significant capabilities that expand its use cases and strengthen your security posture. This blog walks through these new features and what they mean for your organization. 

Highlights from OKV 21.1 through 21.12 

  1. Multi-cloud clustering: Deploy OKV across OCI, Azure, AWS, Google Cloud, and on-premises. 
  2. Cloud database auto-enrollment: Auto-enroll databases across OCI and Cloud@Customer.
  3. TDE master key visibility: Identify databases that are overdue for key rotation. 
  4. Centralized SSH key governance: Securely store non-extractable private SSH keys for users in OKV and centrally manage, audit, and control access to SSH servers.
  5. Certificate policy: Monitor public-key algorithms, key lengths, and expiration dates for compliance. 
  6. Single Sign-On: Microsoft Entra ID and Active Directory Federation Services (AD FS) support.
  7. OKV cluster monitoring: Monitor OKV availability, incidents, key trends, and disk capacity with OEM 24ai.
  8. Integration accelerators: Pre-configured integration for encryption (DBMS_CRYPTO) and GoldenGate password management. 

 
These eight features represent a significant evolution in OKV’s capabilities, addressing critical gaps in multi-cloud key management, compliance monitoring, and operational efficiency. In the sections that follow, we’ll dive into each capability—explaining how it works, what problems it solves, and why it matters to your organization’s security posture.


1.    Multi-cloud clustering
OKV clusters can span OCI, Azure, AWS, Google Cloud, and on-premises data centers, adjacent to your databases. Keys and secrets synchronize across all environments from a single console. 
Why it matters: Unified governance and auditing across all environments—no silos. When migrating workloads between clouds, keys remain managed in one place, so customers don’t have to touch or move them.

2.    Cloud database auto-enrollment
You can register your OKV cluster (on-prem, in OCI, or any other cloud) as a “key management resource” in the OCI control system. This allows new database cloud services—such as ExaDB-D and ADB-D across OCI, Azure, AWS, Google Cloud, and Cloud@Customer—to automatically use encryption keys stored in your OKV cluster, enabling you to “Hold Your Own Key” (HYOK).
Why it matters: Encryption keys are governed from day one—no tickets, no handoffs, no migration.

3.    TDE master key visibility 
TDE key-status reports flag databases overdue or approaching key rotation thresholds, per NIST SP 800-57 Part 1 Rev. 5 guidelines.
Why it matters: Proactive TDE key rotation monitoring ensures compliance and helps prevents data breaches from compromised keys. Manual tracking across large database fleets is impractical.

4.    Centralized SSH key governance
SSH key sprawl creates compliance and security challenges with user private keys scattered across endpoints. OKV allows you to upload or generate private keys. Users no longer have custody of private keys.
Orphaned public keys on remote servers pose another risk. OKV enables remote server access control by centralizing SSH public keys. Administrators gain visibility into private key use and can centralize server access management. 
Why it matters: As users no longer have custody of private keys, they do not have to manage or secure them. Instead, an OKV administrator grants or revokes access rights to a non-extractable private key in OKV. Stolen laptops, compromised OS images, or ex-employees can’t expose credentials or enable lateral movement.

5.    Certificate policy
OKV monitors certificate algorithms and key lengths. It raises alarms when certificate lifetimes are nearing expiration or when certificates violate policies. C/Java SDKs can help automate registration, compliance checks, and expiration monitoring. 
Why it matters: Proactively identify certificates requiring rotation and spot non-compliant certificates with weak algorithms or insufficient key lengths.

6.    Single Sign-On Integration 
Many customers rely on centralized identity management to manage both their internal and external users. OKV integrates into these environments, ensuring that all OKV administrators and users are centrally managed using those identity providers. 
Why it matters: No need for local OKV accounts, as everything is governed by Active Directory Federation Services (AD FS) or Microsoft Entra ID.
 
7.    Cluster Monitoring
With OEM 24ai integration added in OKV 21.10, you can monitor OKV node availability, incidents, key trends, remaining free space in disk, and fast recovery area in a unified dashboard. 
Why it matters: Native OEM support integrates OKV monitoring into existing enterprise management workflows with alerts and drilldowns.

8.    Integration Accelerators 
Key Vault offers downloadable integration accelerators to speed up deployment in common scenarios: 

  • DBMS_CRYPTO key management: This helps database applications using the DBMS_CRYPTO package to manage their keys in OKV.
  • Oracle GoldenGate password management: This helps GoldenGate retrieve credentials from OKV at runtime (no hardcoding).

Why it matters: Faster time-to-value with pre-built integration templates instead of custom glue. 

Supported targets include: 


Databases: Oracle, MySQL.
Database deployment modes: Data Guard (per PDB), RAC, multi-tenant, globally distributed (sharded) databases. 
Database deployment types: Exadata, ExaDB-C@C, ADB-C@C, ExaDB-D, ADB-S, Database Appliance (ODA), conventional hardware, and as VM guests.
Secure Data Replication: Oracle GoldenGate. 
Storage and recovery: ZFS Storage Appliance, ZDLRA.
Server access with SSH: Private key governance and remote server access controls.
Custom applications: Leverage OKV’s C and Java SDKs for keys and secrets management for any application. 
Key Vault platforms: Virtual machine, conventional hardware, Database Appliance (ODA), and Compute Cloud@Customer to provide keys and secrets management.


Next Steps: 

Upgrading to OKV 21.12 isn’t just about new capabilities—each release includes critical security patches, customer-reported bug fixes, and performance improvements that strengthen your overall security posture. Because OKV’s multi-master architecture supports zero-downtime upgrades, you can stay current without disrupting production workloads.


Download OKV 21.12 for fresh installations.
Download the OKV 21.12 upgrade patch 38316671.


Try it yourself: 


Free LiveLab: TDE Key Management with Oracle Key Vault 
Free LiveLab: SSH Key Management with Oracle Key Vault