If managing encryption keys and secrets across hybrid and multi-cloud environments seems complex, Oracle Key Vault 21.11 is here to simplify that challenge—with powerful new features that improve security, automate compliance, and reduce downtime.

Oracle Key Vault 21.11 makes it easier to manage keys and secrets for Oracle databases, GoldenGate, and Exadata deployments—regardless of where they run. New capabilities include:

  • Multicloud key management for Exadata Database Service (ExaDB-D)
  • Monitoring certificate expiration and compliance
  • Monitoring fleet-wide TDE master key rotation
  • Centralized database account password management for Oracle GoldenGate 
  • Zero-downtime client library upgrades for Oracle Database 23ai
  • Simplified key transport for database relocation across Key Vault clusters

This release update also includes full-stack patching to address security and stability issues in the embedded operating system, database, and Key Vault application.

Multicloud key management for Exadata Database Service (ExaDB-D)

Enterprises running Exadata Database Service across different cloud service providers may need full control over their Transparent Data Encryption (TDE) keys. You can now use Oracle Key Vault as the external key store for Exadata Database Service (ExaDB-D) in OCI, Azure, AWS, and Google Cloud. This extends Key Vault’s existing support for ADB-S, ADB-D, ADB-C@C and ExaDB-C@C databases. Using Key Vault with your Oracle Cloud Databases gives you unified control and auditability for encryption keys—no matter where your Exadata workloads live—enabling regulatory compliance and operational consistency. 


Monitoring Certificate Expiry and Compliance

Expired or non-compliant certificates can expose your environment to avoidable risks. New certificate monitoring reports in Oracle Key Vault 21.11 highlight certificates expiring in 30, 60, or 90 days—and flag those that need attention quickly. Certificates may drift out of compliance, for example, when their lifetime exceeds a newly-defined shorter lifetime. With certificate monitoring, you can review such out-of-compliance certificates and take necessary action. You can also view the key sizes used for certificates to help verify they are policy compliant. 

[Figure: two pie charts displaying certificate key sizes and remaining lifetime]
Figure 1: New certificate report displays certificate key sizes and remaining lifetime.

Monitoring TDE master key rotation across the fleet

Periodically rotating encryption keys is critical, but it can be hard to track across a large database fleet. OKV 21.11 introduces a new report that lists active TDE master keys along with their activation time, helping you identify databases that haven’t generated a new key recently and are in violation of rotation policies—for example, the INVENTORY database in the image below:

[Figure: table of TDE master encryption keys]
Figure 2: Report identifying databases with aged TDE master keys.

Centralized database account password management for Oracle GoldenGate

Building on the earlier support for managing keys for encrypted GoldenGate trail files, Key Vault now centrally manages GoldenGate database passwords. This makes it easier to rotate passwords and prevent credential leakage.

[Figure: table displaying GoldenGate database account passwords]
Figure 3: Centralized view of database passwords used for GoldenGate accounts.

Zero-downtime client library upgrade for Oracle Database 23ai

Traditionally, upgrading the Key Vault PKCS#11 library on endpoint databases requires database restarts, leading to service interruptions. For example, on an Exadata machine, you would need to shut down all database instances running on the host to patch the PKCS#11 library. Key Vault 21.11 adds a new endpoint provisioning capability that enables Oracle Database 23ai to dynamically load an updated Key Vault PKCS#11 library with no restart required. You can apply upgrades on a per-database basis without taking systems offline, reducing operational friction.

Simplified key transport for database relocation across Key Vault clusters (Preview feature)

Some customers implement independent Key Vault clusters where each cluster serves an independent set of databases. For example, you might have one cluster for testing and one for production. Moving databases across different Key Vault clusters currently involves time-consuming manual steps to securely move encryption keys and associated secrets. Key Vault 21.11 introduces a streamlined method to transfer TDE master keys between Key Vault clusters. You can now simplify dev/test workflows and reduce the risk of key-handling errors during such database migrations.

Vulnerability fixes

Compared to Key Vault 21.10, the latest release update, Key Vault 21.11, incorporates fixes for reported vulnerabilities in underlying components:

  • Eight CVEs addressed in the embedded Oracle Database from the two Critical Patch Updates, April 2025 and January 2025.
  • Sixty-two CVEs addressed for the underlying components including Oracle APEX, Oracle REST Data Services (ORDS), Oracle Java SE, Oracle Autonomous Health Framework (AHF), and Oracle GoldenGate from the two Critical Patch Updates, April 2025 and January 2025.
  • CVE fixes for the embedded Oracle Linux 8.10 operating system.

Upgrade to Oracle Key Vault 21.11 today

Oracle strongly recommends that you upgrade existing deployments to Oracle Key Vault 21.11 for increased stability and security. Key Vault’s cluster architecture supports zero downtime for database targets during Key Vault cluster node upgrades.

For new installations, you can download Key Vault 21.11 from the Oracle Software Delivery Cloud. In addition, you can launch Key Vault 21.11 from the Oracle Cloud Marketplace in your OCI tenancy in minutes (watch “Click to Deploy”).

About Key Vault

Oracle Key Vault provides continuously available, fault-tolerant, and highly scalable, centralized key and secrets management for Oracle Database, MySQL, GoldenGate, ZFS Storage Appliance, ZDLRA, SSH, and custom applications. You can deploy Oracle Key Vault in Oracle Cloud Infrastructure (OCI), Microsoft Azure, Amazon AWS, Google Cloud, and on-premises on dedicated hardware or virtual machines.

Key Vault sets the standard for security, automation, scalability, and continuous availability with its software appliance form factor, fault-tolerant multi-master cluster architecture, hybrid deployment capability, and comprehensive RESTful APIs.

Oracle Key Vault 21, the third major release of Key Vault, simplifies the administration of keys and secrets for environments with many endpoints. It is the only purpose-built key management product designed to support the wide variety of Oracle Database deployment models, including Real Application Clusters (RAC), Data Guard, Globally Distributed (sharded) databases, Multitenant, and cloud databases.

For more information:

Visit the Key Vault product page at: https://www.oracle.com/security/database-security/key-vault
Test drive Key Vault 21.11 in the Oracle Key Vault LiveLabs workshop.