We are excited to announce the integration of AWS Key Management Service (KMS) with Exadata Database Service on Dedicated Infrastructure on Oracle Database@AWS. AWS KMS integration adds to Oracle’s key management options: Oracle Wallet, OCI Vault, and Oracle Key Vault. Customers can choose the key management solution that fits their security, operational, and compliance needs.

With this integration, customers can now centrally store and manage their Transparent Data Encryption (TDE) master encryption keys using AWS KMS, providing a unified key management solution for both applications and Oracle Databases. Support for AWS KMS customer managed keys – whether stored in the standard key store or in a CloudHSM key store – offers customers the choice and flexibility to meet their security and compliance requirements while benefiting from seamless interoperability between AWS KMS and Oracle Exadata Database Service. More information about the AWS KMS standard key store and the CloudHSM (custom) key store is available in the AWS documentation.

Key Benefits

  • Unified Key Management: Manage encryption keys for Oracle Databases and AWS-hosted applications with the same AWS KMS interface and policies. This simplifies operations and supports compliance.
  • Security and Compliance: Meet security and compliance obligations using AWS best practices for key ownership, isolation, and management. AWS KMS helps you satisfy data residency requirements and manage keys according to your organization’s policies—all within the AWS ecosystem.
  • Separation of Duties: DBAs manage the database without access to TDE master keys. This separation improves security and follows the principle of least privilege.

How It Works

Oracle relies on the PKCS#11 (Public-Key Cryptography Standards #11) library as the underlying cryptographic interface for managing TDE keys within Oracle Databases. PKCS#11 is an industry-standard API that defines a platform-independent interface for cryptographic tokens and hardware security modules, providing a consistent way to perform cryptographic operations and key management functions.

In the context of Oracle Database@AWS and Exadata Database Service VM Clusters, this PKCS#11 library implementation serves as the critical bridge between Oracle’s TDE encryption framework and external key management systems. The library provides the necessary software layer that allows Oracle Database to communicate seamlessly with AWS KMS for cloud-native key management, or with Oracle Wallet for traditional file-based key storage.

Once the Exadata Database Service VM Cluster is provisioned and granted access to AWS KMS, some or all databases in the cluster can use AWS KMS as the primary TDE key store. During database creation, select AWS Customer Managed Key as the key management option and choose your registered key to use for encryption. Existing databases can also be seamlessly transitioned from the Oracle Wallet to AWS KMS for TDE key management—no complicated reconfiguration needed.

Get Started in a Few Steps

  1. Create an AWS IAM role and configure the identity domain to allow that IAM role to be associated with Exadata VM Clusters
  2. Create and register an AWS KMS Customer Managed Key
  3. Enable AWS KMS integration for an Exadata Database Service VM Cluster and start using it for databases running on it
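The key policy that sits behind steps 1 and 2, as an added example that is not Oracle's or AWS's own code: a Python script that builds a least-privilege policy for the registered customer managed key and checks which principals it grants, illustrating the separation of duties described under Key Benefits. The account id, the role names and the set of KMS actions the VM cluster requires are assumptions; take the authoritative action list from the Oracle documentation.

```python
# Least-privilege AWS KMS key policy for the CMK registered in step 2.
# Added example, not Oracle's or AWS's code. Role names and the exact KMS
# actions the VM cluster needs are assumptions; see the Oracle documentation.
import fnmatch

ACCOUNT = "111122223333"                                        # constructed
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/kms-key-admin"       # hypothetical
CLUSTER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/exadata-kms-role"  # hypothetical

# Key usage the VM cluster needs to wrap and unwrap TDE master keys.
CLUSTER_ACTIONS = ["kms:Encrypt", "kms:Decrypt",
                   "kms:GenerateDataKey", "kms:DescribeKey"]
# Key lifecycle stays with a separate administrator role (no kms:Decrypt).
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]


def build_key_policy():
    """Policy that names only the two roles; no account-root statement,
    so a DBA principal gets no path to the TDE master key material."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": ADMIN_ROLE},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "ExadataVmClusterUsage", "Effect": "Allow",
             "Principal": {"AWS": CLUSTER_ROLE},
             "Action": CLUSTER_ACTIONS, "Resource": "*"},
        ],
    }


def is_allowed(policy, principal_arn, action):
    """Simplified check: an Allow statement names the principal and an action
    pattern matching `action` (Deny, conditions, IAM policies not modelled)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals:
            continue
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            return True
    return False
```

Because no account-root statement is present, IAM identity policies cannot grant further access to this key; keep the administrator role under change control, since deleting it leaves the key unmanageable without AWS Support.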

Learn More

For more details and step-by-step instructions, refer to the Oracle documentation.