This blog is co-authored with Gauri Gorhe, Senior Program Manager | Azure Solutions and Ecosystem
We’re excited to announce Azure Key Vault integration with Exadata Database Service on Oracle Database@Azure. Customers can now store and manage Transparent Data Encryption (TDE) keys, also known as master encryption keys (MEKs), in Azure Key Vault (AKV). This provides Azure customers with a unified key management solution for both applications and Oracle databases that supports AKV Standard, AKV Premium, and AKV Managed HSM options within Azure Key
Choose the Right Key Management Option
Oracle Database@Azure customers can now choose between AKV Standard, AKV Premium and AKV Managed HSM key management options tailored for different security, compliance, isolation and performance needs.
For more information on choosing the right Azure key management solution, please refer to this Microsoft article.

Benefits for Azure Customers
Oracle databases are encrypted, by default, using TDE on Oracle Database@Azure. Oracle offers multiple solutions for managing TDE keys and secrets: Oracle Wallet, OCI Vault, and Oracle Key Vault (OKV). Now, Azure Key Vault is also available for managing TDE keys and consolidates key operations into a single, intuitive interface for Oracle Database@Azure. Customers can create, rotate, and store keys through a unified workflow that automatically enforces security policies and compliance requirements. Customers benefit from:
- Intuitive interface for vault and key management
- Comprehensive key rotation for both container and pluggable databases
- Easy transition of key management from Oracle Wallet to Azure Key Vault
Using Azure Key Vault with Exadata Database Service
An Exadata Database Service VM Cluster on Oracle Database@Azure can now natively connect with Azure Key Vault. Once connectivity is established and the VM Cluster is granted access to a vault, all databases within the cluster can use Azure Key Vault as the primary key store. During database creation, two key management options are available:
- Oracle Wallet (default): Stores the TDE key in a file-based wallet
- Azure Key Vault: Stores the TDE key in an Azure-managed vault
For the Azure Key Vault option, select the vault and key that the VM Cluster is authorized to use. Customers can also switch key management from a file-based wallet to an Azure-managed vault for an already provisioned Oracle database.

Summary
As modern enterprises increasingly span multiple cloud providers, unified key management has become a critical operational requirement. The Oracle Database@Azure native integration of Azure Key Vault for Exadata Database Service enables Azure customers to manage TDE keys using familiar Azure tools and workflows. Standardizing encryption key management across the entire technology stack with a unified framework encompassing both applications and Oracle databases helps customers streamline operations and benefit from both Oracle and the Azure ecosystem.

