If managing encryption keys and secrets across hybrid and multi-cloud environments seems complex, Oracle Key Vault 21.11 is here to simplify that challenge—with powerful new features that improve security, automate compliance, and reduce downtime.
Oracle Key Vault 21.11 makes it easier to manage keys and secrets for Oracle databases, GoldenGate, and Exadata deployments—regardless of where they run. New capabilities include:
This release update also includes full-stack patching to address security and stability issues in the embedded operating system, database, and Key Vault application.
Enterprises running Exadata Database Service across different cloud service providers may need full control over their Transparent Data Encryption (TDE) keys. You can now use Oracle Key Vault as the external key store for Exadata Database Service (ExaDB-D) in OCI, Azure, AWS, and Google Cloud. This extends Key Vault’s existing support for ADB-S, ADB-D, ADB-C@C and ExaDB-C@C databases. Using Key Vault with your Oracle Cloud Databases gives you unified control and auditability for encryption keys—no matter where your Exadata workloads live—enabling regulatory compliance and operational consistency.
Expired or non-compliant certificates can expose your environment to avoidable risks. New certificate monitoring reports in Oracle Key Vault 21.11 highlight certificates expiring in 30, 60, or 90 days—and flag those that need attention quickly. Certificates may drift out of compliance, for example, when their lifetime exceeds a newly-defined shorter lifetime. With certificate monitoring, you can review such out-of-compliance certificates and take necessary action. You can also view the key sizes used for certificates to help verify they are policy compliant.
Periodically rotating encryption keys is critical, but it can be hard to track across a large database fleet. OKV 21.11 introduces a new report that lists active TDE master keys along with their activation time, helping you identify databases that haven’t generated a new key recently and are in violation of rotation policies—for example, the INVENTORY database in the image below:
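The two compliance checks described above, the certificate report (30/60/90-day expiry windows, lifetimes that exceed a newly shortened policy, key sizes) and the TDE master key rotation report, as an added Python illustration of the logic such reports apply. This is not Oracle's or Key Vault's code; the record shapes, policy thresholds and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Fixed "current time" so the constructed sample evaluates deterministically.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)

EXPIRY_WINDOWS_DAYS = (30, 60, 90)   # the report's expiry buckets
MAX_CERT_LIFETIME_DAYS = 398         # assumed policy: a newly shortened max lifetime
MIN_KEY_BITS = 3072                  # assumed minimum key size policy
ROTATION_PERIOD_DAYS = 365           # assumed TDE master key rotation policy

@dataclass
class CertRecord:          # assumed shape of one certificate entry
    subject: str
    not_before: datetime
    not_after: datetime
    key_bits: int

@dataclass
class MasterKeyRecord:     # assumed shape of one active TDE master key entry
    database: str
    activation_time: datetime

def expiry_bucket(cert: CertRecord, now: datetime = NOW) -> Optional[str]:
    """Smallest report window the certificate falls into, or None if beyond 90 days."""
    days_left = (cert.not_after - now).days
    if days_left < 0:
        return "expired"
    for window in EXPIRY_WINDOWS_DAYS:
        if days_left <= window:
            return f"expires within {window} days"
    return None

def certificate_findings(certs: List[CertRecord], now: datetime = NOW) -> List[Tuple[str, str]]:
    """Certificates that need attention: expiring, over the lifetime policy, or undersized keys."""
    findings = []
    for c in certs:
        lifetime = (c.not_after - c.not_before).days
        if lifetime > MAX_CERT_LIFETIME_DAYS:      # drifted out of compliance after policy change
            findings.append((c.subject, f"lifetime {lifetime}d exceeds policy {MAX_CERT_LIFETIME_DAYS}d"))
        if c.key_bits < MIN_KEY_BITS:
            findings.append((c.subject, f"key size {c.key_bits} below policy {MIN_KEY_BITS}"))
        bucket = expiry_bucket(c, now)
        if bucket is not None:
            findings.append((c.subject, bucket))
    return findings

def rotation_violations(keys: List[MasterKeyRecord], now: datetime = NOW) -> List[str]:
    """Databases whose active master key was activated before the rotation cutoff."""
    cutoff = now - timedelta(days=ROTATION_PERIOD_DAYS)
    return sorted(k.database for k in keys if k.activation_time < cutoff)

# Constructed sample records (not exported from any Key Vault instance).
CERTS = [
    CertRecord("okv-endpoint-db1", datetime(2025, 1, 1, tzinfo=timezone.utc), datetime(2025, 7, 20, tzinfo=timezone.utc), 3072),
    CertRecord("okv-legacy-app", datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2026, 1, 1, tzinfo=timezone.utc), 2048),
    CertRecord("okv-ggate", datetime(2025, 3, 1, tzinfo=timezone.utc), datetime(2025, 9, 15, tzinfo=timezone.utc), 4096),
]
MASTER_KEYS = [
    MasterKeyRecord("SALES", datetime(2025, 3, 15, tzinfo=timezone.utc)),
    MasterKeyRecord("INVENTORY", datetime(2023, 11, 2, tzinfo=timezone.utc)),
    MasterKeyRecord("HR", datetime(2024, 9, 10, tzinfo=timezone.utc)),
]
```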
Building on the earlier support for managing keys for encrypted GoldenGate trail files, Key Vault now centrally manages GoldenGate database passwords. This makes it easier to rotate passwords and prevent credential leakage.
Traditionally, Key Vault PKCS#11 library upgrades on the endpoint databases require database restarts, leading to service interruptions. For example, on an Exadata machine, you would need to shut down all database instances running on the host to patch the PKCS#11 library. Key Vault 21.11 adds a new endpoint provisioning capability that enables Oracle Database 23ai to dynamically load an updated Key Vault PKCS#11 library—no restart required. You can apply upgrades on a per-database basis without taking systems offline, reducing operational friction.
Some customers implement independent Key Vault clusters where each cluster serves an independent set of databases. For example, you might have one cluster for testing and one for production. Moving databases across different Key Vault clusters currently involves time-consuming manual steps to securely move encryption keys and associated secrets. Key Vault 21.11 introduces a streamlined method to transfer TDE master keys between Key Vault clusters. You can now simplify dev/test workflows and reduce the risk of key-handling errors during such database migrations.
Compared to Key Vault 21.10, the latest release update, Key Vault 21.11, incorporates fixes for reported vulnerabilities in underlying components:
Oracle strongly recommends that you upgrade existing deployments to Oracle Key Vault 21.11 for increased stability and security. Key Vault's cluster architecture supports zero downtime for database targets during Key Vault cluster node upgrades.
For new installations, you can download Key Vault 21.11 from the Oracle Software Delivery Cloud. In addition, you can launch Key Vault 21.11 from the Oracle Cloud Marketplace in your OCI tenancy in minutes (watch “Click to Deploy”).
Oracle Key Vault provides continuously available, fault-tolerant, and highly scalable centralized key and secrets management for Oracle Database, MySQL, GoldenGate, ZFS Storage Appliance, ZDLRA, SSH, and custom applications. You can deploy Oracle Key Vault in Oracle Cloud Infrastructure (OCI), Microsoft Azure, Amazon AWS, Google Cloud, and on-premises on dedicated hardware or virtual machines.
Key Vault sets the standard for security, automation, scalability, and continuous availability with its software appliance form factor, fault-tolerant multi-master cluster architecture, hybrid deployment capability, and comprehensive RESTful APIs.
Oracle Key Vault 21, the third major release of Key Vault, simplifies the administration of keys and secrets for environments with many endpoints. It is the only purpose-built key management product designed to support the wide variety of Oracle Database deployment models, including Real Application Clusters (RAC), Data Guard, Globally Distributed (sharded) databases, Multitenant, and cloud databases.
Visit the Key Vault product page at: https://www.oracle.com/security/database-security/key-vault
Test drive Key Vault 21.11 in the Oracle Key Vault LiveLabs workshop.
Peter Wahl is the Senior Principal Product Manager for Oracle Database Transparent Data Encryption and Oracle Key Vault and has over 25 years of experience in various security areas. Peter has also been a member of the Oracle field engineering team, working with some of the largest Oracle Database customers. Peter is a certified Oracle Cloud Infrastructure Architect Associate and holds a Master’s Degree in Electrical Engineering from the University of Applied Sciences in Ravensburg, Germany.