Oracle Key Vault 21.11 adds key management for Exadata Database Service and secrets management for Oracle GoldenGate

July 7, 2025 | 5 minute read
Peter Wahl
Senior Principal Product Manager - Database Encryption and Key Management

If managing encryption keys and secrets across hybrid and multi-cloud environments seems complex, Oracle Key Vault 21.11 is here to simplify that challenge—with powerful new features that improve security, automate compliance, and reduce downtime.

Oracle Key Vault 21.11 makes it easier to manage keys and secrets for Oracle databases, GoldenGate, and Exadata deployments—regardless of where they run. New capabilities include:

  • Multicloud key management for Exadata Database Service (ExaDB-D)
  • Monitoring certificate expiration and compliance
  • Monitoring fleet-wide TDE master key rotation
  • Centralized database account password management for Oracle GoldenGate 
  • Zero-downtime client library upgrades for Oracle Database 23ai
  • Simplified key transport for database relocation across Key Vault clusters

This release update also includes full-stack patching to address security and stability issues in the embedded operating system, database, and Key Vault application.

Multicloud key management for Exadata Database Service (ExaDB-D)

Enterprises running Exadata Database Service across different cloud service providers may need full control over their Transparent Data Encryption (TDE) keys. You can now use Oracle Key Vault as the external key store for Exadata Database Service (ExaDB-D) in OCI, Azure, AWS, and Google Cloud. This extends Key Vault’s existing support for ADB-S, ADB-D, ADB-C@C and ExaDB-C@C databases. Using Key Vault with your Oracle Cloud Databases gives you unified control and auditability for encryption keys—no matter where your Exadata workloads live—enabling regulatory compliance and operational consistency. 

Learn more here.

Monitoring certificate expiry and compliance

Expired or non-compliant certificates expose your environment to avoidable risk. New certificate monitoring reports in Oracle Key Vault 21.11 group certificates by remaining lifetime (expiring within 30, 60, or 90 days) so that the ones needing prompt attention stand out. Certificates can also drift out of compliance without expiring: for example, when the maximum permitted lifetime is tightened, certificates issued under the old, longer lifetime now exceed policy. Certificate monitoring lets you review such out-of-compliance certificates and take action. The report also shows the key size of each certificate, so you can verify that key sizes meet policy.

Figure 1: Two pie charts in the new certificate report showing certificate key sizes and remaining lifetime.
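The checks described above (remaining-lifetime buckets, lifetime exceeding a tightened policy, and minimum key size) are simple to reproduce for your own inventory. The following is an added example written for this page, not Oracle Key Vault code or its report schema: it runs the three checks over a constructed list of certificate metadata records. The record and policy field names, the 398-day maximum lifetime, and the sample subjects are assumptions chosen for illustration.

```python
"""Certificate expiry and compliance report over a constructed inventory.

Added example, not Oracle Key Vault code. It applies the kind of checks the
21.11 certificate report performs (30/60/90-day expiry buckets, lifetime
exceeding a tightened policy, key size) to constructed metadata records.
Field names and policy values are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    # Constructed metadata; field names are this example's, not an OKV schema.
    subject: str
    not_before: date
    not_after: date
    key_bits: int


@dataclass(frozen=True)
class CertPolicy:
    max_lifetime_days: int   # e.g. a newly tightened maximum validity period
    min_key_bits: int        # minimum RSA modulus size accepted by policy


def expiry_bucket(cert, today):
    """Return 'expired', '30', '60', '90' or 'ok' for a certificate."""
    remaining = (cert.not_after - today).days
    if remaining < 0:
        return "expired"
    for limit in (30, 60, 90):
        if remaining <= limit:
            return str(limit)
    return "ok"


def compliance_findings(cert, policy):
    """List the policy rules a certificate violates (empty list = compliant)."""
    findings = []
    lifetime = (cert.not_after - cert.not_before).days
    if lifetime > policy.max_lifetime_days:
        findings.append(f"lifetime {lifetime}d exceeds policy {policy.max_lifetime_days}d")
    if cert.key_bits < policy.min_key_bits:
        findings.append(f"key size {cert.key_bits} below minimum {policy.min_key_bits}")
    return findings


def certificate_report(certs, policy, today):
    """Build the report: rows sorted by urgency plus per-bucket counts."""
    rows = []
    buckets = {"expired": 0, "30": 0, "60": 0, "90": 0, "ok": 0}
    for cert in certs:
        bucket = expiry_bucket(cert, today)
        buckets[bucket] += 1
        rows.append({
            "subject": cert.subject,
            "days_remaining": (cert.not_after - today).days,
            "bucket": bucket,
            "key_bits": cert.key_bits,
            "findings": compliance_findings(cert, policy),
        })
    rows.sort(key=lambda r: r["days_remaining"])  # most urgent first
    return rows, buckets


# Constructed sample inventory (not real endpoints or certificates).
TODAY = date(2025, 7, 7)
SAMPLE_CERTS = [
    CertRecord("CN=okv-endpoint-hr", date(2024, 8, 1), date(2025, 7, 31), 2048),
    CertRecord("CN=okv-endpoint-fin", date(2023, 1, 1), date(2025, 12, 31), 2048),    # 3-year lifetime
    CertRecord("CN=okv-endpoint-legacy", date(2025, 1, 1), date(2025, 6, 30), 1024),  # expired, weak key
    CertRecord("CN=okv-endpoint-inv", date(2025, 6, 1), date(2026, 5, 31), 3072),
]
# Assumed policy: lifetime capped at 398 days, RSA keys of at least 2048 bits.
POLICY = CertPolicy(max_lifetime_days=398, min_key_bits=2048)

if __name__ == "__main__":
    rows, buckets = certificate_report(SAMPLE_CERTS, POLICY, TODAY)
    print("buckets:", buckets)
    for r in rows:
        flag = "; ".join(r["findings"]) or "compliant"
        print(f"{r['subject']:<24} {r['days_remaining']:>5}d  {r['bucket']:<7} "
              f"{r['key_bits']} bits  {flag}")
```

Note that the lifetime check is evaluated against the current policy rather than the policy in force at issuance, which is exactly how a certificate that was compliant when issued becomes a finding once the maximum lifetime is shortened.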

Monitoring TDE master key rotation across the fleet

Periodically rotating encryption keys is critical, but it can be hard to track across a large database fleet. OKV 21.11 introduces a new report that lists active TDE master keys along with their activation time, helping you identify databases that haven’t generated a new key recently and are in violation of rotation policies—for example, the INVENTORY database in the image below:
 

Table of TDE master encryption keys
Figure 2: Report identifying databases with aged TDE master keys.
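The rotation check behind such a report reduces to one rule per database: take the most recently activated master key and compare its activation time against the rotation interval. The following is an added example written for this page, not Oracle Key Vault code or its report format: it applies that rule to a constructed list of key records, including a database that has rotated more than once and a database with no key on record. The record layout, the database names (INVENTORY is reused from the figure above), and the 365-day interval are assumptions.

```python
"""Fleet-wide TDE master key age check over constructed report rows.

Added example, not Oracle Key Vault code. It applies the rotation check the
21.11 report supports (find databases whose newest active master key is older
than the rotation interval) to a constructed list of key records. The tuple
layout and names below are this example's own, not an OKV schema.
"""
from datetime import datetime, timedelta

# Constructed rows: (database name, key identifier, activation time).
# A database that has rotated several times has several keys; the newest
# activation time is what matters for rotation compliance.
SAMPLE_KEYS = [
    ("HR",        "key-hr-01",  datetime(2024, 1, 10)),
    ("HR",        "key-hr-02",  datetime(2025, 3, 2)),
    ("FINANCE",   "key-fin-01", datetime(2025, 6, 15)),
    ("INVENTORY", "key-inv-01", datetime(2023, 11, 20)),   # never rotated since
]
# Constructed fleet list; PAYROLL has no master key on record at all.
FLEET = ["HR", "FINANCE", "INVENTORY", "PAYROLL"]
NOW = datetime(2025, 7, 7)          # assumed report time
MAX_KEY_AGE_DAYS = 365              # assumed rotation policy


def newest_activation(keys):
    """Map database -> (key id, activation time) of its most recently activated key."""
    newest = {}
    for db, key_id, activated in keys:
        if db not in newest or activated > newest[db][1]:
            newest[db] = (key_id, activated)
    return newest


def rotation_report(fleet, keys, now, max_age_days):
    """Return {database: status} with status 'ok', 'stale' or 'no-key'.

    'no-key' is reported separately because a database with no master key on
    record is a data-collection problem, not merely an overdue rotation.
    """
    newest = newest_activation(keys)
    cutoff = now - timedelta(days=max_age_days)
    report = {}
    for db in fleet:
        if db not in newest:
            report[db] = "no-key"
        elif newest[db][1] < cutoff:
            report[db] = "stale"
        else:
            report[db] = "ok"
    return report


def stale_databases(fleet, keys, now, max_age_days):
    """Databases violating the rotation policy, oldest active key first."""
    newest = newest_activation(keys)
    report = rotation_report(fleet, keys, now, max_age_days)
    stale = [db for db, status in report.items() if status == "stale"]
    return sorted(stale, key=lambda db: newest[db][1])


if __name__ == "__main__":
    newest = newest_activation(SAMPLE_KEYS)
    for db, status in rotation_report(FLEET, SAMPLE_KEYS, NOW, MAX_KEY_AGE_DAYS).items():
        activated = newest[db][1].date() if db in newest else "-"
        print(f"{db:<10} newest key activated {activated!s:<10} {status}")
    print("rotate now:", stale_databases(FLEET, SAMPLE_KEYS, NOW, MAX_KEY_AGE_DAYS))
```

Tightening the interval (for example to 90 days) moves HR into the stale list as well, which is the same effect the fleet report has when a rotation policy is shortened.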

Centralized database account password management for Oracle GoldenGate

Building on the earlier support for managing keys for encrypted GoldenGate trail files, Key Vault now centrally manages GoldenGate database passwords. This makes it easier to rotate passwords and prevent credential leakage.

Table displaying GoldenGate database account passwords.
Figure 3: Centralized view of database passwords used for GoldenGate accounts.

Zero-downtime client library upgrade for Oracle Database 23ai

Traditionally, upgrading the Key Vault PKCS#11 library on endpoint databases requires a database restart, which interrupts service. On an Exadata machine, for example, you would need to shut down every database instance on the host to patch the library. Key Vault 21.11 adds a new endpoint provisioning capability that lets Oracle Database 23ai dynamically load an updated Key Vault PKCS#11 library with no restart. You can apply upgrades one database at a time without taking systems offline, reducing operational friction.

Simplified key transport for database relocation across Key Vault clusters (Preview feature)

Some customers run independent Key Vault clusters, each serving its own set of databases; for example, one cluster for testing and one for production. Until now, moving a database between clusters has required time-consuming manual steps to securely transfer its encryption keys and associated secrets. Key Vault 21.11 introduces a streamlined method to transfer TDE master keys between Key Vault clusters, simplifying dev/test workflows and reducing the risk of key-handling errors during such database migrations.

Vulnerability fixes

Compared with Key Vault 21.10, the latest release update, Key Vault 21.11, incorporates fixes for reported vulnerabilities in its underlying components:

  • Eight CVEs addressed in the embedded Oracle Database from the two Critical Patch Updates, April 2025 and January 2025.
  • Sixty-two CVEs addressed for the underlying components including Oracle APEX, Oracle Rest Data Services (ORDS), Oracle Java SE, Oracle Autonomous Health Framework (AHF), and Oracle GoldenGate from the two Critical Patch Updates, April 2025 and January 2025.
  • CVE fixes for the embedded Oracle Linux 8.10 operating system.

Upgrade to Oracle Key Vault 21.11 today

Oracle strongly recommends that you upgrade existing deployments to Oracle Key Vault 21.11 for increased stability and security. Key Vault's cluster architecture supports zero downtime for database targets during Key Vault cluster node upgrades.

For new installations, you can download Key Vault 21.11 from the Oracle Software Delivery Cloud. In addition, you can launch Key Vault 21.11 from the Oracle Cloud Marketplace in your OCI tenancy in minutes (watch “Click to Deploy”).

About Key Vault

Oracle Key Vault provides continuously available, fault-tolerant, and highly scalable, centralized key and secrets management for Oracle Database, MySQL, GoldenGate, ZFS Storage Appliance, ZDLRA, SSH, and custom applications. You can deploy Oracle Key Vault in Oracle Cloud Infrastructure (OCI), Microsoft Azure, Amazon AWS, Google Cloud, and on-premises on dedicated hardware or virtual machines.

Key Vault sets the standard for security, automation, scalability, and continuous availability with its software appliance form factor, fault-tolerant multi-master cluster architecture, hybrid deployment capability, and comprehensive RESTful APIs.

Oracle Key Vault 21, the third major release of Key Vault, simplifies the administration of keys and secrets for environments with many endpoints. It is the only purpose-built key management product designed to support the wide variety of Oracle Database deployment models, including Real Application Clusters (RAC), Data Guard, Globally Distributed (sharded) databases, Multitenant, and cloud databases.

For more information:

Visit the Key Vault product page at:  https://www.oracle.com/security/database-security/key-vault
Test drive Key Vault 21.11 in the Oracle Key Vault LiveLabs workshop.
 

Peter Wahl is the Senior Principal Product Manager for Oracle Database Transparent Data Encryption and Oracle Key Vault and has over 25 years of experience in various security areas. Peter has also been a member of Oracle field engineering team, working with some of the largest Oracle Database customers. Peter is a certified Oracle Cloud Infrastructure Architect Associate and holds a Master’s Degree in Electrical Engineering from the University of Applied Sciences in Ravensburg, Germany.
