
DB MEK Key Staying Within OKV Enhancement (Doc ID 2843972.1)

Last updated on FEBRUARY 01, 2022

Applies to:

Oracle Key Vault - Version 18.5.0.0 and later
Information in this document applies to any platform.

Goal

Up until 21.3, the database (endpoint) Master Encryption Keys (MEKs), which are stored in OKV, left the OKV server and were saved in the database (endpoint) memory (when Persistent Cache was turned ON). Databases were able to retrieve the DB MEK from DB memory and use it to decrypt/encrypt database TDE keys.

In the upcoming 21.4 version this functionality will be altered: the database (endpoint) MEKs will never leave OKV, and instead the database TDE keys will be sent to OKV to be decrypted/encrypted by the DB MEK. A couple of questions regarding this new functionality:

1. When the OKV servers are upgraded to 21.4, is it required to upgrade the endpoint software to 21.4 to take advantage of this new functionality? Can an older version of the endpoint software (18.5) still communicate with the 21.4 OKV server and take advantage of this new functionality without upgrading the endpoint software?

2. What impact would this have on performance, as it will probably increase traffic between the DB (endpoint) and the OKV servers?
 

Solution
