Using IBM Security Guardium Key Lifecycle Manager as the Oracle Transparent Data Encryption (TDE) external security module

Oracle TDE transparently encrypts data at rest in Oracle databases. The keys that encrypt individual table columns and tablespaces are themselves wrapped by the TDE master encryption key, which can be stored outside the database in an external security module. You can configure IBM Security Guardium Key Lifecycle Manager as that external security module, so the master key is held by the key manager rather than in a wallet file on the database host.

IBM Security Guardium Key Lifecycle Manager is a software keystore, but some Oracle versions require an external security module to be configured as an HSM. To interface with Oracle TDE, IBM Security Guardium Key Lifecycle Manager therefore provides a PKCS #11 library, which you can download from its graphical user interface; Oracle loads this library and treats the key manager as it would a hardware HSM.

System requirements for Oracle TDE configuration

Before you begin, ensure that your Oracle setup meets the following requirements:
  • Oracle is installed on a Linux x86_64 or Windows x86_64 operating system.
  • The minimum supported version is Oracle 12c.
  • On Windows, Microsoft Visual Studio C++ 2015 or a later version is installed.
  • On Windows, the Visual C++ runtime libraries are installed.

You can configure Oracle TDE against a stand-alone IBM Security Guardium Key Lifecycle Manager server. For more information, see Configuring Oracle Transparent Data Encryption (TDE). For high availability, configure Oracle TDE against a Multi-Master or replication setup instead, so that the master key remains reachable if one key manager instance is down. For more information, see Configuring Oracle TDE on a Multi-Master or replication setup.
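The following is an added example, not part of this IBM page, showing the Oracle-side commands a DBA runs once the PKCS #11 library has been installed so that TDE uses an HSM-type keystore. The wallet directory, the "user_id:password" credential, and the tablespace, datafile and table names are assumed placeholders; the credential that the IBM Security Guardium Key Lifecycle Manager library expects is described in the configuration topic referenced above, not here.

```sql
-- Added example (not from the IBM page or the product's own documentation).
-- All names and credentials below are assumed placeholders.

-- 1. Point Oracle at an HSM keystore instead of a wallet file.
--    Oracle 18c and later use WALLET_ROOT and TDE_CONFIGURATION:
ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/wallets/orcl' SCOPE = SPFILE;
-- (restart the instance so WALLET_ROOT takes effect, then:)
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM' SCOPE = BOTH;
--    Oracle 12c sets the same thing in sqlnet.ora instead:
--      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

-- 2. Open the HSM keystore. Oracle passes the credential to the PKCS #11
--    library in its "user_id:password" form (assumed values).
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFYING BY "tde_user:Sup3rSecretPIN";

-- 3. Create the TDE master encryption key inside the external security module.
--    Unlike a file wallet, no WITH BACKUP clause applies: the key manager holds it.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFYING BY "tde_user:Sup3rSecretPIN";

-- 4. Check before encrypting anything: WRL_TYPE must be HSM and STATUS OPEN.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- Confirm the master key is recorded with an HSM keystore type.
SELECT key_id, keystore_type, creation_time
  FROM v$encryption_keys;

-- 5. Encrypt a tablespace; its tablespace key is wrapped by the master key
--    that now lives in the external security module.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Column-level alternative for an existing table (assumed table and column).
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 6. Verify which tablespaces are encrypted and with which algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

Two practical checks: Oracle only finds a PKCS #11 library under its documented search path (`/opt/oracle/extapi/64/hsm/{VENDOR}/{VERSION}/` on Linux, `%SYSTEM_DRIVE%\oracle\extapi\64\hsm\{VENDOR}\{VERSION}\` on Windows), so the downloaded IBM library must be placed in a directory of that shape; the exact vendor and version directory names are not stated on this page. And if the key manager is unreachable when the database starts, the keystore stays CLOSED and every access to an encrypted tablespace fails, which is the operational reason to prefer the Multi-Master or replication setup mentioned above.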

For more information about Oracle TDE, see Using Transparent Data Encryption.