Key Vault

Secure key storage, management, and distribution

We engineered Oracle Key Vault to deliver performant, fault-tolerant, and flexible encryption key management for TDE, part of Oracle Advanced Security. Key Vault has been purpose-built to support all database deployment options, including Oracle Real Application Clusters (Oracle RAC); Oracle Data Guard, including Oracle Data Guard per pluggable database; globally distributed (sharded) databases; and Oracle Multitenant pluggable databases.

Key Vault scales to support highly consolidated workloads on engineered systems, such as Oracle Exadata, Oracle Exadata Database Service on Dedicated Infrastructure, Oracle Exadata Database Service in Azure, Oracle Exadata Database Service in AWS, and Oracle Exadata Database Service in Google Cloud.

Key Vault has been fully integrated into the database provisioning workflow of the following:

• Oracle Exadata Cloud@Customer
• Oracle Autonomous Database on Dedicated Exadata Infrastructure
• Oracle Autonomous Database on Exadata Cloud@Customer
• Autonomous Database Serverless

SSH key management

Oracle Key Vault delivers consolidated control over remote SSH server access using public key authentication. Exercise complete key governance of non-extractable private keys by generating and retaining SSH key pairs in Key Vault.

Blog: Simplify and secure SSH key management

Centralized secrets storage and distribution

Reduce complexity and strengthen security by centrally storing and delivering passwords, tokens, SSH keys, Java KeyStores, certificates, wallets, and other secrets to authorized users and servers.

Losing one of these secrets can be catastrophic. Key Vault helps mitigate that risk while maximizing availability and reducing management burden and deployment effort.

Scale without downtime

Continuously available multi-master cluster deployments support up to 16 fully replicated Key Vault nodes, each capable of read/write operations. Scale the cluster without downtime, support geographically distributed systems, and enable high levels of resource utilization with no idle standby servers. Clone cluster nodes from a Key Vault template, enabling node additions and removals with a few RESTful API calls.

Tested and certified

Oracle Key Vault works seamlessly throughout the Oracle ecosystem, with support for Oracle Database, Oracle MySQL, Oracle Exadata, Oracle RAC, Oracle Data Guard, sharded databases, GoldenGate encrypted trail files, and Oracle ZFS Storage Appliance. Key Vault supports KMIP-compatible databases, such as MongoDB. Key Vault addresses the demanding performance requirements of a busy IT stack, providing secure, centralized storage and management of keys and secrets in a highly available key management cluster.

Easy to deploy

Key Vault is available in the Oracle Cloud Marketplace, with prebuilt images to get you started in just a few minutes. Key Vault clusters offer fault-tolerant, continuous key management services to on-premises and multicloud database deployments. Key Vault nodes work seamlessly across environments, including on-premises data centers, Oracle Cloud, Microsoft Azure, and Amazon Web Services.

• Leverage Oracle Cloud’s resiliency by installing Key Vault cluster nodes into different availability domains within the same region or across different Oracle Cloud regions.
• Benefit from the flexible deployment options by increasing or decreasing the size of the OCI VM shape.
• Scale Key Vault to meet requirements by adding or removing nodes on-premises or in the cloud.

RESTful APIs

Key Vault provides RESTful APIs for cluster monitoring, database enrollment, and automation, allowing the management of large database deployments and reducing administration costs by eliminating the repetitive tasks of manual database registration. A refreshed management console with new dashboards and built-in reports allows administrators to quickly drill down into the various keys and secrets, along with the endpoints and their users.