3 Encryption Endpoints (Agents)
OKM supports a variety of encryption endpoints (also referred to as agents), such as:
- Encryption-capable tape drives
- Oracle Transparent Database Encryption (TDE) 11g and higher
- Oracle ZFS Storage Appliance
- Oracle Solaris 11 ZFS file systems
Potential Threats
Customers with encryption-enabled agents should be aware of the following potential threats:
- Disclosure of information in violation of policy
- Loss or destruction of data
- Unacceptable delay in restoring data in case of catastrophic failure (for example, in a business-continuity site)
- Undetected modification of data
Encryption Endpoint Tools
Encryption endpoint tools enable applications to obtain keys from an OKM cluster.
KMS PKCS#11 Provider
KMS PKCS#11 allows certain platforms to integrate with OKM.
A KMS PKCS#11 provider, known as pkcs11_kms, accompanies the Oracle Key Manager release.
- The Solaris version of the PKCS#11 provider is bundled with the Solaris operating system.
- The Linux version of the PKCS#11 provider is available for download from the My Oracle Support web page, and can be installed on the Oracle Enterprise Linux server.
The KMS PKCS#11 provider has the same security characteristics as other agents and authenticates with Oracle Key Manager appliances in the same way that they do.
The KMS PKCS#11 provider is available for the following platforms:
- Oracle Solaris 11
- Oracle Linux Server 5, 6, or 7
- Oracle Database 11g or 12c on a supported pkcs11_kms platform
- Oracle ZFS Storage Appliance running 2014.x or later
For more information about the KMS PKCS#11 provider, refer to the Oracle Key Manager 3 Installation and Administration Guide.