Oracle Key Vault is a full-stack software appliance that contains an operating system, database, and key-management application to help organizations store and manage their keys and credentials.
Administrators should deploy Key Vault in a secure location and typically do not need to access the internal components of the appliance for day-to-day operations. However, some patches and scenarios might require administrators to physically access the machine or to connect directly to the internal operating system via SSH.
When an HSM is deployed with Oracle Key Vault, the Root of Trust (RoT) remains in the HSM. The HSM RoT protects the wallet password, which protects the TDE master key, which in turn protects all the encryption keys, certificates, and other security artifacts managed by the Oracle Key Vault server. This mitigates the risk of administrators extracting keys and credentials from systems they can physically access. In this RoT usage scenario, the HSM does not store any customer encryption keys. Customer keys are stored and managed directly by the Oracle Key Vault server.
Utimaco CryptoServer is a hardware security module (HSM): a physically protected, specialized computer unit designed to securely perform sensitive cryptographic operations and to manage and store cryptographic keys and data.
This guide is part of the information and support provided by Utimaco. Additional documentation produced to support your Utimaco CryptoServer product can be found in the document directory of the Utimaco SecurityServer product bundle. All Utimaco CryptoServer product documentation is available from Utimaco’s web site at