To use HSM-based encryption, a Master Encryption Key (MEK) must be generated and securely stored within the Hardware Security Module (HSM). This key is the root for encrypting and decrypting Oracle database columns and tablespaces.
The HSM architecture clearly separates general database operations and cryptographic functions. This separation enables role-based access control, allowing database and security administrators to manage their responsibilities independently. For example, the keystore password can be withheld from the database administrator, requiring the security administrator to provide it when needed, thereby enhancing overall security.
Unlike software-based keystores, the HSM is a physical device that protects the MEK from unauthorized access. All cryptographic operations involving the MEK are executed within the secure boundaries of the HSM, ensuring that the key is never exposed to system memory or vulnerable software layers.
We have used Windows Server while performing this integration. The SQL commands use Windows-style paths; change the path according to the appropriate operating system.