Tracking the Opaque Object associated with the AES Key
This section explains how to track the Opaque object associated with an AES key for CAKM for Oracle TDE 8.14.0 and above. This helps you track and audit the mapping between the Opaque object and the AES key.
While creating or rotating a master encryption key in CAKM for Oracle TDE, Oracle creates two objects on CipherTrust Manager:
AES Key
Opaque object
What is an AES Key?
An AES key is a symmetric encryption key used by the Advanced Encryption Standard (AES) algorithm to protect sensitive data and to securely encrypt the Data Encryption Key (DEK).
What is an Opaque Object?
An opaque object refers to a securely stored, non-readable structure, such as encrypted keys or metadata blobs.
How to track?
You can identify the AES key associated with an opaque object through the ALIASES of that opaque object, and similarly, the opaque object can be identified through the ALIASES of the associated AES key.
If the name of the Opaque Object:
begins with ORACLE.SECURITY.KM.ENCRYPTION., then the corresponding AES key can be identified by the prefix LINK. in the respective ALIASES.
begins with ORACLE.SECURITY.KT.ENCRYPTION., then the corresponding AES key can be identified by the prefix LINK.KT. in the respective ALIASES.
begins with ORACLE.SECURITY.CL.ENCRYPTION., then the corresponding AES key can be identified by the prefix LINK.CL. in the respective ALIASES.
In the above example, you can identify the Opaque object associated with the AES Key through its ALIASES and similarly, the AES key can be identified through the ALIASES of the associated Opaque object.
Similarly, consider the Opaque Object ORACLE.SECURITY.KT.ENCRYPTION.303634344644463934364341394634463639424630463142453338319. You can identify the AES key associated with this opaque object through its ALIASES. In this case, the associated AES key is ORACLE.TDE.HSM.MK.0644FDF946CA9F4F69BF0F1BE381744329. Refer to the below image.
Important Points
For CAKM for Oracle TDE, version 8.11.0 to 8.13.0:
To identify the AES key associated with the Opaque object, convert the Hexadecimal value that follows ORACLE.SECURITY.KM.ENCRYPTION. to the corresponding ASCII text.
To identify the Opaque object associated with the AES key, convert the ASCII text that follows ORACLE.TDE.HSM.MK. to the corresponding Hexadecimal value.
Consider the Opaque Object ORACLE.SECURITY.KM.ENCRYPTION.<Hexadecimal value>. After converting the Hexadecimal value to the corresponding ASCII text, the respective AES key will be ORACLE.TDE.HSM.MK.<ASCII text>.
Example:
For the Opaque Object ORACLE.SECURITY.KM.ENCRYPTION.30363137343541453342444145343446344342464541423433324646313343364243, convert the Hexadecimal value (30363137343541453342444145343446344342464541423433324646313343364243) to ASCII text. The respective key will be ORACLE.TDE.HSM.MK.061745AE3BDAE44F4CBFEAB432FF13C6BC.
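The two mappings described on this page, as an added example for audit scripting (this is not Thales or CAKM code; the function names and the ValueError handling are my own): the hex/ASCII conversion for 8.11.0 to 8.13.0 in both directions, and the opaque-object prefix to ALIASES prefix lookup for 8.14.0 and above.

```python
"""Map CAKM for Oracle TDE opaque-object names to AES key names and back."""

# Name prefixes used by CAKM for Oracle TDE 8.11.0 to 8.13.0 (from the page)
OPAQUE_PREFIX = "ORACLE.SECURITY.KM.ENCRYPTION."
KEY_PREFIX = "ORACLE.TDE.HSM.MK."

# 8.14.0+: opaque-object name prefix -> alias prefix on the linked AES key (from the page)
ALIAS_PREFIX_BY_OPAQUE_PREFIX = {
    "ORACLE.SECURITY.KM.ENCRYPTION.": "LINK.",
    "ORACLE.SECURITY.KT.ENCRYPTION.": "LINK.KT.",
    "ORACLE.SECURITY.CL.ENCRYPTION.": "LINK.CL.",
}


def opaque_to_key_name(opaque_name: str) -> str:
    """8.11.0-8.13.0: decode the hex suffix of the opaque object into the AES key suffix."""
    if not opaque_name.startswith(OPAQUE_PREFIX):
        raise ValueError(f"not a KM opaque object name: {opaque_name}")
    hex_part = opaque_name[len(OPAQUE_PREFIX):]
    try:
        ascii_part = bytes.fromhex(hex_part).decode("ascii")
    except ValueError as exc:  # odd length, non-hex digit, or a byte outside ASCII
        raise ValueError(f"suffix is not hex-encoded ASCII: {hex_part!r}") from exc
    return KEY_PREFIX + ascii_part


def key_name_to_opaque(key_name: str) -> str:
    """8.11.0-8.13.0: hex-encode the AES key suffix to get the opaque object name."""
    if not key_name.startswith(KEY_PREFIX):
        raise ValueError(f"not a TDE master key name: {key_name}")
    ascii_part = key_name[len(KEY_PREFIX):]
    # The key suffix is plain ASCII text; its hex encoding is what appears in the opaque name.
    return OPAQUE_PREFIX + ascii_part.encode("ascii").hex().upper()


def alias_prefix_for_opaque(opaque_name: str) -> str:
    """8.14.0+: alias prefix to look for on the AES key linked to this opaque object."""
    for opaque_prefix, alias_prefix in ALIAS_PREFIX_BY_OPAQUE_PREFIX.items():
        if opaque_name.startswith(opaque_prefix):
            return alias_prefix
    raise ValueError(f"unrecognised opaque object name: {opaque_name}")


if __name__ == "__main__":
    # Worked example from the page (8.11.0 to 8.13.0 naming)
    opaque = OPAQUE_PREFIX + "30363137343541453342444145343446344342464541423433324646313343364243"
    print(opaque_to_key_name(opaque))   # ORACLE.TDE.HSM.MK.061745AE3BDAE44F4CBFEAB432FF13C6BC
    print(alias_prefix_for_opaque("ORACLE.SECURITY.KT.ENCRYPTION.example"))  # LINK.KT.
```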