Tracking the Opaque Object associated with the AES Key
This section explains how to track the Opaque object associated with the AES key in CAKM for Oracle TDE 8.14.0 and above. This lets you track and audit the mapping between the Opaque object and the AES key.
While rotating or creating a master key in CAKM for Oracle TDE, Oracle creates two objects on CipherTrust Manager:
AES Key
Opaque object
For more information on Opaque object and AES Key, click here.
How to track?
You can identify the key associated with an Opaque object through the Opaque object's ALIASES. Similarly, you can identify the Opaque object through the ALIASES of the associated key.
Consider an example where the Opaque object and the Key are created on CipherTrust Manager after rotating or creating a master key. Refer to the screen below.
In the above example, you can identify the Opaque object associated with the AES Key through the key's ALIASES, and the AES key through the ALIASES of the associated Opaque object.
Important Points
For CAKM for Oracle TDE 8.13.0 and below (up to 8.11.0):
To identify the key associated with the Opaque object, convert the Hexadecimal value preceded by ORACLE.SECURITY.KM.ENCRYPTION. to the corresponding ASCII text.
To identify the Opaque object associated with the Key, convert the ASCII text preceded by ORACLE.TDE.HSM.MK. to the corresponding Hexadecimal value.
Consider the Opaque Object, ORACLE.SECURITY.KM.ENCRYPTION.<Hexadecimal value>. So, after converting the Hexadecimal value to the corresponding ASCII text, the respective Key will be ORACLE.TDE.HSM.MK.<ASCII text>.
Example:
For Opaque Object, ORACLE.SECURITY.KM.ENCRYPTION.30363137343541453342444145343446344342464541423433324646313343364243, convert the Hexadecimal value (30363137343541453342444145343446344342464541423433324646313343364243) to ASCII text. So, the respective Key will be ORACLE.TDE.HSM.MK.061745AE3BDAE44F4CBFEAB432FF13C6BC.
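The conversion described above for CAKM for Oracle TDE 8.11.0 to 8.13.0, as an added Python example that is not part of the product documentation: it converts names in both directions and pairs up a list of object names, so keys or Opaque objects without a partner stand out during an audit. The function names and the last two sample names are made up for illustration, and upper-case hex output is an assumption.

```python
OPAQUE_PREFIX = "ORACLE.SECURITY.KM.ENCRYPTION."
KEY_PREFIX = "ORACLE.TDE.HSM.MK."
HEX_DIGITS = set("0123456789abcdefABCDEF")

def opaque_to_key(opaque_name):
    """Opaque object name -> AES key name (hex suffix decoded to ASCII)."""
    if not opaque_name.startswith(OPAQUE_PREFIX):
        raise ValueError("not an Opaque object name: " + opaque_name)
    hex_part = opaque_name[len(OPAQUE_PREFIX):]
    if not hex_part or len(hex_part) % 2 or not set(hex_part) <= HEX_DIGITS:
        raise ValueError("suffix is not whole hex bytes: " + hex_part)
    try:
        return KEY_PREFIX + bytes.fromhex(hex_part).decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("suffix is not ASCII text: " + hex_part) from exc

def key_to_opaque(key_name):
    """AES key name -> Opaque object name (ASCII suffix encoded as hex)."""
    if not key_name.startswith(KEY_PREFIX) or key_name == KEY_PREFIX:
        raise ValueError("not an AES key name: " + key_name)
    suffix = key_name[len(KEY_PREFIX):]
    # Assumption: hex is upper-case (the page's example contains digits only).
    return OPAQUE_PREFIX + suffix.encode("ascii").hex().upper()

def pair_objects(names):
    """Return ((key, opaque) pairs, names left without a partner)."""
    keys = {n for n in names if n.startswith(KEY_PREFIX)}
    pairs, unmatched = [], []
    for name in sorted(set(names) - keys):
        try:
            key = opaque_to_key(name)
        except ValueError:
            key = None  # malformed or unrelated name: report it
        if key in keys:
            pairs.append((key, name))
        else:
            unmatched.append(name)
    unmatched.extend(sorted(keys - {k for k, _ in pairs}))
    return pairs, unmatched

# First two names are the example from this page; the last two are constructed.
SAMPLE_NAMES = [
    "ORACLE.SECURITY.KM.ENCRYPTION.30363137343541453342444145343446344342464541423433324646313343364243",
    "ORACLE.TDE.HSM.MK.061745AE3BDAE44F4CBFEAB432FF13C6BC",
    "ORACLE.TDE.HSM.MK.CONSTRUCTED-ORPHAN-KEY",
    "ORACLE.SECURITY.KM.ENCRYPTION.3036ZZ",
]

if __name__ == "__main__":
    pairs, unmatched = pair_objects(SAMPLE_NAMES)
    print("paired:", pairs)
    print("needs review:", unmatched)
```

Names reported as needing review are either malformed or have no counterpart in the list supplied, which is the condition an audit of the key-to-object mapping looks for.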