Thales e-Security Blog

Database Encryption Key Management

Kristina Cairns
Kristina Cairns More About This Author >

Streamlining operations and improving security

Large data scale breaches have led an increasing number of companies to embrace comprehensive encryption strategies to protect their assets. According to our 2018 Global Encryption Trends Study, 43% of respondents report that their organization has an encryption strategy they apply across the enterprise, compared with 15% in 2005.

While the accelerated growth of encryption strategies is great news for data security, organizations must bear in mind that with any encryption-based security scheme, securing and managing keys is as important as the encryption itself.

Database Encryption Key Management

Microsoft SQL and Oracle Database Key Management Challenges

Microsoft SQL Server and Oracle Database solutions provide native transparent data encryption (TDE) that protect the data stored in their customers’ enterprise and cloud-hosted databases. As is intrinsic to any encryption scheme, however, managing the associated keys presents challenges such as separating them from the data they protect and storing them securely.

Encryption key management challenges multiply as organizations use multiple databases for different purposes, each requiring dedicated key management to ensure that keys are properly stored, backed up and secured. With multiple database solutions each requiring their own encryption keys, management becomes more complex and exacerbates the risks of having keys lost or stolen.

Solutions for Transparent Database Encryption

With a dedicated centralized key management solution you can overcome these challenges. Benefits include:

  • Streamlined operations through centralized key management. Reduce costs and effort associated with managing encryption keys for disparate databases, and free up security teams to work on other priorities.
  • Stronger security by separating keys from databases. Ensure that keys are properly stored, backed up and secured in a separate location—an industry best practice.
  • Fulfill compliance mandates. Leverage FIPS-certified hardware and software solutions.

Thales eSecurity offers two solutions to support TDE applications: Vormetric Key Management in concert with the Vormetric Data Security Manager (DSM) and key management using nShield Hardware Security Modules (HSMs). Both offer the opportunity to expand your solutions to a wide set of applications; the option you choose to manage your TDE keys will depend largely on other functions you want to support with your Thales eSecurity solution.

How it Works

Thales key management solutions complement Microsoft SQL TDE by providing secure storage and management of the keys used in Microsoft’s database encryption scheme. Microsoft TDE encrypts the sensitive data in the SQL database using a database encryption key (DEK), and Thales interfaces with Microsoft Extensible Key Management (EKM) to store and manage the DEKs in the Vormetric DSM or nShield HSM.

The Vormetric Key Manager and nShield HSMs complement Oracle Database TDE by centrally storing and managing Oracle Database encryption keys. As a part of the Oracle Advanced Security TDE two-tier key architecture, Oracle Database uses master encryption key (MEKs) to encrypt the DEKs, which are used to encrypt columns and tablespaces within the databases. Thales key management solutions interface through the Oracle Wallet to protect and manage the MEKs within a secure FIPS-certified boundary.

Choosing the Right Solution

Picking the right solution for TDE applications will depend largely on other functions an organization wishes to support with their Thales eSecurity solution. For example, if a business plans to support a public key infrastructure (PKI) or needs an environment for secure code execution, they will likely choose an nShield solution. Alternatively, if the organization needs more comprehensive encryption such as database or files, Vormetric products will be the more suitable choice.

To learn more about how Thales eSecurity can help you simplify and strengthen key management for your enterprise database encryption solution download our TDE Key Management solution brief.