Oracle Key Vault (OKV) is a centralized key management appliance designed to securely store and manage Transparent Data Encryption (TDE) master keys, Oracle Wallets, Java KeyStores, SSH keys, and credentials. By moving keys off local servers, OKV reduces key sprawl, automates rotation, and enforces strict access policies across on-premises and multi-cloud environments.

1. Core Architecture

  • OKV Server: A hardened appliance (often deployed as a multi-master cluster) acting as the central repository for keys and policies.
  • Endpoints: Registered clients (Oracle Database, MySQL, GoldenGate, etc.) that authenticate to OKV to fetch keys.
  • Wallets (Virtual): Logical containers inside OKV used to group keys and secrets; access is granted per-endpoint.
  • Interfaces: Web UI, okv CLI, okvutil, REST APIs, and C/Java client SDKs.

2. Essential Commands and Examples

A. Endpoint and Wallet Management (okv CLI / REST)

Create a new endpoint (generate JSON template, edit, then apply):

# Generate the template (placeholders are filled in by hand)
okv admin endpoint create --generate-json-input > endpoint.json

# Populate endpoint.json, then create the endpoint from it
okv admin endpoint create --from-json endpoint.json

Create a virtual wallet:

okv manage-access wallet create --wallet ORA_DB_WALLET

Grant an endpoint access to a wallet. Use READ_ONLY unless the endpoint must create or rotate keys (a TDE database does, so it needs READ_AND_MODIFY); leave --manage FALSE so the endpoint cannot change the wallet's access list itself:

okv manage-access wallet add-access --wallet ORA_DB_WALLET --endpoint DBTDEOKV_DB --access READ_AND_MODIFY --manage FALSE

B. Migrating Local Keys to OKV (okvutil)

Use okvutil on the database host to upload a local wallet into OKV:

# Upload local wallet to OKV
$OKV_HOME/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/ORCL/wallet -g ORA_DB_WALLET

# The utility prompts for the source wallet password and the OKV endpoint password.
# Confirm the upload with: $OKV_HOME/bin/okvutil list -g ORA_DB_WALLET

C. Database Integration (SQL)

Set the database keystore configuration to prefer OKV:

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE=BOTH SID='*';

Migrate the TDE master key to OKV. The local software wallet must be open when this runs; WITH BACKUP takes a copy of the file wallet before the key is moved:

ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
    IDENTIFIED BY "okv_endpoint_pwd"
    MIGRATE USING "local_wallet_pwd" WITH BACKUP;

After verification (v$encryption_wallet should show an OKV row with STATUS = OPEN), switch to an OKV-only keystore. With OKV alone there is no local auto-login wallet, so the keystore has to be opened with the endpoint password after every instance restart; keep OKV|FILE if the local auto-login wallet is used to hold the OKV password (IDENTIFIED BY EXTERNAL STORE).

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=OKV" SCOPE=BOTH SID='*';
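The whole sequence from sections A to C as one script, added here as an example (it is not code from the page or from Oracle). It assumes the "#VALUE" / "#A|B" placeholder convention and option keys of the generated JSON template, the platform and endpoint type lists shown, the endpoint name DBTDEOKV_DB and wallet ORA_DB_WALLET from above, OKV_HOME pointing at the okvclient install, and sqlplus on PATH. Only the two helper functions run unless OKV_ONBOARD=1 is set, so the JSON rendering and its validation can be exercised with no OKV server present.

```shell
#!/bin/sh
# okv_onboard.sh: drive the endpoint -> wallet -> upload -> migrate sequence
# from sections A-C. Added example, not code from the page or from Oracle.
# Assumptions: the "#VALUE" / "#A|B" placeholder convention and the option
# names below mirror what `okv admin endpoint create --generate-json-input`
# emits; OKV_HOME points at the okvclient install; sqlplus is on PATH.
set -eu

# Return 0 if $2 is acceptable for placeholder $1: any non-empty string for
# the free-form "#VALUE", or one of the '|'-separated alternatives otherwise.
allowed_choice() {
  placeholder=$1; value=$2
  case "$placeholder" in
    '#VALUE') [ -n "$value" ] ;;
    '#'*)
      alts=${placeholder#?}                 # drop the leading '#'
      case "|$alts|" in
        *"|$value|"*) return 0 ;;
        *) return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Render endpoint.json from validated values. The allowed lists are the
# assumed template alternatives; a typo such as ORACLE_DBX or an empty
# field is rejected here instead of by the server.
render_endpoint_json() {
  name=$1; platform=$2; eptype=$3; email=$4
  allowed_choice '#VALUE' "$name"  || { echo "endpoint name is empty" >&2; return 1; }
  allowed_choice '#VALUE' "$email" || { echo "email is empty" >&2; return 1; }
  allowed_choice '#LINUX64|SOLARIS64|SOLARIS_SPARC|AIX|HPUX|WINDOWS' "$platform" \
    || { echo "unknown platform: $platform" >&2; return 1; }
  allowed_choice '#ORACLE_DB|ORACLE_NON_DB|ORACLE_ACFS|MYSQL_DB|OTHER' "$eptype" \
    || { echo "unknown endpoint type: $eptype" >&2; return 1; }
  printf '%s\n' \
    '{' \
    '  "service": {' \
    '    "category": "admin",' \
    '    "resource": "endpoint",' \
    '    "action": "create",' \
    '    "options": {' \
    "      \"endpoint\": \"$name\"," \
    '      "description": "Onboarded by okv_onboard.sh",' \
    "      \"email\": \"$email\"," \
    "      \"platform\": \"$platform\"," \
    "      \"type\": \"$eptype\"," \
    '      "unique": "FALSE",' \
    '      "strictIpCheck": "TRUE"' \
    '    }' \
    '  }' \
    '}'
}

# The full sequence. Only runs when OKV_ONBOARD=1 so the helpers above can
# be sourced and exercised without an OKV server present.
onboard() {
  ep=DBTDEOKV_DB; wallet=ORA_DB_WALLET
  render_endpoint_json "$ep" LINUX64 ORACLE_DB dba@example.com > endpoint.json
  okv admin endpoint create --from-json endpoint.json
  okv manage-access wallet create --wallet "$wallet"
  # READ_AND_MODIFY lets the database create and rotate master keys;
  # --manage FALSE keeps the endpoint from editing the wallet's own ACL.
  okv manage-access wallet add-access --wallet "$wallet" --endpoint "$ep" \
    --access READ_AND_MODIFY --manage FALSE
  "$OKV_HOME/bin/okvutil" upload -t WALLET \
    -l /u01/app/oracle/admin/ORCL/wallet -g "$wallet"
  # The local wallet must already be open before MIGRATE; the final SELECT
  # should show an OKV row with STATUS = OPEN.
  sqlplus -s '/ as sysdba' <<'EOF'
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE=BOTH SID='*';
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "okv_endpoint_pwd" MIGRATE USING "local_wallet_pwd" WITH BACKUP;
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
EOF
}

if [ "${OKV_ONBOARD:-0}" = 1 ]; then onboard; fi
```

Run it on the database host as `OKV_ONBOARD=1 sh okv_onboard.sh`; without the variable it only defines the helpers. The passwords in the SQL heredoc are placeholders from the page, not values to keep in a script: in practice read them from a prompt or a protected file rather than committing them.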

3. Tips and Best Practices

  • High availability: Deploy OKV as a multi-master cluster (recommended; up to 16 read/write nodes) across availability domains.
  • Auto-login for endpoints: pressing Enter at the endpoint password prompt during okvclient.jar installation creates a password-less (auto-login) endpoint whose credential is stored in cwallet.sso under the okvclient home. That allows unattended database restarts, but anyone who can read that file can fetch the endpoint's keys, so restrict its permissions to the database OS user and follow your security policy.
  • Network: allow TCP 5696 (KMIP) from every database host to every OKV cluster node, plus 443 for the web UI and REST interface.
  • Separation of duties: give the System Administrator, Key Administrator and Audit Manager roles to different people, so no single administrator both configures the appliance and controls the keys.
  • SSH key management: Use OKV for centralized SSH private key generation and controlled non-extractable access.