A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that all PII columns be transparently encrypted and that the encryption keys be stored in AWS CloudHSM. Which solution meets these requirements?
Oracle TDE provides transparent column encryption, and CloudHSM can serve as the hardware security module for key storage.
Why this answer
Option D is correct because Oracle TDE with CloudHSM integration allows transparent encryption and stores keys in CloudHSM. Option A is wrong because RDS Encryption uses KMS, not CloudHSM. Option B is wrong because Oracle Data Pump does not encrypt columns. Option C is wrong because RDS does not support custom encryption at the column level natively.