Thales CipherTrust Data Security Platform CAKM MCP Server
A Model Context Protocol (MCP) server for Database EKM/TDE operations using CipherTrust Application Key Management (CAKM).
š Features
- Resource-Based Management: Tools are organized by the database objects they manage (e.g., keys, encryption, wallets), not just by actions.
- Operational Grouping: Each tool exposes multiple
operations(e.g.,create,list,rotate) for comprehensive lifecycle management. - Unified Status & Auditing: A single tool (
status_tde_ekm) provides health, compliance, and configuration monitoring across all supported databases. - Advanced Oracle TDE Detection: Intelligent detection of Oracle TDE configurations including:
- HSM-only TDE: Direct HSM wallet usage
- HSM with Auto-login: Forward migrated configurations (HSM primary, auto-login secondary)
- FILE wallet TDE: Password-based software wallets
- FILE with Auto-login: Standard or reverse migrated configurations
- Migration Status Recognition: Automatically identifies forward/reverse migration states based on wallet order and types
- Database TDE Operations: Encrypt, decrypt, and manage TDE on multiple database types.
- CipherTrust Integration: Seamless integration with CipherTrust Manager via CAKM EKM.
- Multi-Database Support: SQL Server and Oracle Database.
- Key Rotation: Automated encryption key rotation with key management on Thales CipherTrust Manager.
š„ Watch Demo Video - See the MCP server in action managing database encryption
š Quick Start
Clone the Repository
# Clone the repository
git clone https://github.com/sanyambassi/thales-cdsp-cakm-mcp-server.git
cd thales-cdsp-cakm-mcp-serverInstallation
# Install dependencies
uv venv && source .venv/bin/activate # Linux/Mac
# uv venv && .venv\Scripts\activate # Windows
uv pip install -e .
# Configure (copy the example configuration)
# Note: Create your own .env file with database connection details
# See docs/PREREQUISITES.md for configuration examples
# Test connections
uv run python -m database_tde_server --test-connectionsUsage
# Start the MCP server
uv run python -m database_tde_serverš¦ Installing uv
This project uses uv to manage dependencies and run scripts. Please install it using one of the methods below.
Windows (PowerShell):
powershell -c "irm https://astral.sh/uv/install.ps1 | iex"Linux, macOS, and other shells:
curl -LsSf https://astral.sh/uv/install.sh | shFor more information, visit the uv installation guide.
š§ Available Tools
- Core Tools
list_database_connections(): Lists all configured database connections.
- Unified Status & Auditing
status_tde_ekm(): Provides a unified interface to monitor the health, configuration, and compliance of TDE across both SQL Server and Oracle.
- SQL Server Tools
manage_sql_ekm_objects(): Manages EKM providers, credentials, and their associated server logins.manage_sql_keys(): Manages the lifecycle of cryptographic keys (Asymmetric Master Keys and DEKs), including creation, listing, dropping, and rotation.manage_sql_encryption(): Encrypts or decrypts one or more SQL Server databases.
- Oracle Tools
manage_oracle_tde_deployment(): Handles high-level TDE deployment workflows like initial setup or migration to/from an HSM.manage_oracle_configuration(): Manages TDE-related database parameters.manage_oracle_wallet(): Performs all wallet-specific actions (open, close, backup, manage auto-login).manage_oracle_keys(): Manages the lifecycle of Master Encryption Keys (MEKs), including rotation and listing.manage_oracle_tablespace_encryption(): Manages the encryption and decryption of specific tablespaces.
š¤ AI Assistant Integration
Add to your AI assistant configuration:
Claude Desktop
{
"mcpServers": {
"database-tde": {
"command": "uv",
"args": ["run", "python", "-m", "database_tde_server"],
"cwd": "/path/to/cakm-mcp-server-sql-oracle",
"env": {
"DB_TDE_SERVER_NAME": "database-tde-mcp",
"DB_TDE_LOG_LEVEL": "INFO",
"DB_TDE_DATABASE_CONNECTIONS": "[{\"name\":\"prod_sql\",\"db_type\":\"sqlserver\",\"host\":\"sql-prod.company.com\",\"port\":1433,\"username\":\"tde_admin\",\"password\":\"secure_password\"},{\"name\":\"oracle_cdb1\",\"db_type\":\"oracle\",\"host\":\"oracle-prod.company.com\",\"port\":1521,\"username\":\"sys\",\"password\":\"oracle_password\",\"oracle_config\":{\"oracle_home\":\"/u01/app/oracle/product/21.0.0/dbhome_1\",\"oracle_sid\":\"cdb1\",\"service_name\":\"orcl\",\"mode\":\"SYSDBA\",\"wallet_root\":\"/opt/oracle/wallet\"},\"ssh_config\":{\"host\":\"oracle-prod.company.com\",\"username\":\"oracle\",\"private_key_path\":\"/path/to/private-key.pem\",\"port\":22,\"timeout\":30}}]"
}
}
}
}Cursor AI (mcp.json)
{
"mcpServers": {
"database-tde": {
"command": "uv",
"args": ["run", "python", "-m", "database_tde_server"],
"cwd": "/path/to/cakm-mcp-server-sql-oracle",
"env": {
"DB_TDE_SERVER_NAME": "database-tde-mcp",
"DB_TDE_LOG_LEVEL": "INFO",
"DB_TDE_DATABASE_CONNECTIONS": "[{\"name\":\"prod_sql\",\"db_type\":\"sqlserver\",\"host\":\"sql-prod.company.com\",\"port\":1433,\"username\":\"tde_admin\",\"password\":\"secure_password\"},{\"name\":\"oracle_cdb1\",\"db_type\":\"oracle\",\"host\":\"oracle-prod.company.com\",\"port\":1521,\"username\":\"sys\",\"password\":\"oracle_password\",\"oracle_config\":{\"oracle_home\":\"/u01/app/oracle/product/21.0.0/dbhome_1\",\"oracle_sid\":\"cdb1\",\"service_name\":\"orcl\",\"mode\":\"SYSDBA\",\"wallet_root\":\"/opt/oracle/wallet\"},\"ssh_config\":{\"host\":\"oracle-prod.company.com\",\"username\":\"oracle\",\"private_key_path\":\"/path/to/private-key.pem\",\"port\":22,\"timeout\":30}}]"
}
}
}
}Gemini CLI (settings.json)
{
"mcpServers": {
"database-tde": {
"command": "uv",
"args": ["run", "python", "-m", "database_tde_server"],
"cwd": "/path/to/cakm-mcp-server-sql-oracle",
"env": {
"DB_TDE_SERVER_NAME": "database-tde-mcp",
"DB_TDE_LOG_LEVEL": "INFO",
"DB_TDE_DATABASE_CONNECTIONS": "[{\"name\":\"prod_sql\",\"db_type\":\"sqlserver\",\"host\":\"sql-prod.company.com\",\"port\":1433,\"username\":\"tde_admin\",\"password\":\"secure_password\"},{\"name\":\"oracle_cdb1\",\"db_type\":\"oracle\",\"host\":\"oracle-prod.company.com\",\"port\":1521,\"username\":\"sys\",\"password\":\"oracle_password\",\"oracle_config\":{\"oracle_home\":\"/u01/app/oracle/product/21.0.0/dbhome_1\",\"oracle_sid\":\"cdb1\",\"service_name\":\"orcl\",\"mode\":\"SYSDBA\",\"wallet_root\":\"/opt/oracle/wallet\"},\"ssh_config\":{\"host\":\"oracle-prod.company.com\",\"username\":\"oracle\",\"private_key_path\":\"/path/to/private-key.pem\",\"port\":22,\"timeout\":30}}]"
}
}
}
}Architecture Overview
MCP Server ā Database Server ā CAKM Provider/Library ā CipherTrust ManagerNote: This MCP server communicates only with database servers. The CAKM providers installed on database servers handle all communication with CipherTrust Manager.
Oracle TDE Enablement Logic
The server uses Oracle-documented logic to determine TDE status based on wallet configurations and TDE parameters:
ā TDE is ENABLED when:
- Any wallet shows
OPENstatus AND Master Encryption Keys (MEKs) exist
š Wallet Order Types (from Oracle V$ENCRYPTION_WALLET):
- SINGLE: Only one wallet type configured
- PRIMARY: Primary wallet in a dual-wallet configuration
- SECONDARY: Secondary wallet in a dual-wallet configuration
š§ TDE Configuration Parameter Values:
- FILE: TDE configured to use FILE wallets only
- HSM: TDE configured to use HSM wallets only
- HSM|FILE: TDE configured with HSM as primary, FILE as secondary
- FILE|HSM: TDE configured with FILE as primary, HSM as secondary
š Supported TDE Scenarios:
- HSM-only TDE: HSM wallet OPEN (SINGLE), TDE_CONFIGURATION=HSM
- HSM with Auto-login (Migrated): HSM wallet OPEN (PRIMARY), auto-login wallet OPEN (SECONDARY), TDE_CONFIGURATION=HSM|FILE
- HSM with Auto-login (Not Migrated): HSM wallet OPEN (PRIMARY), auto-login wallet OPEN_NO_MASTER_KEY (SECONDARY), TDE_CONFIGURATION=HSM|FILE
- FILE wallet TDE: PASSWORD wallet OPEN (SINGLE), TDE_CONFIGURATION=FILE
- FILE with Auto-login (Reverse Migrated): PASSWORD wallet OPEN (PRIMARY), auto-login wallet OPEN (SECONDARY), TDE_CONFIGURATION=FILE|HSM
- FILE with Auto-login: PASSWORD wallet OPEN (PRIMARY), auto-login wallet OPEN (SECONDARY), TDE_CONFIGURATION=FILE
š Migration Detection Logic:
- Forward Migration: HSM becomes PRIMARY (HSM|FILE configuration) ā Database migrated from FILE to HSM
- Reverse Migration: FILE becomes PRIMARY (FILE|HSM configuration) ā Database migrated from HSM back to FILE
- WALLET_ORDER and TDE_CONFIGURATION are correlated to determine the migration state
š Status Information:
- TDE configuration parameters validate the expected wallet hierarchy
- Wallet order and TDE_CONFIGURATION together determine the deployment scenario
š§ Oracle TDE Operations Guide
The oracle_tde_deployment tool provides different operations for various TDE setup scenarios:
Operation Types & Use Cases
1. HSM-Only TDE Setup (No Auto-login)
{
"oracle_connection": "oracle_cdb2",
"operation": "setup_hsm_only",
"ciphertrust_username": "tdeuser",
"ciphertrust_password": "Thales123!",
"ciphertrust_domain": "TDE",
"auto_restart": true
}- Use when: "Skip auto-login wallet creation" or "HSM only"
- Creates: HSM keystore only
- Result: Manual wallet opening required after restarts
- No software_wallet_password needed
2. Complete TDE Setup (HSM + Auto-login)
{
"oracle_connection": "oracle_cdb2",
"operation": "setup_hsm_with_autologin",
"ciphertrust_username": "tdeuser",
"ciphertrust_password": "Thales123!",
"ciphertrust_domain": "TDE",
"software_wallet_password": "Thales123!",
"auto_restart": true
}- Use when: "Set up complete TDE with auto-login"
- Creates: HSM + software wallet + auto-login keystore
- Result: Database starts automatically without manual intervention
- Requires software_wallet_password
3. Add Auto-login to Existing TDE
{
"oracle_connection": "oracle_cdb2",
"operation": "add_autologin",
"ciphertrust_username": "tdeuser",
"ciphertrust_password": "Thales123!",
"ciphertrust_domain": "TDE",
"software_wallet_password": "Thales123!",
"auto_restart": true
}- Use when: Database has HSM TDE, want to add auto-login
- Creates: Software wallet + auto-login for existing HSM setup
- Requires software_wallet_password
4. Check TDE Status
{
"oracle_connection": "oracle_cdb2",
"operation": "get_tde_status"
}- Use when: Want to see current TDE configuration
- Returns: Comprehensive wallet and TDE status
- No credentials needed
Quick Reference
- "Skip auto-login" ā Use
setup_hsm_only - "Complete TDE setup" ā Use
setup_hsm_with_autologin - "Add auto-login to existing" ā Use
add_autologin - "Check what I have" ā Use
get_tde_status
š References:
Example Prompts
"Show me the TDE status of all my databases"
"For my 'prod_sql' connection, l
ā¦