> use a hsm and your keys don't end up lost, unless the hsm eats them.
> http://www.oracle.com/technetwork/database/security/hsms-for-oracle-tde-404784.html

Excellent piece of advice. We used HSMs from SafeNet to store the keys of our PKI's CA. These devices are not cheap, but if your organization is ISO 27001 or is expected to comply with several security regulations in your country, then they are quite inevitable.

Make sure you have two of them at the very least, because you will need one to test your procedures. And those procedures can be quite a challenge to put together. Well, actually I think the amount of paperwork related to these systems might even be bigger than the actual work required to get them up and running!

Have fun,
DA+