After enabling a TDE keystore to use an HSM, the DBA continues normal TDE database administration processes, such as backing up the TDE keystore independent of the database backup, pairing the TDE keystore backup with the database backups, and updating the TDE keystore to database hot standby and replicas.

The following sections describe tasks that a DBA may occasionally need to perform to maintain HSM security for keystores:

The DBA is not normally involved in managing the HSM product or the token upon which the TDE keystore depends. These tasks are managed by the HSM administrator or security administrator, as described in Coordinate HSM administration tasks.