We have started to research how pairing an HSM with Oracle 12c TDE works. We have struggled to find documentation stating where the exact cryptographic operations occur. As we understand the HSM would store the "master key" which is then used to decrypt the table space keys that are stored in Oracle. The Table Space keys are then used to decrypt the table space. Our question is geared towards whether the table space encryption occurs on the database or if all encryption/decryption would occur in the HSM. If the HSM is only used to decrypt the table space keys, then when do those operations occur? Do they occur when the database starts up or every time that a request is made to the database? We are trying to determine if pairing an HSM with Oracle TDE would cause serious performance issues and would just be good to know in general from security stand point.
Thanks for the help