Thales CipherTrust Data Security Platform CAKM MCP Server
A Model Context Protocol (MCP) server for Database EKM/TDE operations using CipherTrust Application Key Management (CAKM).
🔑 Features
Resource-Based Management: Tools are organized by the database objects they manage (e.g., keys, encryption, wallets), not just by actions.
Operational Grouping: Each tool exposes multiple operations (e.g., create, list, rotate) for comprehensive lifecycle management.
Unified Status & Auditing: A single tool (status_tde_ekm) provides health, compliance, and configuration monitoring across all supported databases.
Advanced Oracle TDE Detection: Intelligent detection of Oracle TDE configurations, including:
HSM-only TDE: Direct HSM wallet usage
HSM with Auto-login: Forward migrated configurations (HSM primary, auto-login secondary)
FILE wallet TDE: Password-based software wallets
FILE with Auto-login: Standard or reverse migrated configurations
Migration Status Recognition: Automatically identifies forward/reverse migration states based on wallet order and types
Database TDE Operations: Encrypt, decrypt, and manage TDE on multiple database types.
CipherTrust Integration: Seamless integration with CipherTrust Manager via CAKM EKM.
Multi-Database Support: SQL Server and Oracle Database.
Key Rotation: Automated encryption key rotation with key management on Thales CipherTrust Manager.
🎥 Watch Demo Video - See the MCP server in action managing database encryption
🚀 Quick Start
Clone the Repository
```bash
# Clone the repository
git clone https://github.com/sanyambassi/thales-cdsp-cakm-mcp-server.git
cd thales-cdsp-cakm-mcp-server
```
Installation
```bash
# Install dependencies
uv venv && source .venv/bin/activate   # Linux/Mac
# uv venv && .venv\Scripts\activate    # Windows
uv pip install -e .

# Configure (copy the example configuration)
# Note: Create your own .env file with database connection details
# See docs/PREREQUISITES.md for configuration examples

# Test connections
uv run python -m database_tde_server --test-connections
```
Usage
```bash
# Start the MCP server
uv run python -m database_tde_server
```
📦 Installing uv
This project uses uv to manage dependencies and run scripts. Install it using one of the methods below.
Windows (PowerShell):
```powershell
powershell -c "irm https://astral.sh/uv/install.ps1 | iex"
```
Linux, macOS, and other shells:
```bash
curl -LsSf https://astral.sh/uv/install.sh | sh
```
Both commands pipe a downloaded script straight into a shell. On a host that also runs or reaches production databases, download the installer first, review it, and then execute it. For more information, visit the uv installation guide.
🔧 Available Tools
Core Tools
list_database_connections(): Lists all configured database connections.
Unified Status & Auditing
status_tde_ekm(): Provides a unified interface to monitor the health, configuration, and compliance of TDE across both SQL Server and Oracle.
SQL Server Tools
manage_sql_ekm_objects(): Manages EKM providers, credentials, and their associated server logins.
manage_sql_keys(): Manages the lifecycle of cryptographic keys (Asymmetric Master Keys and DEKs), including creation, listing, dropping, and rotation.
manage_sql_encryption(): Encrypts or decrypts one or more SQL Server databases.
Oracle Tools
manage_oracle_tde_deployment(): Handles high-level TDE deployment workflows such as initial setup or migration to/from an HSM.
manage_oracle_configuration(): Manages TDE-related database parameters.
manage_oracle_wallet(): Performs all wallet-specific actions (open, close, backup, manage auto-login).
manage_oracle_keys(): Manages the lifecycle of Master Encryption Keys (MEKs), including rotation and listing.
manage_oracle_tablespace_encryption(): Manages the encryption and decryption of specific tablespaces.
🤖 AI Assistant Integration
Add the following entry to your AI assistant's MCP configuration. The same block works for Claude Desktop, Cursor AI (mcp.json), and Gemini CLI (settings.json); set "cwd" to the directory where you cloned the repository.
```json
{
  "mcpServers": {
    "database-tde": {
      "command": "uv",
      "args": ["run", "python", "-m", "database_tde_server"],
      "cwd": "/path/to/cakm-mcp-server-sql-oracle",
      "env": {
        "DB_TDE_SERVER_NAME": "database-tde-mcp",
        "DB_TDE_LOG_LEVEL": "INFO",
        "DB_TDE_DATABASE_CONNECTIONS": "[{\"name\":\"prod_sql\",\"db_type\":\"sqlserver\",\"host\":\"sql-prod.company.com\",\"port\":1433,\"username\":\"tde_admin\",\"password\":\"secure_password\"},{\"name\":\"oracle_cdb1\",\"db_type\":\"oracle\",\"host\":\"oracle-prod.company.com\",\"port\":1521,\"username\":\"sys\",\"password\":\"oracle_password\",\"oracle_config\":{\"oracle_home\":\"/u01/app/oracle/product/21.0.0/dbhome_1\",\"oracle_sid\":\"cdb1\",\"service_name\":\"orcl\",\"mode\":\"SYSDBA\",\"wallet_root\":\"/opt/oracle/wallet\"},\"ssh_config\":{\"host\":\"oracle-prod.company.com\",\"username\":\"oracle\",\"private_key_path\":\"/path/to/private-key.pem\",\"port\":22,\"timeout\":30}}]"
      }
    }
  }
}
```
Note that this configuration file then holds plaintext database credentials (in the sample above, the SQL Server login and the Oracle SYS password used for SYSDBA connections) plus the path to an SSH private key. Restrict the file's permissions to your own user, keep it out of version control, and replace the placeholder hosts, paths and passwords with your own.
Architecture Overview
MCP Server ↔ Database Server ↔ CAKM Provider/Library ↔ CipherTrust Manager
Note: This MCP server communicates only with database servers. The CAKM providers installed on database servers handle all communication with CipherTrust Manager.
Oracle TDE Enablement Logic
The server uses Oracle-documented logic to determine TDE status based on wallet configurations and TDE parameters:
✅ TDE is ENABLED when:
Any wallet shows OPEN status AND Master Encryption Keys (MEKs) exist
📊 Wallet Order Types (from Oracle V$ENCRYPTION_WALLET):
SINGLE: Only one wallet type configured
PRIMARY: Primary wallet in a dual-wallet configuration
SECONDARY: Secondary wallet in a dual-wallet configuration
🔧 TDE Configuration Parameter Values:
FILE: TDE configured to use FILE wallets only
HSM: TDE configured to use HSM wallets only
HSM|FILE: TDE configured with HSM as primary, FILE as secondary
FILE|HSM: TDE configured with FILE as primary, HSM as secondary
📊 Supported TDE Scenarios:
HSM-only TDE: HSM wallet OPEN (SINGLE), TDE_CONFIGURATION=HSM
HSM with Auto-login (Migrated): HSM wallet OPEN (PRIMARY), auto-login wallet OPEN (SECONDARY), TDE_CONFIGURATION=HSM|FILE
HSM with Auto-login (Not Migrated): HSM wallet OPEN (PRIMARY), auto-login wallet OPEN_NO_MASTER_KEY (SECONDARY), TDE_CONFIGURATION=HSM|FILE
FILE wallet TDE: PASSWORD wallet OPEN (SINGLE), TDE_CONFIGURATION=FILE
FILE with Auto-login (Reverse Migrated): PASSWORD wallet OPEN (PRIMARY), auto-login wallet OPEN (SECONDARY), TDE_CONFIGURATION=FILE|HSM
FILE with Auto-login: PASSWORD wallet OPEN (PRIMARY), auto-login wallet OPEN (SECONDARY), TDE_CONFIGURATION=FILE
🔍 Migration Detection Logic:
Forward Migration: HSM becomes PRIMARY (HSM|FILE configuration) → Database migrated from FILE to HSM
Reverse Migration: FILE becomes PRIMARY (FILE|HSM configuration) → Database migrated from HSM back to FILE
WALLET_ORDER and TDE_CONFIGURATION are correlated to determine the migration state
📋 Status Information:
TDE configuration parameters validate the expected wallet hierarchy
Wallet order and TDE_CONFIGURATION together determine the deployment scenario
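The detection rules above, applied in code, as an added example that is not part of the MCP server. It reads the four V$ENCRYPTION_WALLET columns the rules rely on (WRL_TYPE, STATUS, WALLET_TYPE, WALLET_ORDER), the TDE_CONFIGURATION parameter value, and a count from V$ENCRYPTION_KEYS, then reports whether TDE is enabled, which supported scenario the wallet hierarchy matches, and whether a forward or reverse migration is indicated. The SQL in the docstring is the standard Oracle query for those views; the snapshot rows at the bottom are constructed, not captured from a database, and the scenario labels are the ones used in this README.

```python
"""Classify an Oracle TDE deployment from V$ENCRYPTION_WALLET rows and TDE_CONFIGURATION.

Added example, not code from the MCP server. Inputs would normally come from:

    SELECT wrl_type, status, wallet_type, wallet_order FROM v$encryption_wallet;
    SELECT value FROM v$parameter WHERE name = 'tde_configuration';
    SELECT COUNT(*) FROM v$encryption_keys;

The sample snapshots below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class WalletRow:
    wrl_type: str      # FILE or HSM
    status: str        # OPEN, CLOSED, OPEN_NO_MASTER_KEY, NOT_AVAILABLE
    wallet_type: str   # PASSWORD, AUTOLOGIN, LOCAL_AUTOLOGIN, HSM, UNKNOWN
    wallet_order: str  # SINGLE, PRIMARY, SECONDARY


def keystore_configuration(tde_configuration: str) -> str:
    """Normalise the parameter: 'KEYSTORE_CONFIGURATION=HSM|FILE' -> 'HSM|FILE'."""
    value = (tde_configuration or "").strip().upper()
    if "=" in value:
        value = value.split("=", 1)[1]
    return value


def tde_enabled(rows: Iterable[WalletRow], mek_count: int) -> bool:
    """Enabled only when some wallet is OPEN and at least one MEK exists."""
    return mek_count > 0 and any(r.status == "OPEN" for r in rows)


def classify_tde(rows: List[WalletRow], tde_configuration: str, mek_count: int) -> Dict[str, object]:
    cfg = keystore_configuration(tde_configuration)
    primary: Optional[WalletRow] = next(
        (r for r in rows if r.wallet_order in ("SINGLE", "PRIMARY")), None)
    secondary: Optional[WalletRow] = next(
        (r for r in rows if r.wallet_order == "SECONDARY"), None)

    result: Dict[str, object] = {
        "tde_enabled": tde_enabled(rows, mek_count),
        "keystore_configuration": cfg,
        "scenario": "NOT CONFIGURED",
        "migration": "none",
    }
    if primary is None:
        return result

    if cfg == "HSM" and primary.wrl_type == "HSM":
        result["scenario"] = "HSM-only TDE"
    elif cfg == "HSM|FILE" and primary.wrl_type == "HSM" and secondary is not None:
        # HSM is PRIMARY. A secondary FILE wallet that is OPEN still holds keys,
        # so the database was migrated FILE -> HSM; OPEN_NO_MASTER_KEY means the
        # auto-login wallet was simply added to an HSM-first deployment.
        if secondary.status == "OPEN":
            result["scenario"] = "HSM with Auto-login (Migrated)"
            result["migration"] = "forward (FILE -> HSM)"
        else:
            result["scenario"] = "HSM with Auto-login (Not Migrated)"
    elif cfg == "FILE|HSM" and primary.wrl_type == "FILE":
        result["scenario"] = "FILE with Auto-login (Reverse Migrated)"
        result["migration"] = "reverse (HSM -> FILE)"
    elif cfg == "FILE" and primary.wrl_type == "FILE":
        result["scenario"] = "FILE with Auto-login" if secondary else "FILE wallet TDE"
    else:
        # Parameter and wallet hierarchy disagree: report it instead of guessing.
        result["scenario"] = (
            f"INCONSISTENT: primary wallet {primary.wrl_type} does not match "
            f"TDE_CONFIGURATION {cfg or 'NONE'}")
    return result


# Constructed snapshots (rows, TDE_CONFIGURATION value, MEK count), not real data.
SAMPLES = {
    "hsm_only": ([WalletRow("HSM", "OPEN", "HSM", "SINGLE")],
                 "KEYSTORE_CONFIGURATION=HSM", 1),
    "hsm_migrated": ([WalletRow("HSM", "OPEN", "HSM", "PRIMARY"),
                      WalletRow("FILE", "OPEN", "AUTOLOGIN", "SECONDARY")],
                     "KEYSTORE_CONFIGURATION=HSM|FILE", 2),
    "hsm_autologin_fresh": ([WalletRow("HSM", "OPEN", "HSM", "PRIMARY"),
                             WalletRow("FILE", "OPEN_NO_MASTER_KEY", "AUTOLOGIN", "SECONDARY")],
                            "HSM|FILE", 1),
    "hsm_closed": ([WalletRow("HSM", "CLOSED", "HSM", "SINGLE")], "HSM", 1),
    "mismatch": ([WalletRow("HSM", "OPEN", "HSM", "SINGLE")], "FILE", 1),
}


def report(name: str) -> Dict[str, object]:
    rows, cfg, meks = SAMPLES[name]
    return classify_tde(rows, cfg, meks)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:20s} {report(sample)}")
```

The "hsm_closed" snapshot is the case a status check must not gloss over: the configuration is a valid HSM-only deployment, but with the wallet CLOSED no tablespace can be decrypted, so tde_enabled is False even though MEKs exist.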
🔧 Oracle TDE Operations Guide
The manage_oracle_tde_deployment tool provides different operations for the TDE setup scenarios below. The CipherTrust and wallet passwords in the payloads are placeholders; substitute your own and never commit real values.
Operation Types & Use Cases
1. HSM-Only TDE Setup (No Auto-login)
```json
{
  "oracle_connection": "oracle_cdb2",
  "operation": "setup_hsm_only",
  "ciphertrust_username": "tdeuser",
  "ciphertrust_password": "Thales123!",
  "ciphertrust_domain": "TDE",
  "auto_restart": true
}
```
Use when: "Skip auto-login wallet creation" or "HSM only"
Creates: HSM keystore only
Result: Manual wallet opening required after restarts
No software_wallet_password needed
2. Complete TDE Setup (HSM + Auto-login)
```json
{
  "oracle_connection": "oracle_cdb2",
  "operation": "setup_hsm_with_autologin",
  "ciphertrust_username": "tdeuser",
  "ciphertrust_password": "Thales123!",
  "ciphertrust_domain": "TDE",
  "software_wallet_password": "Thales123!",
  "auto_restart": true
}
```
Use when: "Set up complete TDE with auto-login"
Creates: HSM + software wallet + auto-login keystore
Result: Database starts automatically without manual intervention
Requires software_wallet_password
3. Add Auto-login to Existing TDE
```json
{
  "oracle_connection": "oracle_cdb2",
  "operation": "add_autologin",
  "ciphertrust_username": "tdeuser",
  "ciphertrust_password": "Thales123!",
  "ciphertrust_domain": "TDE",
  "software_wallet_password": "Thales123!",
  "auto_restart": true
}
```
Use when: Database has HSM TDE and you want to add auto-login
Creates: Software wallet + auto-login for existing HSM setup
Requires software_wallet_password
4. Check TDE Status
```json
{
  "oracle_connection": "oracle_cdb2",
  "operation": "get_tde_status"
}
```
Use when: You want to see the current TDE configuration
Returns: Comprehensive wallet and TDE status
No credentials needed
Quick Reference
"Skip auto-login" → Use setup_hsm_only
"Complete TDE setup" → Use setup_hsm_with_autologin
"Add auto-login to existing" → Use add_autologin
"Check what I have" → Use get_tde_status
Example Prompts
"Show me the TDE status of all my databases"
"For my 'prod_sql' connection, list all the asymmetric keys using the 'manage_sql_keys' tool"
"Rotate the master key on the 'Db05' database using the 'prod_sql' connection"
"Encrypt the 'SalesDB' database on my 'prod_sql' server"
"What is the wallet status for my 'oracle_cdb2' connection?"
Important Notes
Automatic Database Restarts: When specified in prompts (the auto_restart flag in the operation payloads above), MCP tools can automatically restart Oracle databases as part of TDE operations. A restart terminates every session on that instance, so only request it inside an approved maintenance window.
SSH Authentication: Oracle connections support both private key and password authentication:
Private key: Use "private_key_path": "/path/to/key.pem" in ssh_config
Password: Use "password": "your_ssh_password" in ssh_config (instead of private_key_path)
Supported Databases: Microsoft SQL Server and Oracle Database are supported
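A pre-flight check for the DB_TDE_DATABASE_CONNECTIONS value before it is pasted into an assistant configuration file, covering both the connection JSON shown in the AI Assistant Integration section and the SSH authentication options in the notes above. This is an added example, not part of the MCP server: the list of required fields is inferred from the sample configuration in this README and is an assumption rather than the server's own schema (check docs/PREREQUISITES.md), and the sample connection strings are constructed placeholders. It also provides a redacted copy safe to paste into a ticket or log, and a permissions check for the file that will hold the credentials.

```python
"""Validate and redact a DB_TDE_DATABASE_CONNECTIONS JSON string.

Added example, not code from the MCP server. Required fields are inferred from
the README sample configuration (an assumption, not the server's schema).
"""
import json
import os
import stat
from typing import Any, Dict, List

COMMON_FIELDS = ("name", "db_type", "host", "port", "username", "password")
ORACLE_CONFIG_FIELDS = ("oracle_home", "oracle_sid", "service_name", "mode", "wallet_root")
SSH_FIELDS = ("host", "username")


def validate_connections(raw: str) -> List[str]:
    """Return a list of problems; an empty list means the value looks usable."""
    try:
        conns = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"DB_TDE_DATABASE_CONNECTIONS is not valid JSON: {exc}"]
    if not isinstance(conns, list) or not conns:
        return ["expected a non-empty JSON array of connection objects"]

    problems: List[str] = []
    seen = set()
    for i, c in enumerate(conns):
        if not isinstance(c, dict):
            problems.append(f"connection[{i}]: not an object")
            continue
        name = c.get("name", f"connection[{i}]")
        if name in seen:
            problems.append(f"{name}: duplicate connection name")
        seen.add(name)
        problems += [f"{name}: missing {f!r}" for f in COMMON_FIELDS if f not in c]
        if c.get("db_type") not in ("sqlserver", "oracle"):
            problems.append(f"{name}: db_type must be 'sqlserver' or 'oracle'")
        if not isinstance(c.get("port"), int):
            problems.append(f"{name}: port must be an integer")
        if c.get("db_type") == "oracle":
            problems += _check_oracle(name, c)
    return problems


def _check_oracle(name: str, c: Dict[str, Any]) -> List[str]:
    problems: List[str] = []
    oc = c.get("oracle_config")
    if not isinstance(oc, dict):
        problems.append(f"{name}: oracle connections need an 'oracle_config' object")
    else:
        problems += [f"{name}: oracle_config missing {f!r}" for f in ORACLE_CONFIG_FIELDS if f not in oc]
    ssh = c.get("ssh_config")
    if not isinstance(ssh, dict):
        problems.append(f"{name}: oracle connections need an 'ssh_config' object")
    else:
        problems += [f"{name}: ssh_config missing {f!r}" for f in SSH_FIELDS if f not in ssh]
        # The README allows a private key or a password; one of them must be present.
        if not (ssh.get("private_key_path") or ssh.get("password")):
            problems.append(f"{name}: ssh_config needs private_key_path or password")
    return problems


def redact(raw: str) -> str:
    """Copy of the connection JSON with every 'password' value replaced."""
    def scrub(obj: Any) -> Any:
        if isinstance(obj, dict):
            return {k: ("***" if k == "password" else scrub(v)) for k, v in obj.items()}
        if isinstance(obj, list):
            return [scrub(v) for v in obj]
        return obj
    return json.dumps(scrub(json.loads(raw)))


def config_file_is_private(path: str) -> bool:
    """True when the file holding the credentials is readable by its owner only (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed samples mirroring the README shape; hosts and secrets are placeholders.
SAMPLE_OK = json.dumps([
    {"name": "prod_sql", "db_type": "sqlserver", "host": "sql-prod.company.com",
     "port": 1433, "username": "tde_admin", "password": "secure_password"},
    {"name": "oracle_cdb1", "db_type": "oracle", "host": "oracle-prod.company.com",
     "port": 1521, "username": "sys", "password": "oracle_password",
     "oracle_config": {"oracle_home": "/u01/app/oracle/product/21.0.0/dbhome_1",
                       "oracle_sid": "cdb1", "service_name": "orcl",
                       "mode": "SYSDBA", "wallet_root": "/opt/oracle/wallet"},
     "ssh_config": {"host": "oracle-prod.company.com", "username": "oracle",
                    "private_key_path": "/path/to/private-key.pem", "port": 22, "timeout": 30}},
])
SAMPLE_BAD = json.dumps([
    {"name": "oracle_cdb1", "db_type": "oracle", "host": "oracle-prod.company.com",
     "port": "1521", "username": "sys", "password": "oracle_password",
     "ssh_config": {"host": "oracle-prod.company.com", "username": "oracle"}},
])

if __name__ == "__main__":
    print("ok :", validate_connections(SAMPLE_OK))
    print("bad:", *validate_connections(SAMPLE_BAD), sep="\n  ")
    print(redact(SAMPLE_OK))
```

Run it against the exact string you intend to place in the assistant config, then call config_file_is_private on that file after saving; a connection that passes validation but sits in a group- or world-readable file still exposes the SYS password to every local user.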
📚 Documentation
Prerequisites - System requirements and setup
Testing Guide - Comprehensive testing procedures
Example Prompts - Ready-to-use testing prompts for SQL Server and Oracle
🤝 Contributing
Fork the repository
Create a feature branch
Make your changes
Add tests for new functionality
Ensure all tests pass
Submit a pull request
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.