Assigning Keys

This topic describes how to assign keys to supported resources and how to remove those key assignments when no longer needed.

Instead of using an encryption key that Oracle manages, you can assign master encryption keys that you manage to block or boot volumes, databases, file systems, buckets, and stream pools. Block Volume, Database, File Storage, Object Storage, and Streaming use the keys to decrypt the data encryption keys that protect the data that is stored by each respective service. By default, these services rely on Oracle-managed master encryption keys for cryptographic operations. When you remove a Vault master encryption key assignment from a resource, the service returns to using an Oracle-managed key for cryptography.

You can also assign master encryption keys to clusters that you create using Container Engine for Kubernetes to encrypt Kubernetes secrets at rest in the etcd key-value store.

For information about managing the creation and usage of master encryption keys and key versions, see Managing Keys. For information specifically about creating keys with your own key material, see Importing Keys and Key Versions. For information about how you can use keys in cryptographic operations, see Using Keys. For information about what you can do with vaults where you store keys, see Managing Vaults.

Required IAM Policy

Caution

Keys associated with volumes, buckets, file systems, clusters, and stream pools will not work unless you authorize Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming to use keys on your behalf. Additionally, you must also authorize users to delegate key usage to these services in the first place. For more information, see Let a user group delegate key usage in a compartment and Let Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming services encrypt and decrypt volumes, volume backups, buckets, file systems, Kubernetes secrets, and stream pools in Common Policies. Keys associated with databases will not work unless you authorize a dynamic group that includes all nodes in the DB system to manage keys in the tenancy. For more information, see Required IAM Policy in Creating and Managing Exadata Databases.

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

For administrators: for typical policies that give access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.

If you're new to policies, see Getting Started with Policies and Common Policies.
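For reference, the statements the Caution above refers to, written out for a single compartment. This is an added example, not text copied from Common Policies: the group, dynamic-group and compartment names, the key OCID and the compartment OCID are placeholders; the Object Storage service principal is region-specific (objectstorage-<region_identifier>); the cluster matching rule for the Container Engine dynamic group is given as I know it from the Container Engine documentation; and the lines starting with # are annotations, not policy syntax. Verify the service principal names against the current Common Policies and Details for the Vault Service before applying them.

```text
# Dynamic group OkeClusters (all clusters in the compartment), matching rule:
ALL {resource.type = 'cluster', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaaexample'}

# Let a user group delegate key usage in a compartment:
Allow group KeyAdmins to use key-delegate in compartment Prod where target.key.id = 'ocid1.key.oc1.phx.aaaaaaaaexample'

# Let Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming use the key:
Allow service blockstorage, objectstorage-us-phoenix-1, FssOc1Prod, oke, streaming to use keys in compartment Prod where target.key.id = 'ocid1.key.oc1.phx.aaaaaaaaexample'

# Let the clusters themselves reach the key for etcd secret encryption:
Allow dynamic-group OkeClusters to use keys in compartment Prod where target.key.id = 'ocid1.key.oc1.phx.aaaaaaaaexample'

# Database: the dynamic group that contains every node of the DB system
Allow dynamic-group ExaDbNodes to manage keys in tenancy
```

The `where target.key.id = '...'` condition limits each grant to the one key that the resources use rather than every key in the compartment, which is the least-privilege form; drop it only if the services genuinely need to use several keys. The database statement is as broad as the Caution states it; scope it no wider than the tenancy-level grant that Required IAM Policy in Creating and Managing Exadata Databases asks for.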

Using the Console

To assign a key to a new Object Storage bucket
  1. Open the navigation menu and click Storage. Under Object Storage, click Buckets.
  2. Under List Scope, in the Compartment list, choose the compartment where you want to create a bucket that's encrypted with a Vault service master encryption key.
  3. Click Create Bucket, and then follow the instructions in To create a bucket in Managing Buckets.

To assign a key to an existing Object Storage bucket
  1. Open the navigation menu and click Storage. Under Object Storage, click Buckets.
  2. Under List Scope, in the Compartment list, choose the compartment that contains the bucket that you want to encrypt with a Vault service master encryption key.
  3. From the list of buckets, click the bucket name.

  4. Do one of the following:

    • If the bucket already has a key assigned to it, next to Encryption Key, click Edit to assign a different key.
    • If the bucket does not already have a key assigned to it, next to Encryption Key, click Assign.
  5. Choose the vault compartment, vault, key compartment, and key.

  6. When you are finished, click Assign or Update, as appropriate.

To assign a key to a new Block Volume
  1. Open the navigation menu and click Storage. Under Block Storage, click Block Volumes.
  2. Under List Scope, in the Compartment list, choose the compartment where you want to create a block volume that's encrypted with a Vault service master encryption key.
  3. Click Create Block Volume, and then follow the instructions in Creating a Volume.

To assign a key to an existing Block Volume
  1. Open the navigation menu and click Storage. Under Block Storage, click Block Volumes.
  2. Under List Scope, in the Compartment list, choose the compartment that contains the block volume that you want to encrypt with a Vault service master encryption key.
  3. From the list of volumes, click the volume name.
  4. If the volume is currently attached to an instance, click Detach from Instance. Follow the instructions in the Detach Block Volume dialog box as appropriate, click Continue Detachment, and then click OK.
  5. Then, do one of the following:

    • If the volume already has a key assigned to it, next to Encryption Key, click Edit to assign a different key.
    • If the volume does not already have a key assigned to it, next to Encryption Key, click Assign.
  6. Choose the vault compartment, vault, key compartment, and key.

  7. When you are finished, click Assign or Update, as appropriate.

To assign a key to a new file system
  1. Open the navigation menu and click Storage. Under File Storage, click File Systems.
  2. Under List Scope, in the Compartment list, choose the compartment where you want to create a file system that's encrypted with a Vault service master encryption key.
  3. Click Create File System, and then follow the instructions in Creating File Systems.

To create a Compute instance with an encrypted boot volume
  1. Open the navigation menu and click Compute. Under Compute, click Instances.
  2. Under List Scope, in the Compartment list, choose the compartment where you want to create an instance with a boot volume that's encrypted with a Vault service master encryption key.
  3. Click Create Instance, and then follow the instructions in Launching an Instance.

To assign a key to an existing boot volume
Note

To assign a key to an existing boot volume, you must first detach the boot volume from any instance. However, you can only detach a boot volume from an instance when the instance is stopped. For more information, see Detaching a Boot Volume and Stopping and Starting an Instance.
  1. Open the navigation menu and click Storage. Under Block Storage, click Block Volumes. In the Block Storage menu on the sidebar, click Boot Volumes.
  2. Under List Scope, in the Compartment list, choose the compartment that contains the boot volume that you want to encrypt with a Vault service master encryption key.
  3. From the list of volumes, click the volume name.
  4. Do one of the following:

    • If the volume already has a key assigned to it, next to Encryption Key, click Edit to assign a different key.
    • If the volume does not already have a key assigned to it, next to Encryption Key, click Assign.
  5. Choose the vault compartment, vault, key compartment, and key.

  6. When you are finished, click Assign or Update, as appropriate.

To create a Kubernetes cluster with encrypted secrets in the etcd key-value store
Note

These instructions assume you have already followed the steps in Encrypting Kubernetes Secrets at Rest in Etcd and created:

  • a dynamic group including all clusters in the compartment
  • a suitable policy to give the dynamic group access to the master encryption key in Vault
  1. Open the navigation menu and click Developer Services. Under Containers, click Kubernetes Clusters (OKE).

  2. Under List Scope, in the Compartment list, choose the compartment where you want to create a Kubernetes cluster that has Kubernetes secrets encrypted with a Vault service master encryption key.
  3. Click Create Cluster, follow the instructions under Using the Console to create a Cluster with Explicitly Defined Settings in the 'Custom Create' workflow in Creating a Kubernetes Cluster, and select the Encrypt Using Customer-Managed Keys option.

To assign a key to a new stream pool
  1. Open the navigation menu and click Analytics & AI. Under Messaging, click Streaming.
  2. Under List Scope, in the Compartment list, choose the compartment where you want to create a stream pool that's encrypted with a Vault service master encryption key.
  3. Click Create Stream Pool, and then follow the instructions in To create a stream pool in Managing Stream Pools.

To change or remove the master encryption key assigned to an existing stream pool
  1. Open the navigation menu and click Analytics & AI. Under Messaging, click Streaming.
  2. Click Stream Pools.
  3. Click a stream pool to display the stream details page.
  4. In Stream Pool Information, next to Encryption Key, do one of the following:
    • To stop using an Oracle-managed key in favor of a Vault master encryption key that you manage, click Assign, select a vault and encryption key you have access to, and then click Assign.
    • To select a different Vault master encryption key that you manage, click Edit, select a vault and encryption key you have access to, and then click Update.
    • Click Unassign to remove the assigned Vault master encryption key and let Oracle manage the encryption key, and then click Unassign again to confirm the removal of the existing key assignment.

To remove a key assignment from a bucket
  1. Open the navigation menu and click Storage. Under Object Storage, click Buckets.
  2. Under List Scope, in the Compartment list, choose the compartment that contains the bucket from which you want to remove a Vault service key assignment.
  3. From the list of buckets, click the bucket name.
  4. Next to Encryption Key, click Unassign.

  5. In the Confirm dialog box, click OK to remove the key assignment from the bucket.

To remove a key assignment from a Block Volume
  1. Open the navigation menu and click Storage. Under Block Storage, click Block Volumes.
  2. Under List Scope, in the Compartment list, choose the compartment that contains the block volume from which you want to remove a Vault service key assignment.
  3. From the list of volumes, click the volume name.
  4. Next to Encryption Key, click Unassign.

  5. In the Confirm dialog box, click OK to remove the key assignment from the volume.

To remove a key assignment from a boot volume
  1. Open the navigation menu and click Storage. Under Block Storage, click Block Volumes. In the Block Storage menu on the sidebar, click Boot Volumes.
  2. Under List Scope, in the Compartment list, choose the compartment that contains the boot volume from which you want to remove a Vault service key assignment.
  3. From the list of volumes, click the volume name.
  4. Next to Encryption Key, click Unassign.

  5. In the Confirm dialog box, click OK to remove the key assignment from the volume.

To change a key assignment for a file system
  1. Open the navigation menu and click Storage. Under File Storage, click File Systems.
  2. Under List Scope, in the Compartment list, choose the compartment that contains the file system from which you want to remove or change a Vault service key assignment.
  3. From the list of file systems, click the file system name.
  4. Next to Encryption Key, click Edit.

  5. If you want to use Oracle-managed keys:

    • In Encryption Type, select Encrypt using Oracle-managed keys.
  6. If you want to assign a different customer-managed key: 

    • In Encryption Type, select Encrypt using customer-managed keys.
    • Choose the vault compartment, vault, key compartment, and key.
  7. When you are finished, click Save Changes.

To create an X7 or X8 Exadata DB system
Tip

Oracle recommends using the new Exadata Cloud Service resource model when provisioning a new service instance. The new resource model is compatible with all available Exadata shape families (X7, X8, and X8M).

The DB system resource described in this topic will be deprecated after a period where both resource models are supported. If you need to provision a service instance using the DB system resource model, you will be able to switch the instance to the new resource model. See To switch an Exadata DB system to the new Exadata resource model for more information. Customers with existing Exadata DB systems will be notified in advance regarding the deprecation of the DB system resource model.

  1. Open the navigation menu. Click Oracle Database, then click Bare Metal, VM, and Exadata.
  2. Click Create DB System.
  3. On the Create DB System page, provide the basic information for the DB system:

    • Select a compartment: By default, the DB system launches in your current compartment and you can use the network resources in that compartment.
    • Name your DB system: A friendly, display name for the DB system. The name doesn't need to be unique. An Oracle Cloud Identifier (OCID) will uniquely identify the DB system. Avoid entering confidential information.
    • Select an availability domain: The availability domain in which the DB system resides.
    • Select a shape type: The shape type you select sets the default shape and filters the shape options in the next field.

      When you select Exadata, you are asked if you would like to use the newer Exadata resource model that replaces the DB system resource with a cloud Exadata infrastructure resource and a cloud VM cluster. These resources are compatible with X7, X8, and X8M hardware generations. Click Continue Creating DB System if you do not want to use the new resource model.

    • Select a shape: The shape determines the type of DB system and the resources allocated to the system. To specify a shape other than the default, click Change Shape, and select an available shape from the list. See Exadata Fixed Hardware Shapes: X6, X7, X8 and Exadata Base for available shapes in Oracle Cloud Infrastructure.

      Note that the X8M shape is not available when using the DB system resource model.

    • Configure the DB system: Specify the following:

      • Total node count: The number of nodes in the DB system. The number depends on the shape you select.
      • Oracle Database software edition: The database edition supported by the DB system. Exadata DB systems only support Enterprise Edition - Extreme Performance.
      • CPU core count: The number of CPU cores for the DB system. The text below the field indicates the acceptable values for that shape. The core count is evenly divided across the nodes.

        You can increase the CPU cores to accommodate increased demand after you launch the DB system.

        For an X8 or X7 Exadata DB system, or an Exadata base system, you can specify zero (0) CPU cores when you launch the system. This provisions the system and immediately stops it. See Scaling CPU Cores Within an Exadata Cloud Service Instance for information about CPU core scaling and its impact on billing. Unless you are deliberately provisioning a stopped system (0 cores), Oracle recommends specifying at least 2 cores per node.

    • Configure storage: Specify the following:

      • Cluster Name: (Optional) A unique cluster name for a multi-node DB system. The name must begin with a letter and contain only letters (a-z and A-Z), numbers (0-9) and hyphens (-). The cluster name can be no longer than 11 characters and is not case sensitive. Avoid entering confidential information.
      • Storage Allocation: The configuration settings that determine the percentage of storage assigned to DATA, RECO, and optionally, SPARSE disk:
        • Database Backups on Exadata Storage: Select this option if you intend to perform database backups to the local Exadata storage within your Exadata DB system environment. If you select this option, more space is allocated to the RECO disk group, which is used to store backups on Exadata storage. If you do not select this option, more space is allocated to the DATA disk group, which enables you to store more information in your databases.
        • Create Sparse Disk Group: Select this configuration option if you intend to use snapshot functionality within your Exadata DB system environment. If you select this option, the SPARSE disk group is created, which enables you to use Exadata DB system snapshot functionality for PDB sparse cloning. If you do not select this option, the SPARSE disk group is not created and Exadata DB system snapshot functionality will not be available on any database deployments that are created in the environment.
        Important

        Creating a sparse disk group impacts the storage available for the ASM disk groups (DATA and RECO) and you cannot change the storage allocation configuration after you provision your DB system. For information about the percentage of storage that will be assigned to DATA, RECO, and SPARSE disk based on your configuration, see Storage Configuration. Similar information will display under the options in the Console dialog.

    • Add public SSH keys: The public key portion of each key pair you want to use for SSH access to the DB system. You can browse or drag and drop .pub files, or paste in individual public keys. To paste multiple keys, click + Another SSH Key, and supply a single key for each entry.
    • Choose a license type: The type of license you want to use for the DB system. Your choice affects metering for billing.

      • License Included means the cost of the cloud service includes a license for the Database service.
      • Bring Your Own License (BYOL) means you are an Oracle Database customer with an Unlimited License Agreement or Non-Unlimited License Agreement and want to use your license with Oracle Cloud Infrastructure. This removes the need for separate on-premises licenses and cloud licenses.
  4. Specify the network information:

    • Virtual cloud network: The VCN in which to launch the DB system. Click Change Compartment to select a VCN in a different compartment.
    • Client subnet: The subnet to which the Exadata DB system should attach. Click Change Compartment to select a subnet in a different compartment.

       Do not use a subnet that overlaps with 192.168.16.16/28, which is used by the Oracle Clusterware private interconnect on the database instance. Specifying an overlapping subnet causes the private interconnect to malfunction.

    • Backup subnet: The subnet to use for the backup network, which is typically used to transport backup information to and from Oracle Cloud Infrastructure Object Storage, and for Data Guard replication. Click Change Compartment to select a subnet in a different compartment, if applicable.

      Do not use a subnet that overlaps with 192.168.128.0/20. This restriction applies to both the client subnet and backup subnet.

      If you plan to back up databases to Object Storage, see the network prerequisites in Managing Exadata Database Backups.

    • Network Security Groups: Optionally, you can specify one or more network security groups (NSGs) for both the client and backup networks. NSGs function as virtual firewalls, allowing you to apply a set of ingress and egress security rules to your DB system. A maximum of five NSGs can be specified. For more information, see Network Security Groups and Network Setup for Exadata Cloud Service Instances.

      Note that if you choose a subnet with a security list, the security rules for the DB system will be a union of the rules in the security list and the NSGs.

      To use network security groups:

      • Check the Use Network Security Groups to Control Client Traffic check box. Note that you must have already selected a VCN to be able to assign NSGs to the client network.
      • Specify the NSG to use with the client network. You might need to use more than one NSG. If you're not sure, contact your network administrator.
      • To use additional NSGs with the client network, click + Another Network Security Group.
      • Check the Use Network Security Groups to Control Backup Traffic check box.
      • Specify the NSG to use with the backup network just as described previously for the client subnet.
    • Hostname prefix: Your choice of host name for the Exadata DB system. The host name must begin with an alphabetic character, and can contain only alphanumeric characters and hyphens (-). The maximum number of characters allowed for an Exadata DB system is 12.

      Important

      The host name must be unique within the subnet. If it is not unique, the DB system will fail to provision.
    • Host domain name: The domain name for the DB system. If the selected subnet uses the Oracle-provided Internet and VCN Resolver for DNS name resolution, this field displays the domain name for the subnet and it can't be changed. Otherwise, you can provide your choice of a domain name. Hyphens (-) are not permitted.

      If you plan to store database backups in Object Storage, Oracle recommends that you use a VCN Resolver for DNS name resolution for the client subnet because it automatically resolves the Swift endpoints used for backups.

    • Host and domain URL: Combines the host and domain names to display the fully qualified domain name (FQDN) for the database. The maximum length is 64 characters.
  5. Click Show Advanced Options to specify advanced options for the DB system:

    • Disk redundancy: Exadata DB systems support only high redundancy (3-way mirroring).
    • Time zone: The default time zone for the DB system is UTC, but you can specify a different time zone. The time zone options are those supported in both the java.util.TimeZone class and the Oracle Linux operating system. For more information, see DB System Time Zone.

      Tip

      If you want to set a time zone other than UTC or the browser-detected time zone, and you do not see the time zone you want, select the Select another time zone option, then select "Miscellaneous" in the Region or country list and search the additional Time zone selections.

    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  6. After you completed the network configuration and any advanced options, click Next.
  7. Provide information for the initial database:

    • Database name: The name for the database. The database name must begin with an alphabetic character and can contain a maximum of eight alphanumeric characters. Special characters are not permitted.
    • Database version: The version of the initial database created on the DB system when it is launched. After the DB system is active, you can create additional databases on it. You can mix database versions on the DB system.

      Note

      If you plan to run Oracle Database 19c on your Exadata DB system, you must specify version 19c when you create the DB system. Earlier database versions are supported on a 19c Exadata DB system and can be created at anytime. Exadata DB systems created with earlier Oracle Database versions will not automatically support Oracle Database 19c. The DB system must be upgraded manually.
    • PDB name: Not applicable to version 11.2.0.4. The name of the pluggable database. The PDB name must begin with an alphabetic character, and can contain a maximum of 8 alphanumeric characters. The only special character permitted is the underscore (_).
    • Create administrator credentials: A database administrator SYS user will be created with the password you supply.

      • Username: SYS
      • Password: Supply the password for this user. The password must meet the following criteria:

        A strong password for SYS, SYSTEM, TDE wallet, and PDB Admin. The password must be 9 to 30 characters and contain at least two uppercase, two lowercase, two numeric, and two special characters. The special characters must be _, #, or -. The password must not contain the username (SYS, SYSTEM, and so on) or the word "oracle" either in forward or reversed order and regardless of casing.
      • Confirm password: Re-enter the SYS password you specified.
    • Select workload type: Choose the workload type that best suits your application:

      • Online Transactional Processing (OLTP) configures the database for a transactional workload, with a bias towards high volumes of random data access.
      • Decision Support System (DSS) configures the database for a decision support or data warehouse workload, with a bias towards large data scanning operations.
    • Configure database backups: Specify the settings for backing up the database to Object Storage:

      • Enable automatic backups: Check the check box to enable automatic incremental backups for this database.
      • Backup retention period: (Optional) If you enable automatic backups, you can choose one of the following preset retention periods: 7 days, 15 days, 30 days, 45 days, or 60 days. The default selection is 30 days.
      • Backup scheduling (UTC): If you enable automatic backups, you can choose a two-hour scheduling window to control when backup operations begin. If you do not specify a window, the six-hour default window of 00:00 to 06:00 (in the time zone of the DB system's region) is used for your database. See Automatic Incremental Backups for more information.
    • Click Show Advanced Options to specify advanced options for the initial database.

      In the Management tab you can specify the following options:

      • Character set: The character set for the database. The default is AL32UTF8.
      • National character set: The national character set for the database. The default is AL16UTF16.

      In the Encryption tab, Use Oracle-managed keys is the only selection and cannot be changed during this creation process. You can change encryption management to use encryption keys that you manage after the database is provisioned. See To administer Vault encryption keys for more information.

      In the Tags tab, you can add tags to the database. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.

  8. Click Create DB System. The DB system appears in the list with a status of Provisioning. The DB system's icon changes from yellow to green (or red to indicate errors).

    After the DB system's icon turns green in the list of DB systems and displays the Available status, you can click the highlighted DB system name to see details about the DB system. Note the IP addresses. You'll need the private or public IP address, depending on network configuration, to connect to the DB system.

To create a database in an existing Exadata Cloud Service instance
Note

If IORM is enabled on the Exadata Cloud Service instance, then the default directive will apply to the new database and system performance might be impacted. Oracle recommends that you review the IORM settings and make applicable adjustments to the configuration after the new database is provisioned.
  1. Open the navigation menu. Click Oracle Database, then click Exadata at Oracle Cloud.
  2. Choose your Compartment.
  3. Navigate to the cloud VM cluster or DB system you want to create the database in:

    Cloud VM clusters (new resource model): Under Exadata at Oracle Cloud, click Exadata VM Clusters. In the list of VM clusters, find the VM cluster you want to access and click its highlighted name to view the details page for the cluster.

    DB systems: Under Bare Metal, VM, and Exadata, click DB Systems. In the list of DB systems, find the Exadata DB system you want to access, and then click its name to display details about it.

  4. Click Create Database.
  5. In the Create Database dialog, enter the following:

    • Database name: The name for the database. The database name must begin with an alphabetic character and can contain a maximum of eight alphanumeric characters. Special characters are not permitted.
    • Database version: The version of the database. You can mix database versions on the Exadata DB system.
    • PDB name: (Optional) For Oracle Database 12c (12.1.0.2) and later, you can specify the name of the pluggable database. The PDB name must begin with an alphabetic character, and can contain a maximum of eight alphanumeric characters. The only special character permitted is the underscore (_).
    • Database Home: The Oracle Database Home for the database. Choose the applicable option:

      • Select an existing Database Home: The Database Home display name field allows you to choose the Database Home from the existing homes for the database version you specified. If no Database Home with that version exists, you must create a new one.
      • Create a new Database Home: A database home will be created using the database version and the Database Home display name you specified.
    • Create administrator credentials: A database administrator SYS user will be created with the password you supply.

      • Username: SYS
      • Password: Supply the password for this user. The password must meet the following criteria:

        A strong password for SYS, SYSTEM, TDE wallet, and PDB Admin. The password must be 9 to 30 characters and contain at least two uppercase, two lowercase, two numeric, and two special characters. The special characters must be _, #, or -. The password must not contain the username (SYS, SYSTEM, and so on) or the word "oracle" either in forward or reversed order and regardless of casing.
      • Confirm password: Re-enter the SYS password you specified.
    • Select workload type: Choose the workload type that best suits your application:

      • Online Transactional Processing (OLTP) configures the database for a transactional workload, with a bias towards high volumes of random data access.
      • Decision Support System (DSS) configures the database for a decision support or data warehouse workload, with a bias towards large data scanning operations.
    • Configure database backups: Specify the settings for backing up the database to Object Storage:

      • Enable automatic backup: Check the check box to enable automatic incremental backups for this database. If you are creating a database in a security zone compartment, you must enable automatic backups.
      • Backup retention period: If you enable automatic backups, you can choose one of the following preset retention periods: 7 days, 15 days, 30 days, 45 days, or 60 days. The default selection is 30 days.
      • Backup Scheduling: If you enable automatic backups, you can choose a two-hour scheduling window to control when backup operations begin. If you do not specify a window, the six-hour default window of 00:00 to 06:00 (in the time zone of the DB system's region) is used for your database. See Automatic Incremental Backups for more information.
  6. Click Show Advanced Options to specify advanced options for the database:

    • Character set: The character set for the database. The default is AL32UTF8.
    • National character set: The national character set for the database. The default is AL16UTF16.
    • If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
    • If you are creating a database in an Exadata Cloud Service VM cluster, then you can choose to use encryption based on encryption keys that you manage. By default, the database is configured using Oracle-managed encryption keys. To configure the database with encryption based on encryption keys you manage:
      1. Click the Encryption tab.
      2. Select Use customer-managed keys. You must have a valid encryption key in Oracle Cloud Infrastructure Vault service. See Let security admins manage vaults, keys, and secrets.
        Note

        Oracle only supports AES-256 encryption keys.
      3. Choose a vault from the Vault in compartment drop-down. You can change the compartment by clicking the CHANGE COMPARTMENT link.
      4. Select an encryption key from the Master encryption key in compartment drop-down. You can change the compartment containing the encryption key you want to use by clicking the CHANGE COMPARTMENT link.
      5. If you want to use an encryption key that you import into your vault, then select Choose the key version and enter the OCID of the key you want to use in the Key version OCID field.
      Note

      • Oracle supports customer-managed keys on databases after Oracle Database 11g release 2 (11.2.0.4).
      • If you choose to provide an OCID for the valid key version, then ensure that the OCID corresponds to the key version you want to use.
  7. Click Create Database.

After database creation is complete, the status changes from Provisioning to Available, and on the database details page for the new database, the Encryption section displays the encryption key name and the encryption key OCID.

Caution

Do not delete the encryption key from the vault. This causes any database protected by the key to become unavailable.
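As an added example (not Oracle's code or the Console's own validation), the following Python function checks a candidate administrator password against the rules given in the Database admin password step above, so a provisioning script can reject a value before the create call does; the list of forbidden names is an assumption drawn from the examples the step gives (SYS, SYSTEM).

```python
# Added example (not Oracle's code): check a DB admin password against the
# rules stated above before a provisioning script submits it. The list of
# forbidden names is an assumption based on the examples given (SYS, SYSTEM).

ALLOWED_SPECIALS = set("_#-")
FORBIDDEN_WORDS = ("sys", "system", "oracle")


def password_problems(pw, forbidden=FORBIDDEN_WORDS):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if not 9 <= len(pw) <= 30:
        problems.append("length must be 9 to 30 characters")
    if sum(c.isupper() for c in pw) < 2:
        problems.append("need at least two uppercase letters")
    if sum(c.islower() for c in pw) < 2:
        problems.append("need at least two lowercase letters")
    if sum(c.isdigit() for c in pw) < 2:
        problems.append("need at least two digits")
    # Anything that is not a letter or digit counts as a special character,
    # but only _ # and - are permitted.
    specials = [c for c in pw if not c.isalnum()]
    if len(specials) < 2:
        problems.append("need at least two special characters (_ # -)")
    disallowed = sorted(set(specials) - ALLOWED_SPECIALS)
    if disallowed:
        problems.append("disallowed characters: " + " ".join(disallowed))
    # The username and "oracle" are rejected forwards or reversed, in any casing.
    lowered = pw.lower()
    for word in forbidden:
        if word in lowered or word[::-1] in lowered:
            problems.append(f"must not contain '{word}' forwards or reversed")
    return problems


if __name__ == "__main__":
    for candidate in ("Ab12_#xyZQ", "SysAdmin_#2024", "Elcaro_#12AB", "Ab12!@xyZQ"):
        print(candidate, "->", password_problems(candidate) or "OK")
```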

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the Command Line Reference.

Tip

Each vault has a unique endpoint for create, update, and list operations for keys. This endpoint is referred to as the control plane URL or management endpoint. Each vault also has a unique endpoint for cryptographic operations. This endpoint is known as the data plane URL or the cryptographic endpoint. When using the CLI for key operations, you must provide the appropriate endpoint for the type of operation. To retrieve a vault's endpoints, see instructions in To view vault configuration details.

To assign a key to an Object Storage bucket

Open a command prompt and run oci os bucket create to create a bucket that is encrypted with a Vault service master encryption key:

oci os bucket create --name <bucket_name> --compartment-id <target_compartment_id> --kms-key-id <target_key_id>

For example:

oci os bucket create --name Bucket-1 --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --namespace-name example_namespace

Avoid entering confidential information.

To update the key assigned to an Object Storage bucket

Open a command prompt and run oci os bucket update to update the Vault service master encryption key assigned to a bucket:

oci os bucket update --name <bucket_name> --namespace-name <your_namespace> --kms-key-id <target_key_id>

For example:

oci os bucket update --name Bucket-1 --namespace-name example_namespace --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq

To create a block volume that's encrypted with a Vault key

Open a command prompt and run oci bv volume create to create a block volume that is encrypted with a Vault service master encryption key:

oci bv volume create --display-name <volume_name> --compartment-id <target_compartment_id> --size-in-gbs <volume_size> --availability-domain <target_availability_domain> --kms-key-id <target_key_id>

For example:

oci bv volume create --display-name EncryptedBlockVolume --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --size-in-gbs 50 --availability-domain AAbC:US-ASHBURN-AD-1 --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq

Caution

Avoid entering confidential information in the volume name.

To update a key assigned to an existing Block Volume

Tip

If the volume is currently attached to an instance, you must first detach it. To do so, open a command prompt and run oci compute volume-attachment detach --volume-attachment-id <target_blockvolume-attachment_id>. For more information, see Oracle Cloud Infrastructure CLI Command Reference.

Open a command prompt and run oci bv volume-kms-key update to assign a new Vault service master encryption key to an existing block volume:

oci bv volume-kms-key update --volume-id <target_blockvolume_id> --kms-key-id <new_key_id>

For example:

oci bv volume-kms-key update --volume-id ocid1.volume.oc1.sea.examplerwzq7bnohn5vf6b7k4zkp54miqfcvg6xsuvkllgzzw63mfuu6z5fa --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq

To create a boot volume that's encrypted with a Vault key

Open a command prompt and run oci bv boot-volume create to create a boot volume that is encrypted with a Vault service master encryption key:

oci bv boot-volume create --display-name <volume_name> --compartment-id <target_compartment_id> --size-in-gbs <volume_size> --availability-domain <target_availability_domain> --kms-key-id <target_key_id>

For example:

oci bv boot-volume create --display-name EncryptedBlockVolume --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --size-in-gbs 50 --availability-domain AAbC:US-ASHBURN-AD-1 --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq

Caution

Avoid entering confidential information in the volume name.

To create a Compute instance with a boot volume that's encrypted with a Vault key
  1. First, create the JSON input for configuring the instance and boot volume: Open a command prompt and run oci compute instance launch --generate-full-command-json-input.
  2. Copy, and then paste the output from the command into a text file for editing. Edit the JSON to provide values appropriate for your tenancy and desired image operating system and instance shape. The following example shows the minimum settings required to create an instance and encrypted boot volume.

    {
      "availabilityDomain": "ABcD:US-ASHBURN-AD-1",
      "compartmentId": "ocid1.tenancy.oc1..examplea54hlbsiugecvb4g67tnth7ouk4iivkpysfauxcetd55uiunrykhq",
      "displayName": "InstanceWithEncryptedBootVolume",
      "metadata": {},
      "shape": "VM.Standard1.1",
      "subnetId": "ocid1.subnet.oc1.iad.exampleaurihk3x3yl2vcvb53uz22zgauoujtcwvtbxvfauxdvsjmdfv4dza",
      "sourceDetails": {
        "sourceType": "image",
        "imageId": "ocid1.image.oc1.iad.exampleaeookczfwutjxzcvb2gcdgdx4yk6xls7d5fhtlfauxzpaxdedny4a",
        "kmsKeyId": "ocid1.key.oc1.iad.exampleoaaeug.examplera4soq2vescvbjmwredhewtto7rlfauxhvme73y7jayxx6rpaenlq"
      }
    }
    Caution

    Avoid entering confidential information in the instance name.
  3. Save the file with a ".json" file extension.
  4. In the command prompt, run oci compute instance launch --from-json file://<file_path>, providing the location of the file you saved in the previous step. For example:

    oci compute instance launch --from-json file://c:\temp\compute-boot-volume.json

To update a key assigned to an existing boot volume

Tip

If the volume is currently attached to an instance, you must first detach the volume. To do so, you must first stop the instance. To stop an instance, open a command prompt and run oci compute instance action --instance-id <target_instance_id> --action STOP. Then, to detach the boot volume, run oci compute boot-volume-attachment detach --boot-volume-attachment-id <target_bootvolume-attachment_id>. For more information, see the Oracle Cloud Infrastructure CLI Command Reference.

Open a command prompt and run oci bv boot-volume-kms-key update to assign a new Vault service master encryption key to an existing boot volume:

oci bv boot-volume-kms-key update --boot-volume-id <target_bootvolume_id> --kms-key-id <new_key_id>

For example:

oci bv boot-volume-kms-key update --boot-volume-id ocid1.bootvolume.oc1.sea.exampless6hvjs6j6mqwcdv4gfzhtanon3fsqyviqeh522be6wv7x7abz7pq --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq

To create a Kubernetes cluster with encrypted secrets in the etcd key-value store

Note

These instructions assume you have already followed the steps in Encrypting Kubernetes Secrets at Rest in Etcd and created:

  • a dynamic group including all clusters in the compartment
  • a suitable policy to give the dynamic group access to the master encryption key in Vault

Open a command prompt and run oci ce cluster create to create a cluster where Kubernetes secrets at rest in the etcd data-store are encrypted with a Vault service master encryption key:

oci ce cluster create --name <cluster_name> --compartment-id <target_compartment_id> --vcn-id <target_vcn_id> --kubernetes-version <kubernetes_version> --kms-key-id <target_key_id>

For example:

oci ce cluster create --name EncryptedCluster --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --vcn-id ocid1.vcn.oc1.iad.exampleexamplesgwertshsdgfy2muagjhrcmzhtp6c5fplejt3miqvyja --kubernetes-version v1.14.8 --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq

Caution

Avoid entering confidential information in the cluster name.

To remove the key assigned to an Object Storage bucket

Open a command prompt and run oci os bucket update to remove the Vault service master encryption key assigned to a bucket:

oci os bucket update --name <bucket_name> --namespace-name <your_namespace> --kms-key-id ""

For example:

oci os bucket update --name Bucket-1 --kms-key-id "" --namespace-name example_namespace

To remove a key assigned to a Block Volume

Open a command prompt and run oci bv volume-kms-key delete to remove the Vault service master encryption key assigned to an existing block volume:

oci bv volume-kms-key delete --volume-id <target_blockvolume_id>

For example:

oci bv volume-kms-key delete --volume-id ocid1.volume.oc1.sea.examplerwzq7bnohn5vf6b7k4zkp54miqfcvg6xsuvkllgzzw63mfuu6z5fa

To remove a key assigned to a Block Volume boot volume

Open a command prompt and run oci bv boot-volume-kms-key delete to remove the Vault service master encryption key assigned to an existing boot volume:

oci bv boot-volume-kms-key delete --boot-volume-id <target_bootvolume_id>

For example:

oci bv boot-volume-kms-key delete --boot-volume-id ocid1.bootvolume.oc1.sea.exampless6hvjs6j6mqwcdv4gfzhtanon3fsqyviqeh522be6wv7x7abz7pq
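The commands above assign or remove keys one resource at a time. As an added example (not Oracle's code), the following Python script audits the JSON output of the CLI and reports live resources that have no Vault key, and therefore use an Oracle-managed key, or that use a key outside an approved set, which matters because of the caution above about deleting a key. It assumes the kebab-case field names of oci --output json ("kms-key-id", "display-name", "lifecycle-state") and the --all pagination flag on oci bv volume list; the sample data is constructed.

```python
# Added example (not Oracle's code): list resources that are still on
# Oracle-managed keys, or on a key the key owners do not track. Assumes the
# kebab-case fields of `oci ... --output json` ("kms-key-id", "display-name",
# "lifecycle-state") and its {"data": [...]} envelope.
import json
import subprocess

# Constructed sample in the shape of `oci bv volume list --output json`.
SAMPLE_VOLUME_LIST = json.dumps({"data": [
    {"id": "ocid1.volume.oc1..aaaa", "display-name": "vol-app-1",
     "lifecycle-state": "AVAILABLE", "kms-key-id": "ocid1.key.oc1..approved1"},
    {"id": "ocid1.volume.oc1..bbbb", "display-name": "vol-app-2",
     "lifecycle-state": "AVAILABLE", "kms-key-id": None},
    {"id": "ocid1.volume.oc1..cccc", "display-name": "vol-old",
     "lifecycle-state": "TERMINATED", "kms-key-id": None},
    {"id": "ocid1.volume.oc1..dddd", "display-name": "vol-rogue",
     "lifecycle-state": "AVAILABLE", "kms-key-id": "ocid1.key.oc1..unknown9"},
]})


def classify(resources, approved_keys):
    """Group live resources by key status (display names).

    No kms-key-id means an Oracle-managed key, the state a resource returns to
    after its key assignment is removed. A key outside approved_keys is flagged
    because deleting it from its vault would make the resource unavailable.
    """
    findings = {"oracle_managed": [], "unapproved_key": []}
    for res in resources:
        if res.get("lifecycle-state") == "TERMINATED":
            continue  # nothing left to protect
        key = res.get("kms-key-id")
        name = res.get("display-name") or res["id"]
        if not key:
            findings["oracle_managed"].append(name)
        elif key not in approved_keys:
            findings["unapproved_key"].append(name)
    return findings


def audit_json(text, approved_keys):
    """Audit a captured CLI JSON document (also usable offline, as in the sample)."""
    return classify(json.loads(text)["data"], set(approved_keys))


def audit_volumes(compartment_id, approved_keys):
    """Audit live CLI output for one compartment (requires a configured `oci`)."""
    cmd = ["oci", "bv", "volume", "list", "--compartment-id", compartment_id,
           "--all", "--output", "json"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit_json(out or '{"data": []}', approved_keys)
```

Run audit_json(SAMPLE_VOLUME_LIST, ["ocid1.key.oc1..approved1"]) to see the constructed case, or audit_volumes(compartment_ocid, approved_keys) against a configured CLI; the output of other list commands that carry a kms-key-id field can be passed to audit_json() the same way.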

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operations to assign keys:

Container Engine for Kubernetes

Core Services

File Storage

Object Storage

Streaming