Protect Autonomous AI Database (Serverless)

Learn about various data protection methods available for Autonomous AI Database Serverless.

Data in Transit Encryption

Autonomous AI Database is protected with encryption of data in transit by default. This ensures that data moving between the application and the database is protected from unauthorized interception or tampering. Oracle Net Services supports multiple industry-standard encryption algorithms including AES, DES, 3DES, and RC4 for securing data in transit. It also offers MD5, SHA-1, and SHA-2 hashing algorithms to verify data integrity.

All communication between clients and the database is encrypted using Oracle Net Services (SQL*Net). Two types of connection services are supported:
  1. TCPS (Secure TCP) Connections
    • Uses TLS 1.2 or TLS 1.3.
    • Requires a downloadable connection wallet.
    • Ensures symmetric encryption via secure handshake using the wallet.
    • TLS 1.3 support is available starting with Oracle AI Database 26ai.
  2. TCP Connections with Native Network Encryption
    • Uses Oracle’s built-in encryption protocol.
    • Negotiates encryption during connection (AES-256, AES-192, AES-128).
    • No wallet is required but connection details such as tnsnames.ora must be known.
Clients (applications and tools) connect to an Autonomous AI Database Serverless using Oracle Net Services (also known as SQL*Net) and predefined database connection services. Oracle Autonomous AI Database Serverless provides two types of database connection services, each employing its own method for encrypting data in transit between the database and the client.
  1. TCPS (Secure TCP) database connection services
    • It uses the industry-standard Transport Layer Security (TLS) protocol, versions 1.2 and 1.3, for connections. However, TLS 1.3 is only supported on Oracle AI Database 23ai or later.
    • When you create an Autonomous AI Database Serverless, a connection wallet is generated containing all the necessary files for a client to connect using TCPS. You should distribute this wallet only to clients who require database access. The client-side configuration uses information from the wallet to perform symmetric-key data encryption.
  2. TCP database connection services
    • It uses the Native Network Encryption crypto system built into Oracle Net Services to negotiate and encrypt data during transmission. For this negotiation, Autonomous AI Database Serverless instances are configured to require encryption using AES256, AES192 or AES128 cryptography.
    • Because encryption is negotiated when the connection is made, TCP connections do not require the connection wallet needed for TCPS connections. However, the client will still need information about the database connection services. This information is available by selecting DB Connection on the database's Autonomous AI Database Details page in the OCI console, and in the tnsnames.ora file included in the same downloadable ZIP file that contains the files necessary to connect using TCPS.
These connection services are designed to support different types of database operations:
  • tpurgent_tls and tpurgent: For high priority, time critical transaction processing operations.
  • tp_tls and tp: For typical transaction processing operations.
  • high_tls and high: For high priority reporting and batch operations.
  • medium_tls and medium: For typical reporting and batch operations.
  • low_tls and low: For low priority reporting and batch operations.
This screenshot shows database connection.
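Both connection paths depend on client-side settings carried in the downloaded wallet ZIP (tnsnames.ora) and in sqlnet.ora. The following script is added here as an example; it is not part of Oracle's documentation or tooling. It parses a tnsnames.ora and a sqlnet.ora and reports, per alias, whether a TCPS alias has a wallet location and server DN matching configured, and whether a TCP alias actually requires Native Network Encryption with AES rather than merely accepting whatever is offered. The configuration text, host names, service names and wallet path are constructed placeholders; the parameter names (WALLET_LOCATION, SSL_SERVER_DN_MATCH, SQLNET.ENCRYPTION_CLIENT, SQLNET.ENCRYPTION_TYPES_CLIENT) are standard Oracle Net client parameters.

```python
"""Audit Oracle Net client files for Autonomous AI Database connections.

Added example, not from the Oracle documentation: parses tnsnames.ora and
sqlnet.ora, classifies each alias as TCPS (TLS with the wallet) or TCP with
Native Network Encryption, and reports client settings that weaken either
path. All configuration text here is constructed; hosts and names are placeholders.
"""
import re

# Constructed tnsnames.ora with one TCPS alias and one TCP alias.
SAMPLE_TNSNAMES = """
mydb_high_tls = (description=(retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=adb.example-region.oraclecloud.com))
  (connect_data=(service_name=example_mydb_high_tls.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)))
mydb_low = (description=(retry_count=20)(retry_delay=3)
  (address=(protocol=tcp)(port=1521)(host=adb.example-region.oraclecloud.com))
  (connect_data=(service_name=example_mydb_low.adb.oraclecloud.com)))
"""
# Constructed hardened sqlnet.ora: wallet present, AES required on the TCP path.
SAMPLE_SQLNET = """
WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY = "/path/to/wallet")))
SSL_SERVER_DN_MATCH = yes
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES192, AES128)
"""
# Constructed weak sqlnet.ora: no wallet, encryption merely accepted, legacy ciphers.
WEAK_SQLNET = """
SQLNET.ENCRYPTION_CLIENT = ACCEPTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_128, DES)
"""
# Legacy algorithms Oracle Net still recognises; the service negotiates only AES.
WEAK_CIPHERS = {"DES", "DES40", "3DES112", "3DES168", "RC4_40", "RC4_56", "RC4_128", "RC4_256"}


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse_list(s, i):
    """Parse consecutive '(key=value)' groups from s[i] (values may nest);
    return the (key, value) pairs and the index just past the last group."""
    items = []
    while (i := _skip_ws(s, i)) < len(s) and s[i] == "(":
        eq = s.index("=", i + 1)
        key, i = s[i + 1:eq].strip().lower(), _skip_ws(s, eq + 1)
        if s[i] == "(":
            value, i = _parse_list(s, i)
        else:
            close = s.index(")", i)
            value, i = s[i:close].strip(), close
        i = _skip_ws(s, i)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        items.append((key, value))
        i += 1
    return items, i


def parse_tnsnames(text):
    """Map each alias (lower-cased) to its parsed connect descriptor."""
    alias_re = re.compile(r"([A-Za-z][\w.\-]*)\s*=\s*(?=\()")
    entries, pos = {}, 0
    while (m := alias_re.search(text, pos)):
        items, pos = _parse_list(text, m.end())
        entries[m.group(1).lower()] = items
    return entries


def find_values(items, key):
    """Collect every string value stored under `key` anywhere in a descriptor."""
    out = []
    for k, v in items:
        if isinstance(v, list):
            out.extend(find_values(v, key))
        elif k == key:
            out.append(v.lower())
    return out


def parse_sqlnet(text):
    """Read 'NAME = value' lines into a dict keyed by upper-cased name."""
    lines = (l.split("#", 1)[0].partition("=") for l in text.splitlines())
    return {k.strip().upper(): v.strip() for k, sep, v in lines if sep}


def audit(tnsnames_text, sqlnet_text):
    """Return {alias: [findings]}; an empty list means nothing to report."""
    params = parse_sqlnet(sqlnet_text)
    enc_mode = params.get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED").upper()  # Oracle's default
    enc_types = {t.strip().upper() for t in
                 params.get("SQLNET.ENCRYPTION_TYPES_CLIENT", "").strip("()").split(",") if t.strip()}
    global_dn_match = params.get("SSL_SERVER_DN_MATCH", "").lower() == "yes"
    report = {}
    for alias, items in parse_tnsnames(tnsnames_text).items():
        findings = []
        if "tcps" in find_values(items, "protocol"):
            # TLS path: the wallet supplies trust; DN matching pins the server identity.
            if "WALLET_LOCATION" not in params:
                findings.append("TCPS alias but sqlnet.ora defines no WALLET_LOCATION")
            if "yes" not in find_values(items, "ssl_server_dn_match") and not global_dn_match:
                findings.append("TCPS alias without ssl_server_dn_match=yes")
        else:
            # Native Network Encryption path: the service requires AES; the client should too.
            if enc_mode != "REQUIRED":
                findings.append(f"TCP alias with SQLNET.ENCRYPTION_CLIENT={enc_mode}, not REQUIRED")
            if (weak := sorted(enc_types & WEAK_CIPHERS)):
                findings.append("weak SQLNET.ENCRYPTION_TYPES_CLIENT entries: " + ", ".join(weak))
        report[alias] = findings
    return report
```

Run `audit(SAMPLE_TNSNAMES, SAMPLE_SQLNET)` to see a clean result for both aliases, and `audit(SAMPLE_TNSNAMES, WEAK_SQLNET)` to see the TCPS alias flagged for the missing wallet location and the TCP alias flagged for both the ACCEPTED mode and the legacy cipher list. The point of requiring encryption on the client as well as the server is that the server-side requirement protects only connections that actually reach this service; a client that is ever redirected elsewhere keeps its own guarantee.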

Encryption at Rest for Oracle AI Database@AWS

Oracle AI Database@AWS supports encryption at rest to safeguard sensitive data residing in database files, backups, and configuration files. This protection is enabled by Transparent Data Encryption (TDE), which ensures that data is encrypted whenever it is written to persistent storage and transparently decrypted when accessed by authorized Oracle processes, with no customer configuration required. The master key encrypts tablespace keys, which in turn encrypt the data.

Transparent Data Encryption (TDE)

Encryption at rest is provided through TDE, a feature included in Oracle Advanced Security. TDE automatically encrypts tablespaces, redo logs, and undo logs, ensuring that all database data is written to disk in encrypted form and transparently decrypted for authorized users and applications. Database backups created using Oracle Recovery Manager (RMAN) or managed backup solutions adopt these encryption settings, protecting all database copies stored on persistent media.

Key Management

TDE uses a master encryption key to protect your tablespaces and columns. For Oracle AI Database@AWS, there are two key management options:
  1. Oracle-managed keys: The master encryption key is automatically generated and stored in an Oracle Wallet, which is secured within the database environment. Oracle handles all key lifecycle tasks, including backups and restores.
  2. Customer-managed keys: You can integrate Oracle Autonomous AI Database with services like OCI Vault to generate and store the master encryption key outside the database, enabling centralized key control, lifecycle management, rotation, and auditing of key usage events. With customer-managed keys, you control the encryption keys used to protect your data. You can enable customer-managed keys when creating databases, switch from Oracle-managed to customer-managed keys, and rotate keys to meet security and compliance requirements.
Oracle Autonomous AI Database Service offers the following data at rest encryption methods:
  1. Oracle-managed Key (OMK)
  2. Customer-managed Key (CMK)
    • Oracle Cloud Infrastructure Vault
    • Oracle Key Vault (OKV)
    • AWS Key Management Service (AWS KMS)
  • Oracle-managed Key (OMK) is the default method for securing data encryption in Oracle AI Database@AWS. In Oracle AI Database, data encryption at rest is powered by TDE. When you choose OMK, the database system automatically handles all key management, including key generation, secure storage, and rotation required by TDE. There are no prerequisites or additional configuration steps required to use Oracle-managed Key on Oracle AI Database@AWS.

    View Encryption Details

    1. From the Oracle AI Database@AWS dashboard, select Autonomous AI Databases Serverless, and then select the name field of the Autonomous AI Database Serverless that you want to verify.
    2. From the central bar, select the Encryption tab. Review your encryption key details.
      1. The Key type section displays the current configuration. By default, this is set to Oracle-Managed Key.
      This screenshot shows how to verify encryption details.
  • Customer-Managed Keys on Oracle AI Database@AWS with OCI Vault

    Using customer-managed encryption keys on Oracle AI Database@AWS with Oracle Cloud Infrastructure (OCI) Vault service involves creating a master key in your OCI Vault and configuring your Oracle AI Database@AWS to use encryption keys in the OCI Vault.

    Complete the following steps to use customer-managed keys on Oracle AI Database with OCI Vault:

    1. Create an Oracle Cloud Infrastructure Vault (OCI Vault)

      For more information, see Create an Oracle Cloud Infrastructure Vault.

    2. Create a Master Encryption Key in the Vault

      For more information, see Create a Master Encryption Key in the Vault.

    3. Configure a Service Gateway, Route Rule, and Egress Security Rule

      For more information, see Configure a Service Gateway, Route Rule, and Egress Security Rule.

    4. Create an OCI Dynamic Group
      1. From the OCI console, select Oracle AI Database, and then select Autonomous AI Database.
      2. Select the name field of your Autonomous AI Database.
      3. Select the General information tab, scroll down to the General information section. Take a note of your Autonomous AI Database Compartment information.
      This screenshot shows how to obtain the compartment information.
      4. From the navigation menu, select Identity & Security, and then select Compartments.
      5. Locate the Compartment that you previously noted, and then take a note of the compartment OCID.
      This screenshot shows how to obtain the OCID information.
      6. From the navigation menu, select Identity & Security, and then select Domains.
      7. From the Applied filters section, select the Root Compartment and then choose the name of your domain.
      This screenshot shows how to create a domain.
      8. Select the Dynamic groups tab, and then select the Create dynamic group button.
        1. Name: Enter a descriptive name for the group.
        2. Description: Provide a brief description of the dynamic group’s purpose.
        3. Matching Rules: Enter the following statement, replacing <your_Compartment_OCID> with the compartment OCID you noted in the previous step:
          ALL {resource.compartment.id = '<your_Compartment_OCID>'}
        4. Review your information, and then select the Create button.
        This screenshot shows how to create dynamic group.
    5. Create an OCI Policy
      1. From the navigation menu, select Identity & Security, and then select Policies.
      2. In the Applied Filter section, select the Root Compartment, and then select the Create Policy button.
        1. Name: Enter a descriptive name for the policy.
        2. Description: Provide a brief description of the policy's purpose.
        3. Enable the Show manual editor button, and then enter the following statements. Replace <dynamic-group-name> with the name of the dynamic group created in the previous step, and <your_Compartment_OCID> with your specific compartment OCID:
          
          Allow dynamic-group <dynamic-group-name> to manage keys in compartment id <your_Compartment_OCID>
          This screenshot shows how to create policy.
          Note

          To use customer-managed keys with Autonomous Data Guard and a remote standby database, the following policy is also required:
          Allow dynamic-group <dynamic-group-name> to read vaults in compartment id <your_Compartment_OCID>
        4. Review your information, and then select the Create button.
    6. Modify an Autonomous AI Database to Use OCI Vault as the Key Management Solution
      1. From the OCI console, select Oracle AI Database, and then select Autonomous AI Database.
      2. Select the name field of your Autonomous AI Database.
      3. Select the More actions button and then select the Manage encryption key option.
        1. Choose the Encrypt using a customer-managed key option.
        2. From the Key type dropdown list, select Oracle.
        3. As your Key location, select either the This tenancy or Different tenancy option based on your specific vault configuration.
        4. Select the Compartment where you created the OCI Vault, then select the Vault from the dropdown list.
        5. Select the Compartment where you created the OCI key, then select the Master encryption key from the dropdown list.
        6. Select the Save button to save your configuration settings.
        This screenshot shows how to manage encryption key.
    7. Verify the Database Encryption Method from the OCI Console
      1. From the OCI console, select Oracle AI Database, and then select Autonomous AI Database.
      2. Select the name field of your Autonomous AI Database.
      3. Scroll down to the Encryption section. You can verify that the Encryption Key is used to protect your Autonomous AI Database with the Encryption key OCID.
      This screenshot shows how to verify encryption key.
    8. Verify the Database Encryption Method from the AWS Console
      1. From the Oracle AI Database@AWS dashboard, select Autonomous AI Databases Serverless, and then select the name field of the Autonomous AI Database that you want to verify.
      2. From the central bar, select the Encryption tab and review the following information:
        1. Key type: If the value displayed is OCI Vault Key, your Autonomous AI Database is using OCI Vault as its encryption method.
      This screenshot shows how to verify encryption key.
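The dynamic group and policy created in the steps above are the minimum grant the procedure needs: the database's compartment as the matching rule, manage keys on that compartment, and read vaults only when Autonomous Data Guard has a remote standby. The following script is added here as an example; it is not part of Oracle's documentation or the OCI CLI. It builds that matching rule and those policy statements from a group name and compartment OCID, and lints an existing policy for grants wider than the procedure requires (any-user, tenancy-wide scope, all-resources, or a verb stronger than the needed manage keys / read vaults). The group name and OCID values are constructed placeholders, and the OCID check verifies only the ocid1.<type>.<realm>.[region].<id> shape, not that the resource exists.

```python
"""Build and lint the IAM artifacts for customer-managed TDE keys in OCI Vault.

Added example, not from the Oracle documentation: produces the dynamic-group
matching rule and policy statements from the procedure above, and lints a
policy for grants broader than that procedure needs. The group name and OCIDs
used below are constructed placeholders.
"""
import re

# Least privilege the procedure asks for: manage keys, plus read vaults only
# when Autonomous Data Guard has a remote standby database.
NEEDED = {"keys": "manage", "vaults": "read"}
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9._+\-]+")  # IAM names carry no spaces
STMT_RE = re.compile(
    r"^allow\s+(?:(?P<anyuser>any-user)|(?P<kind>dynamic-group|group|service)\s+(?P<subject>\S+))"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment(?:\s+id)?\s+\S+)(?:\s+where\s+.+)?$",
    re.IGNORECASE,
)


def is_ocid(value, resource_type):
    """Shape check for ocid1.<type>.<realm>.[region].<id>; not an existence check."""
    parts = value.split(".")
    return (value.startswith("ocid1.") and len(parts) in (5, 6)
            and parts[1] == resource_type and bool(parts[-1]))


def matching_rule(compartment_ocid):
    """Dynamic-group rule matching every resource in the database's compartment."""
    if not is_ocid(compartment_ocid, "compartment"):
        raise ValueError(f"{compartment_ocid!r} is not a compartment OCID")
    return f"ALL {{resource.compartment.id = '{compartment_ocid}'}}"


def policy_statements(group, compartment_ocid, remote_standby=False):
    """The statements from the procedure; the vault grant only for a remote standby."""
    if not GROUP_NAME_RE.fullmatch(group):
        raise ValueError(f"{group!r} is not a valid dynamic group name")
    if not is_ocid(compartment_ocid, "compartment"):
        raise ValueError(f"{compartment_ocid!r} is not a compartment OCID")
    stmts = [f"Allow dynamic-group {group} to manage keys in compartment id {compartment_ocid}"]
    if remote_standby:
        stmts.append(f"Allow dynamic-group {group} to read vaults in compartment id {compartment_ocid}")
    return stmts


def lint_statement(stmt):
    """Findings for one statement; an empty list means it is within the needed scope."""
    m = STMT_RE.match(stmt.strip())
    if not m:
        return ["does not parse as 'Allow <subject> to <verb> <resource> in <scope>'"]
    findings = []
    verb, resource = m["verb"].lower(), m["resource"].lower()
    if m["anyuser"]:
        findings.append("grants any-user instead of the dynamic group")
    if m["scope"].lower() == "tenancy":
        findings.append("scoped to the tenancy instead of the vault's compartment")
    if resource == "all-resources":
        findings.append("grants all-resources; only keys (and vaults) are needed")
    elif resource not in NEEDED:
        findings.append(f"resource {resource!r} is not needed for customer-managed keys")
    elif VERB_RANK[verb] > VERB_RANK[NEEDED[resource]]:
        findings.append(f"{verb} on {resource} exceeds the required {NEEDED[resource]}")
    return findings


def lint_policy(statements):
    """Map each statement of a policy to its findings."""
    return {s: lint_statement(s) for s in statements}


if __name__ == "__main__":
    group = "adb-cmk-dynamic-group"                               # placeholder name
    comp = "ocid1.compartment.oc1..aaaaaaaaexampleplaceholder"   # placeholder OCID
    print(matching_rule(comp))
    for s, f in lint_policy(policy_statements(group, comp, remote_standby=True)).items():
        print(s, "->", f or "OK")
    print(lint_policy(["Allow any-user to manage all-resources in tenancy"]))
```

The linter treats `manage vaults` as a finding because the procedure only ever needs `read vaults`, and it treats a tenancy-wide statement as a finding even when the verb and resource are right, since the dynamic group only needs to reach the compartment that holds the vault and key.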

    Rotate Customer-Managed Encryption Keys for an Autonomous AI Database with OCI Vault

    1. Create a new master encryption key within your OCI Vault. For more information, see Create a Master Encryption Key in the Vault.
    2. From the OCI console, select Oracle AI Database, and then select Autonomous AI Database.
    3. Select the name of your Autonomous AI Database.
    4. Select the More actions button, and then select the Manage encryption key option.
    5. Select the OCI Vault that contains the key you want to use.
    6. Select a Master Encryption Key that is different from the one currently in use for your Autonomous AI Database instance.
    7. Select the Save button.

Learn More

For more information about the key security features, see Security Features in Autonomous AI Database on Dedicated Exadata Infrastructure.