Prerequisites
Before configuring your Oracle Database@Google Cloud environment, you need to understand the prerequisites for your chosen encryption method.
- Oracle-managed Key (OMK)
  - Oracle Wallet
- Customer-managed Key (CMK)
  - OCI Vault
  - Oracle Key Vault (OKV)
  - Google Cloud Key Management Service (Cloud KMS)
This section explains the required prerequisites to configure your Oracle Database@Google Cloud.
Oracle-managed keys are the default method for securing data encryption in Oracle Database@Google Cloud. In Oracle AI Database, data encryption at rest is managed by Transparent Data Encryption. When you use Oracle-managed keys, the database system automatically handles all key management tasks, including key generation, secure storage, and rotation required by TDE. There are no prerequisites or additional configuration steps required to use Oracle-managed keys with Oracle Database@Google Cloud.
There is currently no content for this page. The Oracle Database@Google Cloud team intends to add content here, and this placeholder text is provided until that text is added.
The Oracle Database@Google Cloud team is excited about future new features, enhancements, and fixes to this product and this accompanying documentation. We strongly recommend you watch this page for those updates.
Oracle Database@Google Cloud now supports integration with Google Cloud's Key Management Service (KMS). This capability allows you to manage Transparent Data Encryption (TDE) master encryption keys (MEKs) using GCP Customer-Managed Keys (CMKs). Previously, TDE master encryption keys could only be stored in a file-based Oracle Wallet, Oracle Cloud Infrastructure (OCI) Vault, or Oracle Key Vault (OKV).
With this update, you can now store and manage CMKs directly in GCP KMS, providing improved key lifecycle control and alignment with your organization’s security policies. To configure GCP KMS to encrypt your database, complete the following prerequisite steps.
Create a Key Ring in Google Cloud KMS
- From the Google Cloud console, select Key Management.
- Select the Create key ring button.
- Enter a descriptive Key ring name. Names can only contain letters, numbers, underscores (_), and hyphens (-).
- Choose your Location type.
  - Region: Lets you select a specific region.
  - Multi-region: Lets you select a multi-region such as global.
Note
- Key rings with the same name can exist in different locations, so you must always specify the location.
- Choose a location close to the resources you want to protect.
- For Customer Managed Encryption Keys, ensure the key ring is in the same location as the resources that will use it.
Choosing a location for your Key Ring:
When creating a key ring in Google Cloud Key Management Service (KMS), selecting the right location is crucial. Your choice affects where your cryptographic keys are stored and how they're replicated. For more information, see Cloud KMS locations.
- Region:
  - Data is stored in a specific geographic region.
  - Keys remain within the boundaries of this single region.
  - Ideal for:
    - Low-latency applications
    - Compliance with data residency requirements
    - Region-specific workloads
- Multi-region:
  - Data is replicated across multiple regions within a larger geographical area.
  - Google manages distribution and replication automatically.
  - You cannot select individual data centers or regions.
  - Ideal for:
    - High availability
    - Resilient, fault-tolerant applications
    - Services serving a wide regional area
- Global:
  - A special type of multi-region.
  - Keys are distributed across Google data centers worldwide.
  - Location selection and control are not available.
  - Ideal for:
    - Applications with global users
    - Use cases needing maximum redundancy and reach
- Select the Create button to create the key ring.
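
The console steps above have a command-line equivalent in `gcloud kms keyrings create`. The following is an added example, not part of the Oracle documentation: a POSIX shell pre-flight check that enforces the naming rule, requires an explicit location, and verifies the same-location note before printing the command. The project, region and key ring names are constructed placeholders, and the 63-character cap is an assumption taken from the Cloud KMS resource ID rules.

```sh
#!/bin/sh
# Added example: pre-flight checks for a Cloud KMS key ring (names are constructed).

# Naming rule from the steps above: letters, numbers, underscores, hyphens.
# The 63-character cap is an assumption from Cloud KMS resource ID rules.
valid_keyring_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Build the full resource name. The location is mandatory because key rings
# with the same name can exist in different locations.
keyring_resource() {  # args: project location name
  valid_keyring_name "$3" || { echo "invalid key ring name: $3" >&2; return 1; }
  [ -n "$2" ] || { echo "location is required" >&2; return 1; }
  printf 'projects/%s/locations/%s/keyRings/%s\n' "$1" "$2" "$3"
}

# CMEK note: the key ring must be in the same location as the resource using it.
same_location() {  # args: keyring_resource resource_location
  loc=${1#*/locations/}
  loc=${loc%%/*}
  [ "$loc" = "$2" ]
}

# Print (not run) the gcloud command only after every check passes.
create_cmd() {  # args: project location name resource_location
  res=$(keyring_resource "$1" "$2" "$3") || return 1
  same_location "$res" "$4" || { echo "key ring in $2, resource in $4" >&2; return 1; }
  printf 'gcloud kms keyrings create %s --location %s --project %s\n' "$3" "$2" "$1"
}

# Constructed sample values.
create_cmd example-project us-east4 odb_tde_ring us-east4
if ! create_cmd example-project global odb_tde_ring us-east4 2>/dev/null; then
  echo "rejected: location mismatch"
fi
```

The script only prints the command, so it can be reviewed or logged before anyone runs it with real credentials.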
