Protect Exadata Database

Learn about various data protection methods available for Oracle Exadata Database Service on Dedicated Infrastructure on Oracle Database@Google Cloud.

Data in Transit Encryption

Oracle Exadata Database Service on Dedicated Infrastructure encrypts data in transit by default. This ensures that data moving between applications and the database is protected from unauthorized interception or tampering. Oracle Net Services supports several industry-standard encryption algorithms, including AES, DES, 3DES, and RC4, and offers the MD5, SHA-1, and SHA-2 hashing algorithms for verifying data integrity. Only AES and SHA-2 are enabled in the defaults described below; DES, 3DES, RC4, MD5, and SHA-1 are legacy algorithms and should not be added to the configuration.

All communication between clients and the database is encrypted using Oracle Net Services (SQL*Net). Two types of connection services are supported:
  1. TCPS (Secure TCP) Connections
    • Uses TLS 1.2 or TLS 1.3
    • Requires a downloadable connection wallet
    • Authenticates the server and establishes the session's symmetric encryption keys through the TLS handshake, using the certificates in the wallet
    • TLS 1.3 support is available starting with Oracle AI Database 26ai.
  2. TCP Connections with Native Network Encryption
    • Uses Oracle's built-in encryption protocol
    • Negotiates encryption during connection (AES-256, AES-192, AES-128)
    • No wallet needed, but connection details (e.g., tnsnames.ora) must be known
By default, Oracle Exadata Database Service on Dedicated Infrastructure is configured to enable native Oracle Net Services encryption and integrity, and Oracle Net Services clients are configured to enable native encryption and integrity when connecting to an appropriately configured server. Note that the server-side defaults below use requested and accepted rather than required. Under the Oracle Net negotiation rules, a client that is explicitly configured to reject native encryption or integrity is therefore not refused; it connects without that service. Likewise, a client left at its default of accepted negotiates encryption but not integrity checksumming, because accepted on both sides leaves a service off. To make a database refuse unprotected connections, set ENCRYPTION_SERVER and CRYPTO_CHECKSUM_SERVER to required, or require both services in the client sqlnet.ora.

Native SQL*Net encryption is enabled for all network connections. The following sqlnet.ora parameters are set by default in Oracle Exadata Database Service on Dedicated Infrastructure.
  • ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
  • ENCRYPTION_SERVER = requested
  • CRYPTO_CHECKSUM_SERVER = accepted
  • CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)
The TCPS protocol is offered for network connections to the database on port 2484, with the wallet configured at /var/opt/oracle/dbaas_acfs/grid/tcps_wallets. The following sqlnet.ora parameter is set by default in Oracle Exadata Database Service on Dedicated Infrastructure. All four suites use ephemeral ECDHE key exchange (forward secrecy) and AES-GCM authenticated encryption.
  • SSL_CIPHER_SUITES = (SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
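The following is an added example, not code from Oracle or from this page. It applies the Oracle Net encryption and integrity negotiation rules (accepted / rejected / requested / required, as documented in the Oracle Database Security Guide) to the native encryption server defaults listed above, and works out what a given client sqlnet.ora will actually get. The client configurations at the bottom are constructed for the example; the assumption that the server's preference order decides among the common algorithms is marked in the code.

```python
# Added example (not Oracle's code): apply the Oracle Net native encryption and
# integrity negotiation rules to the ExaDB-D server defaults quoted above, so
# you can see what a given client sqlnet.ora actually gets.
from dataclasses import dataclass

# Server-side defaults quoted on this page (sqlnet.ora on the database host).
SERVER_ENCRYPTION = "requested"
SERVER_ENCRYPTION_TYPES = ("AES256", "AES192", "AES128")
SERVER_CHECKSUM = "accepted"
SERVER_CHECKSUM_TYPES = ("SHA256", "SHA384", "SHA512")

LEVELS = ("accepted", "rejected", "requested", "required")


def negotiate(server: str, client: str) -> str:
    """Outcome for one service (encryption or integrity): 'on', 'off' or 'fail'.

    REQUIRED vs REJECTED fails the connection; any other pairing that includes
    REJECTED, and ACCEPTED vs ACCEPTED, leaves the service off; everything
    else (at least one REQUESTED/REQUIRED, no REJECTED) turns it on.
    """
    s, c = server.strip().lower(), client.strip().lower()
    if s not in LEVELS or c not in LEVELS:
        raise ValueError(f"unknown negotiation level: {server!r}/{client!r}")
    if "rejected" in (s, c):
        return "fail" if "required" in (s, c) else "off"
    if s == c == "accepted":
        return "off"
    return "on"


def pick_algorithm(server_types, client_types):
    """First algorithm in the server's list that the client also offers.

    An empty client list means the client accepts every algorithm it supports
    (the Oracle client default). Assumption made in this example: the server's
    preference order decides among the common algorithms.
    """
    if not client_types:
        return server_types[0]
    offered = {a.upper() for a in client_types}
    return next((a for a in server_types if a.upper() in offered), None)


@dataclass
class ClientSqlnet:
    """Client-side settings; the defaults match an unconfigured Oracle client."""
    encryption: str = "accepted"
    encryption_types: tuple = ()
    checksum: str = "accepted"
    checksum_types: tuple = ()


def parse_client_sqlnet(text: str) -> ClientSqlnet:
    """Read the four SQLNET.*_CLIENT parameters from sqlnet.ora text."""
    cfg = ClientSqlnet()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.upper().removeprefix("SQLNET.")
        if value.startswith("(") and value.endswith(")"):   # list value
            value = tuple(v.strip() for v in value[1:-1].split(",") if v.strip())
        if key == "ENCRYPTION_CLIENT":
            cfg.encryption = value
        elif key == "ENCRYPTION_TYPES_CLIENT":
            cfg.encryption_types = value
        elif key == "CRYPTO_CHECKSUM_CLIENT":
            cfg.checksum = value
        elif key == "CRYPTO_CHECKSUM_TYPES_CLIENT":
            cfg.checksum_types = value
    return cfg


def connection_outcome(client: ClientSqlnet) -> dict:
    """What a session gets against the page's server defaults."""
    enc = negotiate(SERVER_ENCRYPTION, client.encryption)
    chk = negotiate(SERVER_CHECKSUM, client.checksum)
    out = {"connects": True, "encryption": enc, "integrity": chk,
           "encryption_alg": None, "integrity_alg": None}
    if "fail" in (enc, chk):
        out["connects"] = False
        return out
    if enc == "on":
        out["encryption_alg"] = pick_algorithm(SERVER_ENCRYPTION_TYPES, client.encryption_types)
    if chk == "on":
        out["integrity_alg"] = pick_algorithm(SERVER_CHECKSUM_TYPES, client.checksum_types)
    # A service negotiated on with no algorithm in common also fails the connection.
    if (enc == "on" and out["encryption_alg"] is None) or \
       (chk == "on" and out["integrity_alg"] is None):
        out["connects"] = False
    return out


# Constructed sample client configurations (not from the original page).
DEFAULT_CLIENT = "# empty sqlnet.ora: Oracle client defaults apply\n"
WEAK_CLIENT = "SQLNET.ENCRYPTION_CLIENT = rejected\n"
HARDENED_CLIENT = """\
SQLNET.ENCRYPTION_CLIENT = required
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = required
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA512, SHA384)
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CLIENT), ("weak", WEAK_CLIENT),
                       ("hardened", HARDENED_CLIENT)):
        print(f"{name:9s} {connection_outcome(parse_client_sqlnet(text))}")
```

Against the quoted defaults the "weak" client connects with encryption off, and the unconfigured "default" client gets AES256 encryption but no integrity checksum; only the "hardened" client gets both. To confirm what a live session actually negotiated, run SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV', 'SID'); from that session: the banner lists the encryption and crypto-checksumming adapters in use.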


Encryption at Rest for Oracle Database@Google Cloud

Oracle Database@Google Cloud supports encryption at rest to safeguard sensitive data residing in database files, backups, and configuration files. This protection is provided by Transparent Data Encryption (TDE), which ensures that data is encrypted whenever it is written to persistent storage and transparently decrypted when accessed by authorized Oracle processes; no customer configuration is required. The master encryption key encrypts the tablespace keys, which in turn encrypt the data.

Transparent Data Encryption (TDE)

Encryption at rest is provided through TDE, a feature included in Oracle Advanced Security. TDE automatically encrypts tablespaces, together with the redo and undo generated for the data in them, ensuring that all database data is written to disk in encrypted form and transparently decrypted for authorized users and applications. Because the data blocks are already encrypted, database backups created using Oracle Recovery Manager (RMAN) or the managed backup service keep that protection for every copy stored on persistent media.

Key Management

TDE uses a master encryption key to protect the keys that encrypt your tablespaces and columns. For Oracle Database@Google Cloud, there are two key management options:
  1. Oracle-managed keys: The master encryption key is automatically generated and stored in an Oracle Wallet, which is secured within the database environment. Oracle handles all key lifecycle tasks, including backups and restores.
  2. Customer-managed keys: You can integrate with services like OCI Vault to generate and store the master encryption key outside the database, enabling centralized key control, lifecycle management, rotation, and auditing of key usage events. With customer-managed keys, you control the encryption keys used to protect your data. You can enable customer-managed keys when creating databases, switch from Oracle-managed to customer-managed keys, and rotate keys to meet security and compliance requirements.
Oracle Exadata Database Service on Dedicated Infrastructure on Oracle Database@Google Cloud offers the following data at rest encryption methods:
  1. Oracle-managed Key (OMK)
    • Oracle Wallet
  2. Customer-managed Key (CMK)
    • OCI Vault
    • Oracle Key Vault (OKV)
    • Google Cloud Key Management Service (Cloud KMS)
  • Oracle-managed Key (OMK) is the default method for securing data encryption in Oracle Database@Google Cloud. In Oracle Database, data encryption at rest is powered by TDE. When you choose OMK, the database system automatically handles all key management, including key generation, secure storage, and rotation required by TDE. There are no prerequisites or additional configuration steps required to use Oracle-managed Key on Oracle Database@Google Cloud.

    View Encryption Details

    1. From the Oracle Database@Google Cloud console, select Dedicated Infrastructure, and then select the name of your Exadata VM Cluster.
    2. Select the Manage in OCI button, which redirects you to the OCI console.
    3. In the OCI console, select the Databases tab, and then select the database whose key management you want to check.
    4. From the Database information tab, navigate to the Encryption section to view the Key management details. By default, the Key management is set to Oracle Wallet.
  • OCI Vault and Oracle Key Vault (OKV): there is currently no content for these two methods on this page. The Oracle Database@Google Cloud team intends to add it, and this placeholder is provided until that text is added. Watch this page for updates.

  • Oracle Exadata Database Service on Dedicated Infrastructure now supports integration with Google Cloud's Key Management Service (KMS). This capability allows you to manage Transparent Data Encryption (TDE) master encryption keys (MEKs) using GCP Customer-Managed Keys (CMKs).

    For Oracle Exadata Database Service on Dedicated Infrastructure, TDE master encryption keys can be stored in a file-based Oracle Wallet, Oracle Cloud Infrastructure (OCI) Vault, Oracle Key Vault (OKV), or Google Cloud KMS, providing options to align with organization-specific security policies. Integration with Google Cloud KMS enables applications, Google services, and databases on Exadata VM Clusters to use a single centralized key management solution.

    To configure Google Cloud KMS to encrypt your database, complete the following steps:

    1. Create an Exadata VM Cluster

      See Exadata VM Cluster for step-by-step instructions.

    2. Review the Identity Connector State
      1. From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
      2. From the left menu, select Exadata VM Clusters, and then select the name of the Exadata VM Cluster.
      3. Select the VM Cluster information tab, scroll down to the Multicloud Information section. Confirm that the Identity connector field is populated.
      4. Select the Identity connector name, confirm the status is Active.
    3. Create an IAM Policy for Accessing GCP Key Resources

      The database uses the cluster resource principal to securely retrieve GCP key resources. To enable this functionality, you must define the appropriate IAM policies in your OCI tenancy.

      To create the IAM Policy follow the steps below:

      1. From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
      2. From the left menu, select Exadata VM Clusters, and then select the name of the Exadata VM Cluster.
      3. Select the VM Cluster information tab, scroll down to the General information section, and take a note of the VM Cluster compartment.
      4. From the Navigation menu , select Identity & Security, and then select Compartments.
      5. Select the compartment that you noted in step 3c and take a note of the compartment OCID.
      6. From the Navigation menu, select Identity & Security, and then select Policies. Select the Create Policy button and then complete the substeps:
        1. Enter a policy Name.
        2. Select the root compartment.
        3. Select the show manual editor button, and copy and paste the following policy.
          Allow any-user to read oracle-db-gcp-keys in compartment id <your-compartment-OCID> where all { request.principal.type = 'cloudvmcluster'}

          Replace the <your-compartment-OCID> with the compartment OCID copied in the step 3e.

        4. Select the Create button.

        This policy grants read-only access to Google Cloud key resources for the VM cluster resource principal.

      Note

      Google Cloud VPCs typically include default routes to the services listed below. Ensure that no firewall egress rules block access to these endpoints.
      • https://iamcredentials.googleapis.com/
      • https://sts.googleapis.com/
      • https://cloudkms.googleapis.com/
    4. Create a Key Ring in Google Cloud KMS

      See Create Key Ring in Google Cloud KMS in the CMK - Cloud KMS tab for step-by-step instructions.

    5. Create a Key in Google Cloud KMS
      1. From the Google Cloud Console, select Key Management.
      2. From the Key rings list, select the key ring name created in the previous step.
      3. Select the + Create key button.
      4. In the Create key page, enter the following information:
        1. Key name: Enter a descriptive name for your key. Names can only contain letters, numbers, underscores (_), and hyphens (-)
        2. Protection level: Choose either the Software or HSM (Hardware Security Module) option.
          Note

          The protection level of a key can't be changed after the key is created. For more information, see Protection levels.
        3. Select the Continue button.
        4. Key material: Select Generated key or Imported key, and then select the Continue button.
          Note

          Generate key material in Cloud KMS or import key material that is maintained outside of Google Cloud. For more information, see Customer-managed keys (CMK).
        5. Purpose and Algorithm: Select Raw encryption/decryption as the Purpose, and 256 bit AES-256-CBC key as the Algorithm.
          Note

          You must select AES-256-CBC as the Algorithm Type. Otherwise, the key will not appear during the database creation or modification process.
        6. Versions: Based on your requirements, select your Key rotation period and Starting on. Select the Continue button.
        7. Additional settings: This section is optional. By default, Duration of 'scheduled destruction' state is set to 30 days.
      5. Select the Create button to create the key.
      Note

      Cross-region Data Guard and restoring databases to a different region are currently not supported for databases that use Google Cloud KMS as customer-managed keys for key management.
    6. Create a Google Cloud Role with the Required Permissions
      1. From the Google Cloud console, select Roles.
      2. Select the Create Role button.
      3. Provide a Title, Description, ID, and Role launch stage for the role, and then select the Add Permissions button.
      4. Select the permissions you want to include in the role and select the Add Permissions button. Use the All Services and All Types dropdown lists to filter and select permissions by services and types.
      5. Select the Create button.
      Note

      To allow a key to be discoverable in OCI, you must assign the necessary permission to the principal and use a custom role to achieve this.

      Minimum Required Permissions:

      • cloudkms.cryptoKeyVersions.get

        Allows retrieval of metadata for a specific key version.

      • cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

        Enables management of raw AES-CBC key material (import, rotation, etc.).

      • cloudkms.cryptoKeyVersions.create

        Allows creation of new key versions within a key.

      • cloudkms.cryptoKeyVersions.list

        Lists all versions of a given key.

      • cloudkms.cryptoKeyVersions.useToDecrypt

        Grants permission to use a key version for decrypting data.

      • cloudkms.cryptoKeyVersions.useToEncrypt

        Grants permission to use a key version for encrypting data.

      • cloudkms.cryptoKeys.get

        Allows retrieval of metadata for a key.

      • cloudkms.cryptoKeys.list

        Lists all keys within a key ring.

      • cloudkms.keyRings.get

        Allows retrieval of metadata for a key ring.

      • cloudkms.locations.get

        Retrieves information about supported key locations.

      • cloudkms.keyRings.list

        Allows listing all key rings within a project.

      These permissions enable OCI to:
      • Discover KMS resources like key rings and keys.
      • Access metadata about keys and their versions.
      • Use the keys for cryptographic operations (encryption/decryption).
      • Create key versions.
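The following is an added example, not code from Oracle or Google. It checks a Google Cloud custom role against the minimum permission set listed above and flags permissions that the VM cluster's service account should not hold on the key ring. The input format is the YAML printed by gcloud iam roles describe ROLE --project PROJECT; the role text embedded below, the project and role names in it, and the high-risk denylist are all this example's own constructions, not requirements stated by Oracle.

```python
# Added example (not Oracle's or Google's code): compare a Google Cloud custom
# role against the minimum Cloud KMS permission set listed above, and flag
# permissions a database-side principal should not hold.

# The minimum set from the documentation above.
REQUIRED_PERMISSIONS = frozenset({
    "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.manageRawAesCbcKeys",
    "cloudkms.cryptoKeyVersions.create",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.locations.get",
    "cloudkms.keyRings.list",
})

# Denylist chosen for this example (not an Oracle requirement): these let the
# holder destroy, restore or disable key versions, or rewrite the IAM policy on
# the keys, none of which the VM cluster principal needs for TDE.
HIGH_RISK_PERMISSIONS = frozenset({
    "cloudkms.cryptoKeyVersions.destroy",
    "cloudkms.cryptoKeyVersions.restore",
    "cloudkms.cryptoKeyVersions.update",
    "cloudkms.cryptoKeys.update",
    "cloudkms.cryptoKeys.setIamPolicy",
    "cloudkms.keyRings.setIamPolicy",
})


def parse_role_description(text: str):
    """Extract (name, permissions) from the flat YAML `gcloud iam roles describe` prints."""
    name, perms, in_list = None, [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if in_list and line.lstrip().startswith("- "):
            perms.append(line.lstrip()[2:].strip())
            continue
        in_list = False
        if line.startswith("includedPermissions:"):
            in_list = True
        elif line.startswith("name:"):
            name = line.split(":", 1)[1].strip()
    return name, frozenset(perms)


def check_role(permissions) -> dict:
    """Report what is missing from the minimum set, what is high-risk, and what is merely extra."""
    missing = sorted(REQUIRED_PERMISSIONS - permissions)
    risky = sorted(HIGH_RISK_PERMISSIONS & permissions)
    extra = sorted(permissions - REQUIRED_PERMISSIONS - HIGH_RISK_PERMISSIONS)
    return {"ok": not missing and not risky, "missing": missing, "risky": risky, "extra": extra}


# Constructed sample in the shape of `gcloud iam roles describe` output.
SAMPLE_ROLE = """\
description: TDE key access for ExaDB-D VM clusters (constructed sample)
etag: BwYXlqXk2tA=
includedPermissions:
- cloudkms.cryptoKeyVersions.create
- cloudkms.cryptoKeyVersions.destroy
- cloudkms.cryptoKeyVersions.get
- cloudkms.cryptoKeyVersions.list
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeys.get
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.get
- cloudkms.keyRings.list
- cloudkms.locations.get
- cloudkms.locations.list
name: projects/example-project/roles/oracleTdeKeyAccess
stage: GA
title: Oracle TDE key access
"""

if __name__ == "__main__":
    role_name, perms = parse_role_description(SAMPLE_ROLE)
    print(role_name, check_role(perms))
```

For a real role, save the output of gcloud iam roles describe ROLE --project PROJECT to a file and pass its contents to parse_role_description. The sample role above fails the check for two independent reasons: it lacks cloudkms.cryptoKeyVersions.manageRawAesCbcKeys, so the key would not be discoverable from OCI, and it carries cloudkms.cryptoKeyVersions.destroy, which a database principal bound on the whole key ring (step 8) should never hold.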
    7. Identify the Principal Associated with VM Cluster Service Account
      1. From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
      2. From the left menu, select Exadata VM Clusters, and then select the name of the Exadata VM Cluster.
      3. Select the VM Cluster information tab, scroll down to the Multicloud Information section, confirm that the Identity connector field displays the identity connector attached to this VM cluster.
      4. Select the Identity connector name to review the Identity connector information.
      5. Navigate to the GCP information section to view the Service account information, and take a note of the service account.
    8. Grant Permissions in Google Cloud KMS for Key Discovery in OCI
      1. From the Google Cloud console, select Key management, then select the check box of the key ring that contains the key you want to make discoverable.
      2. Select the Add Principal button.
      3. Paste the Service account information that you previously copied in the step 7e, and then assign the custom role that you created in the step 6.
      4. Select the Save button.
      5. From the Google Cloud console, select Key management.
      6. Select the name of the key ring that contains the key that you want to use, then select the name of the key that you want to use.
      7. Navigate to the Permissions tab, then select the Grant access button.
        1. In the Add principal field, enter the principal value found in previous steps.
        2. In the Assign Roles section, assign the custom role created in the previous step.
      8. Select the Save button.
    9. Register GCP Key Ring in OCI

      To enable Google Cloud KMS for your Exadata VM Cluster, you must first register the Google Cloud key ring in the OCI console.

      1. From the OCI console, select Oracle AI Database, and then select Database Multicloud Integrations.
      2. The Database Multicloud Integrations page opens.
      3. From the left menu, select the Previous button to navigate to Google Cloud Integration, and then select GCP Key Rings.
      4. Select the Register GCP key rings button, and then complete the following substeps:
        1. From the dropdown list, select the Compartment in which your Exadata VM Cluster resides.
        2. Select your identity connector from the dropdown list.
        3. The Key Ring Name field is optional.
        4. Select the Discover button.
      5. Once the key ring is discovered, select the Register button to register it in OCI.
      Note

      Only key rings can be registered, not individual keys. All supported keys associated with a registered key ring will be available, provided the required permissions are in place.
    10. Enable Google Cloud Key Management
      Note

      When you provision an Exadata VM Cluster, GCP Customer Managed Key is disabled by default.
      1. From the OCI console, select Oracle AI Database and then select Oracle Exadata Database Service on Dedicated Infrastructure.
      2. From the left menu, select Exadata VM Clusters, and then select your Exadata VM Cluster.
      3. Select the VM Cluster information tab, and select the Enable button next to GCP Customer Managed Key. A confirmation message is displayed; select the Enable button to confirm.
      Note

      If you do not want to use GCP Customer Managed Key, you can disable it by selecting the Disable button. This action disables GCP Customer Managed Key at the VM Cluster level and will affect the availability of any database that uses it. Ensure that no database is currently using GCP Customer Managed Key before disabling.
    11. Create a Database and Use GCP Customer-Managed Key (CMK) as the Key Management Solution
      1. Complete the steps described in the Exadata Database documentation to create an Exadata database.
      2. Navigate to the Encryption section which provides two options. These options include Oracle Wallet and GCP Customer Managed Encryption Key.
      3. Select the GCP Customer Managed Encryption Key option as the key management. Select the Compartment and the Key Ring from the dropdown lists, then select the Key from the dropdown list.
      4. Review your information, and then select the Create button.
    12. Modify the Key Management from Oracle Wallet to GCP Customer Managed Key (CMK)

      To update key management from Oracle Wallet to GCP Customer Managed Key, complete the following steps:

      1. From your Exadata VM Clusters, navigate to Databases tab, and then select the database that you are using.
      2. From the Encryption section, confirm that Key management is set to Oracle Wallet, and then select the Change button.
      3. From the Change key management page, enter the following information.
        1. Select your Key management as GCP Customer Managed Encryption Key from the dropdown list.
        2. Select the key compartment you are using, and select your key ring from the dropdown list, then select the key from the dropdown list.
        3. Select the Save changes button.

    GCP Customer Managed Key allows you to rotate the key at both Container Database (CDB) and Pluggable Database (PDB) levels to meet your security compliance requirements. Complete the following steps to rotate the key:

    Rotate the GCP Customer Managed Key of a Container Database (CDB)

    1. From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
    2. From the left menu, select Exadata VM Clusters, and then select the Exadata VM Cluster for which you want to rotate encryption keys.
    3. Select the Databases tab, and then select the name of the database that you want to rotate encryption keys.
    4. From the Encryption section, verify that the Key Management is set to GCP Customer Managed Encryption Key, and then select the Rotate button.
    5. Select the Confirm button to save the changes.

    Rotate the GCP Customer Managed Key of a Pluggable Database (PDB)

    1. From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
    2. Select your Exadata VM Cluster, and then select Databases tab.
    3. Select the name of the database you are using, then select the Pluggable Databases link under the Resources section.
    4. Select the Name field of the Pluggable Database you want to use.
    5. The Encryption section displays that the Key Management is set as GCP Customer Managed Encryption Key. Select the Rotate button, and then select the Confirm button to save the changes.