Protect Exascale Database
Learn about various data protection methods available for Oracle Exadata Database Service on Exascale Infrastructure on Oracle AI Database@Google Cloud.
Data in Transit Encryption
Oracle Exadata Database Service on Exascale Infrastructure is protected with encryption of data in transit by default. This ensures that data moving between the application and the database is secured from unauthorized interception or tampering. Oracle Net Services supports multiple industry-standard encryption algorithms including AES, DES, 3DES, and RC4 for securing data in transit. It also offers MD5, SHA-1, and SHA-2 hashing algorithms to verify data integrity.
- TCPS (Secure TCP) Connections
  - Uses TLS 1.2 or TLS 1.3
  - Requires a downloadable connection wallet
  - Ensures symmetric encryption via secure handshake using the wallet
  - TLS 1.3 support is available starting with Oracle AI Database 26ai.
- TCP Connections with Native Network Encryption
  - Uses Oracle’s built-in encryption protocol
  - Negotiates encryption during connection (AES-256, AES-192, AES-128)
  - No wallet needed, but connection details (e.g., tnsnames.ora) must be known
The following sqlnet.ora parameters are set by default in Oracle Exadata Database Service on Exascale Infrastructure.
- ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
- ENCRYPTION_SERVER = requested
- CRYPTO_CHECKSUM_SERVER = accepted
- CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)
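What these server defaults mean once a client connects, as an added example (not Oracle's code): it applies the native network encryption negotiation rules from the Oracle Net Services documentation to a sqlnet.ora fragment and lists the client settings under which a session proceeds without encryption or checksumming. The function names and the sample text are constructed for illustration.

```python
import re

# The four values a side can set for a native network encryption service.
LEVELS = ("rejected", "accepted", "requested", "required")

def negotiate(server, client):
    """Return 'on', 'off' or 'fail' for one security service."""
    s, c = server.lower(), client.lower()
    if s not in LEVELS or c not in LEVELS:
        raise ValueError(f"unknown setting: {server!r}/{client!r}")
    if "rejected" in (s, c):
        # One side refuses the service: fatal only if the other requires it.
        return "fail" if "required" in (s, c) else "off"
    if s == c == "accepted":
        return "off"  # neither side asks for the service
    return "on"       # assumes both sides share at least one algorithm

def parse_sqlnet(text):
    """Parse simple NAME = value lines of a sqlnet.ora into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?:SQLNET\.)?(\w+)\s*=\s*(.+)$", line, re.I)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def audit(text):
    """List (service, server, client) cases where the service stays off."""
    p = parse_sqlnet(text)
    findings = []
    for service, key in (("encryption", "ENCRYPTION_SERVER"),
                         ("checksum", "CRYPTO_CHECKSUM_SERVER")):
        server = p.get(key, "accepted")  # Oracle's default when unset
        for client in LEVELS:
            if negotiate(server, client) == "off":
                findings.append((service, server.lower(), client))
    return findings

# Constructed sample: the server defaults listed on this page.
PAGE_DEFAULTS = """
ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
ENCRYPTION_SERVER = requested
CRYPTO_CHECKSUM_SERVER = accepted
CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)
"""

if __name__ == "__main__":
    for service, server, client in audit(PAGE_DEFAULTS):
        print(f"{service}: server={server}, client={client} -> not enabled")
```

With both server parameters set to required, no client setting yields an unprotected session; a client that rejects the service fails to connect instead.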
/var/opt/oracle/dbaas_acfs/grid/tcps_wallets. The following sqlnet.ora parameters are set by default in Oracle Exadata Database Service on Exascale Infrastructure.
- SSL_CIPHER_SUITES = (SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

Encryption at Rest for Oracle AI Database@Google Cloud
Oracle AI Database@Google Cloud supports encryption at rest to safeguard sensitive data residing in database files, backups, and configuration files. This protection is enabled by Transparent Data Encryption (TDE), which ensures that data is encrypted whenever it is written to persistent storage and transparently decrypted when accessed by authorized Oracle processes. No customer configuration is required. The master key encrypts tablespace keys, which in turn encrypt the data.
Transparent Data Encryption (TDE)
Encryption at rest is provided through TDE, a feature included in Oracle Advanced Security. TDE automatically encrypts tablespaces, redo logs, and undo logs, ensuring that all database data is written to disk in encrypted form and transparently decrypted for authorized users and applications. Database backups created using Oracle Recovery Manager (RMAN) or managed backup solutions adopt these encryption settings, protecting all database copies stored on persistent media.
Key Management
- Oracle-managed keys: The master encryption key is automatically generated and stored in an Oracle Wallet, which is secured within the database environment. Oracle handles all key lifecycle tasks, including backups and restores.
- Customer-managed keys: You can integrate Oracle Exadata Database Service on Exascale Infrastructure with services like OCI Vault to generate and store the master encryption key outside the database, enabling centralized key control, lifecycle management, rotation, and auditing of key usage events. With customer-managed keys, you control the encryption keys used to protect your data. You can enable customer-managed keys when creating databases, switch from Oracle-managed to customer-managed keys, and rotate keys to meet security and compliance requirements.
- Oracle-managed Key (OMK)
  - Oracle Wallet
- Customer-managed Key (CMK)
  - OCI Vault
  - Oracle Key Vault (OKV)
  - Google Cloud Key Management Service (Cloud KMS)
Oracle-managed Key (OMK) is the default method for securing data encryption in Oracle AI Database@Google Cloud. In Oracle AI Database, data encryption at rest is powered by TDE. When you choose OMK, the database system automatically handles all key management, including key generation, secure storage, and rotation required by TDE. There are no prerequisites or additional configuration steps required to use Oracle-managed Key on Oracle AI Database@Google Cloud.
View Encryption Details
- From the Oracle AI Database@Google Cloud console, select Oracle Exadata Database Service on Exascale Infrastructure.
- From the left menu, select VM Clusters, and then select the name of your Exascale VM Cluster.
- Select the Manage in OCI button, which redirects you to the OCI console.
- In the OCI console, select the Container databases tab, and then select the database whose key management you want to check.
- From the Database information tab, navigate to the Encryption section to view the Encryption key details. By default, the Encryption key is set to Oracle-managed key.

Oracle Exadata Database Service on Exascale Infrastructure in Oracle AI Database@Google Cloud integrates with OCI Vault to provide data encryption using a customer-managed key (CMK). This integration centralizes key storage and management, significantly simplifying your overall key lifecycle.
- Create an Oracle Cloud Infrastructure Vault (OCI Vault)
For more information, see Create an Oracle Cloud Infrastructure Vault.
- Create a Master Encryption Key in the Vault
For more information, see Create a Master Encryption Key in the Vault.
- Create an OCI Dynamic Group
- From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Exascale Infrastructure.
- From the left menu, select VM Clusters, and then select the name of the Exascale VM Cluster.
- Select the VM Cluster information tab, and then scroll down to the General information section. Take note of your Exascale VM Cluster Compartment information.

- From the navigation menu, select Identity & Security, and then select Compartments.
- From the Compartments list, navigate to the compartment that you previously created and copy the OCID information.

- From the navigation menu, select Identity & Security, and then select Domains.
- From the Applied filters section, select the Root Compartment and then choose the name of your domain.

- Select the Dynamic groups tab, and then select the Create dynamic group button.
- Name: Enter a descriptive name for the group.
- Description: Provide a brief description of the dynamic group’s purpose.
- Matching Rules: Enter the following statement, replacing <your_Compartment_OCID> with the compartment OCID you noted in the previous step:
  ALL {resource.compartment.id = '<your_Compartment_OCID>'}
- Review your information, and then select the Create button.

- Create an OCI Policy
- From the navigation menu, select Identity & Security, and then select Policies.
- In the Applied Filter section, select the Root Compartment, and then select the Create Policy button.
- Name: Enter a descriptive name for the group.
- Description: Provide a brief description of the dynamic group’s purpose.
- Enable the Show manual editor button, and then enter the following statements. Replace <dynamic-group-name> with the name of the dynamic group created in the previous step, and <your_Compartment_OCID> with your specific compartment OCID:
  Allow dynamic-group <dynamic-group-name> to manage vaults in compartment id <your_Compartment_OCID>
  Allow dynamic-group <dynamic-group-name> to manage keys in compartment id <your_Compartment_OCID>
- Review your information and then select the Create button.

- Create a Database and Use OCI Vault as the Key Management Solution
- Create an Exascale VM Cluster and Exascale Database. See Exascale VM Cluster and Exascale Database for step-by-step instructions.
- Expand the Advanced Options section. Within the Encryption section, select the Use customer-managed keys option. When the confirmation message appears, select the Yes, enable customer-managed keys button to proceed.

- Select the Compartment where you created your OCI Vault, and then select OCI Vault from the dropdown list.
- Select the Compartment where you created the OCI key, then select the Key from the dropdown list.
- Review your information and then select the Create button.

- Modify the Key Management from Oracle Wallet to OCI Vault
To update key management from Oracle Wallet to OCI Vault, complete the following steps:
- From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Exascale Infrastructure.
- From the left menu, select VM Clusters, and then select your Exascale VM Cluster that you wish to modify.
- From your VM cluster information, navigate to the Container databases tab, and then select the name field of the database you wish to modify.
- From the Encryption section, confirm that Key management is set to Oracle-managed key, and then select the Change button.
- From the Change key management page, enter the following information:
- Select your Key management as OCI Vault from the dropdown list.
- Select the Compartment where you created your OCI Vault, and then select the OCI Vault from the Vault dropdown list.
- Select the Compartment where you created your OCI key, and then select the OCI key from the Master encryption key dropdown list.
- Select the Save changes button.

- Verify the Database Encryption Method
- From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Exascale Infrastructure.
- From the left menu, select VM Clusters, and then select your Exascale VM Cluster that you wish to modify.
- Select the Container databases tab, and then select the name of the database that you wish to validate.
- Scroll down to the Encryption section. In this section, you can confirm that Encryption Key is set to Customer-managed key and view the Encryption Key OCID of the OCI key in use.

Rotate the OCI Vault Key for a Container Database (CDB)
- From the OCI console, select Oracle AI Database, and then select Oracle Exadata Database Service on Exascale Infrastructure.
- From the left menu, select VM Clusters, and then select the Exascale VM Cluster whose encryption keys you want to rotate.
- Select the Container databases tab, and then select the name of the database whose encryption keys you want to rotate.
- From the Encryption section, verify that the Encryption Key is set to Customer-managed key.
- Select the Action menu (three dots), and then select the Rotate option.
- Select the Confirm button to save the changes.

Oracle Exadata Database Service on Exascale Infrastructure integration with Google Cloud Key Management Service (KMS) is currently not supported. Once this capability becomes available, the Oracle AI Database@Google Cloud team will update this section with the guidance.