Manage Encryption Keys

Oracle Base Database encrypts data stored in tables and tablespaces using Transparent Data Encryption (TDE). This article provides details about encryption and encryption keys.

Required IAM Policy

If you want to use your own encryption keys to encrypt a database, then you must create a dynamic group and assign specific policies to the group for customer-managed encryption keys. See Managing Dynamic Groups and Let security admins manage vaults, keys, and secrets topic in Common Policies.

General Information

Transparent Data Encryption
The Base Database uses TDE to encrypt and decrypt all user-created tablespaces.
Encryption Keys
You can choose to encrypt the database using your own encryption keys ("customer-managed keys") or use Oracle-managed keys. By default, Base Database uses Oracle-managed keys. The customer-managed key is stored in the OCI Vault, which is external to the database host.
OCI Vault Key
In the OCI Vault, the Encryption keys are logical entities that contain one or more key versions that are used for encryption and decryption. These key versions can be auto-generated by OCI Vault or imported from an external source (Bring-Your-Own-Key).

For more information, see Introduction to Transparent Data Encryption and OCI Vault Key Management.

Note

Currently, this feature is available on the OCI Console and API. Support for this feature on OCI CLI, SDK, and Terraform will be released soon.

Rotate Encryption Key

The rotate key operation generates a new key version for the same key.

You can perform any number of key rotations. Periodically rotating keys limits the amount of data encrypted or signed by one key version. The history of retired keys is also maintained, which enables you to rotate the key and still be able to decrypt data that was encrypted by an earlier key.

The rotate key at CDB and PDB levels works independently of each other. The rotate key operation on a CDB will not rotate keys in the PDBs. Similarly, rotating keys in one PDB will not rotate keys in other PDBs or its CDB.

The database will stop and restart during the rotate key operation.

To ensure using the latest version, rotate keys from the Database Details page on the Console instead of the Vault service's Console page.

Assign Key Version

You can create and assign new key versions for both CDB and PDB. Only the key version can be changed; the key cannot be changed.

Change Key Management

You can switch from Oracle-managed keys to customer-managed keys on existing databases. However, switching from customer-managed keys to Oracle-managed keys is not supported.

When a key is changed for CDB, it is also automatically applied to PDB. The key of a PDB cannot be changed independently. The PDB will always use the same key as that of the CDB, but they can use the same or a different key version.

When switching to customer-managed keys, the CDB and all its PDBs must be open, and all tablespaces must be in read/write mode.

Create a DB System

While creating a new DB system, a key will be assigned to both the CDB and PDB.

The key version, if provided, will only be used for the CDB and not for its PDB. The PDB will be assigned an automatically generated new key version. Specific key versions cannot be assigned to the PDBs during creation.

The PDB will always use the same key as the CDB, but with the same or a different key version.

You can specify any key version, including the latest version of the selected key.

By default, the database is configured using Oracle-managed keys. However, you can choose to configure it using customer-managed keys.

Clone, Remote Clone, and Relocate PDB

The cloned database will use the same key version as the source database when cloning a DB system that uses customer-managed encryption keys.

The source and target databases must use the same key but can have a different key version. The remote cloning or relocating operation fails if the source and target databases use different keys.

The keys are rotated in the target key vault after remote cloning and relocation operations.So new key versions will be generated for the remote cloned or relocated PDB in the target database.