For your Oracle Databases located in the DB systems, you can choose to encrypt the database using your own encryption keys ("customer-managed keys"), or use Oracle-managed encryption keys.
You can perform the following actions.
- Enable customer-managed keys when you create DB systems that use Oracle Database 19.13 or later.
- Rotate your keys to maintain security compliance and, in cases of personnel changes, to disable access to a database.
- Switch from Oracle-managed keys to customer-managed keys on existing databases.
When switching to customer-managed keys, a database (CDB) and its pluggable databases (PDB) must be open, and all tablespaces must be in Read/Write mode.
- Switching from customer-managed keys to Oracle-managed keys is not supported.
Customer-managed keys are stored and managed using the OCI Vault service. Encryption keys are administered at the database (CDB) level in the DB system. This option offers secure key storage using isolated partitions (and also offers a lower-cost shared partition option) in FIPS 140-2 Level 3-certified hardware security modules, and integration with select OCI services. Use customer-managed keys when you need security governance, regulatory compliance, and homogenous encryption of data, while centrally managing, storing, and monitoring the life cycle of the keys you use to protect your data. For more information, see Overview of Vault.
- The encryption key you use must be AES-256.
- To ensure that the database uses the most current versions of the Vault encryption key, rotate the key from the Database Details page on the Console. Do not use the Vault service's Console pages to rotate your Database keys.
- When cloning a DB system that uses customer-managed encryption keys, the cloned database will be configured to use the same key version as the source database.
For more information, see Clone a DB System.
Required IAM Policy
If you want to use your own encryption keys to encrypt a database, then you must create a dynamic group and assign specific policies to the group for customer-managed encryption keys. See Managing Dynamic Groups and Let security admins manage vaults, keys, and secrets topic in Common Policies.
Compatibility with Oracle Data Guard
To enable Data Guard on DB system databases that use customer-managed keys, the primary and standby databases must be in the same region.
For more information on:
- regions and availability domains, see Regions and Availability Domains.
- configuring customer-managed keys when provisioning a DB system, see Create a DB System Using the Console.
- switching your encryption from Oracle-managed keys to customer-managed keys, and for information on rotating a customer-managed key, see Administer Vault Encryption Keys below.
Administer Vault Encryption Keys
This topic explains how to switch database encryption keys from Oracle-managed to customer-managed keys, and how to rotate a customer managed key.
- To ensure that your database uses the most current version of the Vault encryption key, rotate the key from the Database Details page on the Console. Do not use the Vault service's Console to perform this operation.
- You can rotate Vault encryption keys only on databases that are configured with customer-managed keys.
- You can change encryption key management from Oracle-managed keys to customer-managed keys but you cannot change from customer-managed keys to Oracle-managed keys.
- When switching to customer-managed keys, a database (CDB) and its pluggable databases (PDB) must be open, and all tablespaces must be in Read/Write mode.
- Customer-managed keys are supported in DB systems that use Oracle Database 19.13 or later.
- Open the navigation menu. Select Oracle Database, then select Oracle Base Database.
- Select your Compartment. A list of DB systems is displayed.
- In the list of DB systems, click the name of the DB system with the database you want to administer.
- The details of the DB system followed by a list of databases are displayed.
- In the list of databases, click the name of the database for which you want to change encryption management or to rotate a key.
- On the Database details page, click More actions.
- Click Administer encryption key.
- To rotate an encryption key on a database using customer-managed keys:
- Click Rotate encryption key to display a confirmation dialog.
- Click Rotate key.
- To change key management type from Oracle-managed keys to customer-managed keys:
- Click Change key management type.
- Select Use customer-managed keys. - You must have a valid encryption key in OCI Vault service and provide the information in the subsequent steps. See Key and Secret Management Concepts topic in Overview of Vault.
- Choose a vault from the Vault in compartment drop-down. You can change the compartment by clicking the Change compartment link.
- Select an encryption key from the Master encryption key in compartment drop-down. You can change the compartment containing the encryption key you want to use by clicking the Change compartment link.
- If you want to use an encryption key that you import into your vault, then select Choose the key version and enter the OCID of the key you want to use in the Key version OCID field.
- The key version will only be assigned to the CDB and not to its PDB. The PDB will be assigned an automatically generated new key version.
- Changing key management causes the database to become briefly unavailable.
- After changing key management to customer-managed keys, do not delete the encryption key from the vault as this can cause the database to become unavailable.
- Click Apply.
On the Database Details page for this database, the Encryption section displays the encryption key name and the encryption key OCID.