Database Encryption Keys

For your Oracle Databases located in virtual machine DB systems, you can choose to encrypt the database using your own encryption keys ("customer-managed keys"), or use Oracle-managed encryption keys.

Note

This topic discusses the customer-managed keys option. Customer-managed keys are not supported for bare metal DB systems.

You can perform the following actions.

  • Enable customer-managed keys when you create OCI virtual machine DB system databases that use Oracle Database 19.13 or later.
  • Rotate your keys to maintain security compliance and, in cases of personnel changes, to disable access to a database.
  • Switch from Oracle-managed keys to customer-managed keys on existing databases. Note that when switching to customer-managed keys, a database (CDB) and its pluggable databases (PDBs) must be open, and all tablespaces must be in Read/Write mode. Switching from customer-managed keys to Oracle-managed keys is not supported.

Customer-managed keys are stored and managed using the OCI Vault service. Encryption keys are administered at the database (CDB) level in your DB system. This option offers secure key storage using isolated partitions (and also offers a lower-cost shared partition option) in FIPS 140-2 Level 3-certified hardware security modules, and integration with select OCI services. Use customer-managed keys when you need security governance, regulatory compliance, and homogeneous encryption of data, while centrally managing, storing, and monitoring the life cycle of the keys you use to protect your data. For more information, see Overview of Vault.

Note

  • The encryption key you use must be AES-256.
  • To ensure that your virtual machine database uses the most current versions of the Vault encryption key, rotate the key from the Database Details page on the Console. Do not use the Vault service's Console pages to rotate your Database keys.
  • When cloning a virtual machine DB system that uses customer-managed encryption keys, the cloned database will be configured to use the same key version as the source database. For more information on cloning a virtual machine DB system, see Clone a DB System.

Required IAM Policy

If you want to use your own encryption keys to encrypt a database, then you must create a dynamic group and assign specific policies to the group for customer-managed encryption keys. See Managing Dynamic Groups and the Let security admins manage vaults, keys, and secrets topic in Common Policies.
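As an added illustration, not taken from this page or from Oracle's own documentation, the statements below show the general shape of the configuration described above: a dynamic group whose matching rule selects the DB systems in a compartment, a policy that lets that dynamic group use keys in the compartment holding the vault, and the separate Common Policies statements that let a human administrator group manage the Vault resources. The dynamic group name (DBSystemsCMK), the administrator group name (SecurityAdmins), the compartment names and the <compartment_ocid> placeholder are assumptions; the matching rule's resource.type value is also an assumption. Lines starting with # are explanatory and are not part of the policy syntax. Consult the linked topics for the exact statements Oracle requires.

```text
# Dynamic group matching rule (assumed form; <compartment_ocid> is a placeholder).
# Selects the DB systems in the compartment that contain the databases to be encrypted.
ALL {resource.type = 'dbsystem', resource.compartment.id = '<compartment_ocid>'}

# Policy for the dynamic group: only "use" on keys, and only in the compartment
# that holds the vault, so the DB systems can encrypt and decrypt but not
# delete or otherwise manage the keys.
Allow dynamic-group DBSystemsCMK to use keys in compartment VaultCompartment

# "Let security admins manage vaults, keys, and secrets" (Common Policies):
# full control of Vault resources for the human administrator group.
Allow group SecurityAdmins to manage vaults in tenancy
Allow group SecurityAdmins to manage keys in tenancy
Allow group SecurityAdmins to manage secret-family in tenancy
```

Keeping the dynamic group at "use" and the administrators at "manage" matters because of the caveat later on this page: deleting a customer-managed key from the vault can make the database unavailable, so the identities that run the database should never hold the permission to delete its key.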

Compatibility with Oracle Data Guard

To enable Data Guard on DB system databases that use customer-managed keys, the primary and standby databases must be in the same region. For more information on regions and availability domains, see Regions and Availability Domains.

Note

  • For information on configuring customer-managed keys when provisioning a DB system or a new database, see Create a DB System Using the Console and Create a Database.
  • For information on switching your encryption from Oracle-managed keys to customer-managed keys, and for information on rotating a customer-managed key, see the Administer Vault Encryption Keys section below.

Administer Vault Encryption Keys

This topic explains how to switch database encryption keys from Oracle-managed to customer-managed keys, and how to rotate a customer-managed key.

Note

  • To ensure that your database uses the most current version of the Vault encryption key, rotate the key from the database's Details page on the Oracle Cloud Infrastructure Console. Do not use the Vault service to perform this operation.
  • You can rotate Vault encryption keys only on databases that are configured with customer-managed keys.
  • You can change encryption key management from Oracle-managed keys to customer-managed keys but you cannot change from customer-managed keys to Oracle-managed keys. Note that when switching to customer-managed keys, a database (CDB) and its pluggable databases (PDBs) must be open, and all the tablespaces must be in Read/Write mode.
  • Customer-managed keys are supported in virtual machine DB systems for databases using Oracle 19.13 or later.

Procedure

  1. Open the navigation menu. Select Oracle Database, then select Oracle Base Database.
  2. Choose your Compartment. A list of DB systems is displayed.
  3. In the list of DB systems, click the name of the DB system with the database you want to administer.
  4. The details of the DB system, followed by a list of databases, are displayed.
  5. In the list of databases, click the name of the database for which you want to change encryption management or to rotate a key.
  6. On the Database details page, click More actions.
  7. Click Administer encryption key.
  8. To rotate an encryption key on a database using customer-managed keys:
    1. Click Rotate encryption key to display a confirmation dialog.
    2. Click Rotate key.
  9. To change key management type from Oracle-managed keys to customer-managed keys:
    1. Click Change key management type.
    2. Select Use customer-managed keys. You must have a valid encryption key in the OCI Vault service and provide its details in the subsequent steps. See the Key and Secret Management Concepts topic in Overview of Vault.
    3. Choose a vault from the Vault in compartment drop-down. You can change the compartment by clicking the Change compartment link.
    4. Select an encryption key from the Master encryption key in compartment drop-down. You can change the compartment containing the encryption key you want to use by clicking the Change compartment link.
    5. If you want to use an encryption key that you import into your vault, then select Choose the key version and enter the OCID of the key you want to use in the Key version OCID field.
    Note

    • Changing key management causes the database to become briefly unavailable.
    • After changing key management to customer-managed keys, do not delete the encryption key from the vault as this can cause the database to become unavailable.
  10. Click Apply.

On the Details page for this database, the Encryption section displays the encryption key name and the encryption key OCID.