Configuring Bring Your Own Key on Oracle Cloud Infrastructure Fusion Applications Environment Management
Fusion Applications leverages the OCI Vault service to enable you to create and manage encryption keys to secure the data stored at rest in your production and non-production environments. You can set up keys on your environment either during environment creation or you can add the key to an existing environment. If you add the configuration on an existing environment, encryption of the environment will occur during the next scheduled maintenance cycle.
Best Practices for Setting Up and Managing Vaults and Keys
It is a best practice to create separate vaults for production and non-production environments. Within the non-production vault, create separate keys for your test and development environments. For example, you might create the following:
Environment | Vault | Master encryption key |
---|---|---|
Production | my-production-vault | my-production-key |
Test | my-nonproduction-vault | my-test-environment-key |
Development | my-nonproduction-vault | my-development-environment-key |
Benefits of separate vaults for production and non-production:
- Maintaining separate vaults allows keys for production and non-production environments to be rotated independently of each other.
- There is a limit to the number of key versions per vault. Separate vaults give production and non-production their own counts against that limit, so heavy non-production activity cannot exhaust the headroom production needs.
Important
Production-to-test (P2T) refreshes where the test environment uses customer-managed keys also consume key versions, so frequent P2Ts reduce the number of remaining key versions in a vault more quickly.

You can verify your key limits and usage on the Limits, Quotas and Usage page, which displays the resource limits, quotas, and usage for the selected region, broken out by service:
- In the Console, open the navigation menu and click Governance & Administration. Under Tenancy Management, click Limits, Quotas and Usage.
- From the Service list, select Key Management.
Check the limit named Key Version Count for Virtual Vaults or Software Key Version Count for Virtual Vaults, whichever matches the key type (HSM-protected or software-protected) you chose.
Setting Up Customer-Managed Keys
Fusion Applications leverages the OCI Vault service to enable you to create and manage encryption keys to secure your production and non-production environments. You can set up keys on your environment either during environment creation, or you can add the key to an existing environment. If you add the configuration on an existing environment, encryption of the environment will occur during the next scheduled maintenance cycle.
Overview of Setup Tasks and Roles
Managing customer-managed keys involves tasks that are performed by different roles in your organization. The table below summarizes the roles and the tasks each performs, as described in the sections that follow:
Role | Setup tasks | Maintenance tasks |
---|---|---|
Tenancy Administrator | Create the system policy that enables customer-managed keys in the tenancy; create the policy that lets the Fusion Applications administrator read vaults and keys and associate them with environments | Delete keys and vaults (rare and highly destructive; back up the key first) |
Security Administrator | Create the vaults and keys and give their details to the Fusion Applications administrator | Rotate keys; disable and re-enable keys |
Fusion Applications Administrator | Add the key to the environment during creation, or to an existing environment | Verify key rotation on the environment's Security tab |
Setup Tasks for the Tenancy Administrator
Setup Tasks for the Security Administrator
The security administrator sets up the vaults and keys and gives the information to the Fusion Applications administrator to add them to the environment.
Setup Tasks for the Fusion Applications Administrator
Prerequisites:
- The subscription has been added to the environment family. If the subscription has not been added, you won't see the option to choose a customer-managed key.
- The security administrator has created the vault and key.
- The tenancy administrator has set up the system policy to enable customer-managed keys in your tenancy.
- The tenancy administrator has created a policy for the Fusion Applications Administrator to read vaults and keys and associate them to Fusion Applications environments.
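The vault and key layout recommended above, together with the read-only policy the tenancy administrator grants the Fusion Applications administrator, expressed as Terraform for the OCI provider. This is an added example, not Oracle's own code or documentation: compartment OCIDs, group and display names are placeholders, the exact IAM verbs needed to associate a key with a Fusion Applications environment are an assumption to be checked against Oracle's policy reference, and the tenancy-level statement that enables customer-managed keys for the Fusion Applications service is deliberately not shown because its wording is defined by Oracle, not by this example.

```hcl
# Added example (not from Oracle's documentation). Placeholders: all OCIDs,
# the group name and the display names below.

variable "tenancy_ocid" {
  type = string
}

variable "prod_compartment_id" {
  type = string
}

variable "nonprod_compartment_id" {
  type = string
}

variable "fa_admin_group" {
  type    = string
  default = "FusionAppsAdmins" # assumed group name for the FA administrator
}

# Production: its own vault and its own key, so production rotations and
# key-version counts are independent of anything non-production does.
resource "oci_kms_vault" "production" {
  compartment_id = var.prod_compartment_id
  display_name   = "my-production-vault"
  vault_type     = "DEFAULT" # virtual vault; key-version limits are per vault
}

resource "oci_kms_key" "production" {
  compartment_id      = var.prod_compartment_id
  display_name        = "my-production-key"
  management_endpoint = oci_kms_vault.production.management_endpoint
  protection_mode     = "HSM" # counts against "Key Version Count for Virtual Vaults"
  key_shape {
    algorithm = "AES"
    length    = 32
  }
}

# Non-production: one vault shared by test and development, with a separate
# key per environment so each can be rotated (and P2T-refreshed) on its own.
resource "oci_kms_vault" "nonproduction" {
  compartment_id = var.nonprod_compartment_id
  display_name   = "my-nonproduction-vault"
  vault_type     = "DEFAULT"
}

resource "oci_kms_key" "test" {
  compartment_id      = var.nonprod_compartment_id
  display_name        = "my-test-environment-key"
  management_endpoint = oci_kms_vault.nonproduction.management_endpoint
  protection_mode     = "HSM"
  key_shape {
    algorithm = "AES"
    length    = 32
  }
}

resource "oci_kms_key" "development" {
  compartment_id      = var.nonprod_compartment_id
  display_name        = "my-development-environment-key"
  management_endpoint = oci_kms_vault.nonproduction.management_endpoint
  protection_mode     = "HSM"
  key_shape {
    algorithm = "AES"
    length    = 32
  }
}

# Tenancy administrator: the FA administrator only needs to read vaults and
# keys to pick them in the Console; "read" is the assumed verb here, and no
# manage/delete rights are granted.
resource "oci_identity_policy" "fa_admin_kms_read" {
  compartment_id = var.tenancy_ocid
  name           = "fusionapps-admin-kms-read"
  description    = "Let Fusion Applications administrators select customer-managed keys"
  statements = [
    "Allow group ${var.fa_admin_group} to read vaults in compartment id ${var.prod_compartment_id}",
    "Allow group ${var.fa_admin_group} to read keys in compartment id ${var.prod_compartment_id}",
    "Allow group ${var.fa_admin_group} to read vaults in compartment id ${var.nonprod_compartment_id}",
    "Allow group ${var.fa_admin_group} to read keys in compartment id ${var.nonprod_compartment_id}",
  ]
}
```

Keeping the two vaults in different compartments, as above, also lets the production key's policies be scoped independently; the security administrator then hands the key OCIDs from `terraform output` (or the Console) to the Fusion Applications administrator.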
Adding Customer-Managed Keys During Environment Creation
After you complete all the steps to set up the environment, provisioning begins. Setting up encryption adds time to the provisioning process. While the key is being enabled, you'll see a message alerting you that the environment is unavailable.
Adding Customer-Managed Keys to an Existing Environment
Caution:
When you enable a customer-managed key on an existing environment, the encryption is not performed immediately. Re-encryption with the new key is performed during the next scheduled maintenance cycle. After you have added the key, you must contact support if you need to change when the scheduled encryption occurs. Until the maintenance cycle runs, the environment remains encrypted with the Oracle-managed key.

To enable customer-managed keys for an existing environment:
The message at the bottom of the window displays when the encryption is scheduled to occur. The encryption is performed in the next maintenance cycle or patch update. Until the maintenance occurs, the environment remains encrypted by the Oracle-managed key.
Rotating Keys
You rotate keys based on your organization's security practice. You can set up a CLI job to automatically rotate the keys, or your designated security administrator can rotate them manually through the vault service Console UI. See Key and Secret Management Concepts for more details on key versions.
Before you can rotate a key, the following conditions must be met:
- The environment Lifecycle state must be Active and the Health status must be Available.
- The vault must not have reached its limit of key versions. Production-to-test refreshes where the test environment uses customer-managed keys also consume key versions, so frequent P2Ts reduce the number of remaining key versions in a vault more quickly.
What to expect during key rotation:
- There is no downtime, and the Health status of the environment remains as Available.
- A banner message on the environment details page alerts you that rotation is in progress.
- The Key status shows as Rotation in progress.
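A pre-flight check for a scheduled rotation job, covering the two preconditions listed above and the key-version budgeting the Limits, Quotas and Usage note asks for (rotations plus P2T refreshes per vault). This is an added example, not Oracle's code: environment names and the limit value are constructed placeholders, and the two SDK helpers at the bottom assume the OCI Python SDK calls `oci.limits.LimitsClient.get_resource_availability` and `oci.key_management.KmsManagementClient.create_key_version`, with `"kms"` as the Limits service name and the limit name taken from the Console page; verify those against your tenancy before wiring them into a job.

```python
"""Pre-flight check and key-version budgeting for Fusion Applications BYOK.

Added example, not Oracle's code. It encodes the rotation preconditions
stated on this page (environment Active and Available, key-version headroom
in the vault) and the note that P2T refreshes also consume key versions.
Limit values, names and the SDK service/limit names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EnvStatus:
    name: str
    lifecycle_state: str  # must be "Active" before rotating
    health: str           # must be "Available" before rotating


@dataclass(frozen=True)
class KeyVersionUsage:
    """One vault's usage against its key-version limit (Limits, Quotas and Usage)."""
    limit: int
    used: int

    @property
    def remaining(self) -> int:
        return self.limit - self.used


@dataclass(frozen=True)
class KeyPlan:
    """Planned annual consumers of key versions for one key in the vault."""
    key_name: str
    rotations_per_year: int
    p2t_refreshes_per_year: int = 0  # only for test keys refreshed from production


def rotation_preflight(env: EnvStatus, usage: KeyVersionUsage,
                       versions_needed: int = 1) -> list[str]:
    """Return the blocking problems; an empty list means it is safe to rotate."""
    problems = []
    if env.lifecycle_state.lower() != "active":
        problems.append(f"{env.name}: lifecycle state is {env.lifecycle_state}, not Active")
    if env.health.lower() != "available":
        problems.append(f"{env.name}: health is {env.health}, not Available")
    if usage.remaining < versions_needed:
        problems.append(f"{env.name}: vault has {usage.remaining} key version(s) left, "
                        f"need {versions_needed}")
    return problems


def annual_key_versions(plans) -> int:
    """Key versions the vault consumes per year across all its keys."""
    return sum(p.rotations_per_year + p.p2t_refreshes_per_year for p in plans)


def months_of_headroom(usage: KeyVersionUsage, plans):
    """Months until the vault's key-version limit is reached at the planned rate.

    Returns None when nothing in the plan consumes key versions.
    """
    per_year = annual_key_versions(plans)
    if per_year == 0:
        return None
    return usage.remaining * 12 / per_year


# OCI SDK helpers (assumed API usage). The import is deferred so the pure
# functions above work without the SDK installed.
def fetch_key_version_usage(config, compartment_id, limit_name, service_name="kms"):
    """Read used/available for a Vault limit; the limit is taken as used + available.

    limit_name is whichever of the two names on the Limits, Quotas and Usage
    page applies to your key type (assumption: pass it exactly as the API names it).
    """
    import oci
    avail = oci.limits.LimitsClient(config).get_resource_availability(
        service_name, limit_name, compartment_id).data
    return KeyVersionUsage(limit=avail.used + avail.available, used=avail.used)


def rotate_key(config, management_endpoint, key_id):
    """Create a new key version (a rotation) through the vault's management endpoint."""
    import oci
    client = oci.key_management.KmsManagementClient(config, service_endpoint=management_endpoint)
    return client.create_key_version(key_id).data


if __name__ == "__main__":
    # Constructed sample: a non-production vault holding the test and dev keys.
    usage = KeyVersionUsage(limit=100, used=6)  # limit value is a placeholder
    env = EnvStatus("my-test-environment", "Active", "Available")
    print("preflight problems:", rotation_preflight(env, usage))
    plans = [KeyPlan("my-test-environment-key", rotations_per_year=4, p2t_refreshes_per_year=12),
             KeyPlan("my-development-environment-key", rotations_per_year=4)]
    print(f"{months_of_headroom(usage, plans):.1f} months of headroom at the planned rate")
```

Run the pre-flight against the production vault and the non-production vault separately; because limits are per vault, a healthy number on one says nothing about the other, and the budgeting function makes the P2T cost visible before a refresh schedule quietly eats the test key's headroom.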
To Verify Key Rotation
After you rotate a key, you can verify the rotation in the environment details page:
- Navigate to the environment: On the Applications tab of the Console, click Fusion Applications. On the Overview page, find the environment family for the environment, and then click the environment name.
- On the Environment details page, click the Security tab.
- The details of the key are displayed.
- Click the Key version to expand it and verify that it corresponds to the version in the vault service.
Disabling and Enabling Keys
If you need to shut down Fusion Applications and cut off access to the Fusion database immediately, your security administrator can disable the key, which forces all users out of the system.
WARNING:
Disabling a key may result in loss of data. If the key is disabled, Fusion Applications as a Service will proactively try to shut down the environment to minimize the chance of failures while the environment is in use. Once the key is disabled, the environment cannot be restarted until the key is enabled again. While the key remains disabled, no Fusion Applications cloud service can access any previously saved customer data.

What to expect when you disable a key:
- The Health status of the environment is updated to Unavailable, and the Lifecycle state is updated to Disabled. All users are forced out of the application.
- A banner message on the environment details page alerts you that encryption has been disabled.
- The Key status shows as Disabled.
Deleting Keys
The permissions granted to the security administrator role do not include delete for keys and vaults. The deletion of keys and vaults is a highly destructive operation and should be performed only by the tenancy administrator in rare circumstances.
When a tenancy administrator deletes a key, any data or OCI resource encrypted by that key (including your Fusion Applications database) immediately becomes unusable or irretrievable.
We strongly recommend that you back up a key before you schedule the key for deletion. With a backup, you can restore the key and the vault if you want to continue using the key again later.
For more information, see Deleting a Vault Key.