Configuring Bring Your Own Key on Oracle Cloud Infrastructure Legacy and Oracle Public Cloud
A unique transportation key pair, one public key and one private key, is generated by Oracle for every transfer of the TDE master key from you to Oracle. The public key of the transportation key pair is available in Infrastructure Classic Console or Applications Console. You use this public key to encrypt a new TDE master encryption key and upload it using the Manage TDE Key tile in Infrastructure Classic Console or Applications Console.
To generate the random TDE master keys, you can use OpenSSL, which has been certified for generating random TDE master keys and for encrypting them using the transportation key. You install OpenSSL on your premises to perform any of the actions on the Manage TDE Key page, which is available from the Infrastructure Classic Console or Applications Console in your Cloud Account.
TDE Master Key Upload Best Practices
- Upload or Reset Your First Key with Oracle: You must perform the first key reset or upload along with Oracle. Contact your Oracle representative to schedule this.
- Review TDE Master Key Ownership & Responsibilities:
- Review the list of service administrators who can perform the key upload or reset operation.
- It is critical that you establish an internal policy for backups and safeguard the TDE master key.
- Maintain an inventory of the keys you have used along with the dates on which they were used. Maintain backups of all keys for the duration specified in the Oracle Backup Retention Policy.
- Key Lifecycle Operations: Consider the following scheduled events before uploading or resetting your key:
- Make sure other lifecycle operations, such as production to test, upgrade, or patching events, have not been scheduled.
- Make a note of your organization’s peak usage period (for example, time of day, or end of the month/quarter/year).
- DO NOT attempt to initiate a key reset or upload during such events or peak usage periods.
- Always check for published event schedules in Infrastructure Classic Console or Applications Console.
Controlling TDE Keys
To learn more about the service administrator role, see Oracle Cloud User Roles and Privileges.
- Transportation Key: The public key that you download from Oracle Cloud
- TDE Master Encryption Key: The key that you generate on your premises
- Encrypted Key File: The file that stores the TDE Master Encryption Key encrypted with the Transportation Key
- Download Oracle public key and use it to encrypt your own TDE master encryption key.
- Upload your new TDE master encrypted key.
- Reset your key: You can replace the given key with your own TDE master encryption key. You must use OpenSSL to generate your own key for replacing the existing master encryption key.
- Revoke your key: Delete your TDE master encryption key and shut down the system.
- Restore your key: Restore your key and the system after the revoke operation. You can restore the system only if you provide the exact key that was revoked.
Downloading Oracle Public Key
Generating Your TDE Master Key
After you download the Oracle Public Key, you must use OpenSSL to generate and encrypt your key. This step is performed using the command line on your local Unix-based system. The instructions provided here are for a Linux system.
For Oracle Cloud Infrastructure
Follow the exact steps below to generate your TDE master key; otherwise, the key reset operation will fail. After you generate the key, encrypt it using the Transport Key in Base64 encoded and not in binary format, and use it to reset the given TDE master key with your own. You must use OpenSSL to generate and encrypt your key.
To generate your TDE master key for your environment hosted on Oracle Cloud Infrastructure:
- Set environment variables required for the process.
OPENSSL: location of the OpenSSL 1.1.1 or later installation
AES_KEY: path to the file that stores the generated TDE master key
WRAPPING_KEY: path to the file storing the encryption key, also known as the transport key, downloaded following the steps in Downloading Oracle Public Key
WRAPPED_KEY: path to the file containing the encrypted TDE master key
BASE64_WRAPPED_KEY: path to the file containing the wrapped TDE master key in Base64 encoded format
- Generate a 32-byte AES symmetric key to be used as your TDE master key.
${OPENSSL} rand 32 > ${AES_KEY}
- Encrypt your own TDE master key.
You encrypt your own generated TDE master key, with RSA-OAEP with SHA-256, using the Oracle Public Transport key that you downloaded from Cloud Console.
${OPENSSL} pkeyutl -encrypt -in ${AES_KEY} -inkey ${WRAPPING_KEY} -pubin -out ${WRAPPED_KEY} -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
For example:
openssl pkeyutl -encrypt -in "aes_key.bin" -inkey "publickey.pem" -pubin -out "wrappedkey.bin" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
- Base64 encode the encrypted TDE master key.
The encrypted key must be Base64 encoded, not in binary format.
cat ${WRAPPED_KEY} | base64 -w 0 > ${BASE64_WRAPPED_KEY}
- Upload your encrypted TDE master key using the Reset TDE Master Key option described in Resetting TDE Master Encryption Key.
For Oracle Cloud Infrastructure Classic
Follow the exact steps below to generate your TDE master key; otherwise, the key reset operation will fail. After you generate the key, encrypt it using the Transport Key in binary format and not Base64 encoded, and use it to reset the given TDE master key with your own. You must use OpenSSL to generate and encrypt your key.
To generate your TDE master key for your environment hosted on Oracle Cloud Infrastructure Classic:
- Create a new directory for the key and assign it to an environment variable.
$ mkdir -p dir_of_key
$ export KEYPATH=dir_of_key
- Make sure the directory is restricted.
$ chmod go-rwx $KEYPATH
- Generate a hexadecimal string of 48 bytes to be used as your TDE master key.
The key material must be 48 bytes long. The first 16 bytes are used as an identifier and the remaining 32 bytes are used as the TDE master key. This 48-byte value must be converted to a 96-character hexadecimal string.
$ openssl rand 48 | xxd -l 48 -c 256 -p > $KEYPATH/clearkey
- Determine the checksum of your TDE master key from step 3.
The checksum is required when you reset or restore the key.
$ sha256sum -t $KEYPATH/clearkey | awk '{print $1}'
- Encrypt your own TDE master key.
You encrypt your own generated TDE master key, with RSA padding mode PKCS#1 v1.5, using the Oracle Public Transport key that you downloaded following the steps in Downloading Oracle Public Key. A new transport key must be downloaded for each key reset operation. The encrypted key produced by the following command is in binary format and must be uploaded in this format. If an OpenSSL alternative is used, make sure the output of the alternative tool is binary and not Base64 or any other encoding.
$ openssl rsautl -pubin -inkey $KEYPATH/OraclePublicTransportKey.pub -in $KEYPATH/clearkey -out customerKey_encrypted.txt -encrypt
- Upload your encrypted TDE master key using the Reset TDE Master Key option described in Resetting TDE Master Encryption Key.
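The two procedures above (the Oracle Cloud Infrastructure flow with a 32-byte key, RSA-OAEP/SHA-256 and Base64 output, and the Classic flow with a 96-character hex key, a SHA-256 checksum and PKCS#1 v1.5 output left in binary) are rehearsed together in the following script. It is an added example, not Oracle's code: it generates a throwaway RSA key pair that stands in for the Oracle transport key (an assumption; the real public key comes from the console and Oracle holds the private half), wraps a key each way, and then proves that the artefact you would upload unwraps to exactly the key material you generated. The file names and the `make_test_transport_key`, `wrap_oci_key`, `wrap_classic_key` and `clearkey_checksum` functions are this example's own. It assumes OpenSSL 1.1.1 or later and GNU coreutils (`base64 -w 0`, `sha256sum`); `openssl rand -hex 48` is used in place of `openssl rand 48 | xxd -p` because it yields the same 96-character string without depending on xxd.

```shell
#!/bin/sh
# Added example (not Oracle's code). Rehearses both TDE master key wrapping
# procedures against a locally generated RSA pair that STANDS IN for the
# Oracle transport key, and checks each wrapped key round-trips before upload.
set -eu

# Throwaway 2048-bit RSA pair. Assumption: this only replaces the Oracle
# transport key so the round trip can be verified locally.
make_test_transport_key() {   # $1 = work dir
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/transport_priv.pem" 2>/dev/null
    openssl pkey -in "$1/transport_priv.pem" -pubout -out "$1/transport_pub.pem"
}

# OCI flow: 32 random bytes, RSA-OAEP with SHA-256, single-line Base64.
# Leaves $1/aes_key.bin, $1/wrapped.bin and $1/wrapped.b64. Returns 0 only if
# the Base64 text, decoded and unwrapped with the private key, equals aes_key.bin.
wrap_oci_key() {
    d=$1
    openssl rand 32 > "$d/aes_key.bin"
    openssl pkeyutl -encrypt -in "$d/aes_key.bin" -inkey "$d/transport_pub.pem" -pubin \
        -out "$d/wrapped.bin" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    base64 -w 0 < "$d/wrapped.bin" > "$d/wrapped.b64"
    # Round-trip check on the upload artefact itself, not on the binary file.
    base64 -d < "$d/wrapped.b64" > "$d/check.bin"
    openssl pkeyutl -decrypt -in "$d/check.bin" -inkey "$d/transport_priv.pem" \
        -out "$d/unwrapped.bin" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    cmp -s "$d/aes_key.bin" "$d/unwrapped.bin"
}

# SHA-256 checksum of a clear key file, as printed in the Classic procedure.
clearkey_checksum() {
    sha256sum "$1" | awk '{print $1}'
}

# Classic flow: 96 hex characters (16-byte identifier + 32-byte key) in
# $1/clearkey, its checksum in $1/clearkey.sha256, then PKCS#1 v1.5 wrapping
# kept in binary. pkeyutl with rsa_padding_mode:pkcs1 is the non-deprecated
# equivalent of `openssl rsautl -encrypt`, whose default padding is PKCS#1 v1.5.
# Returns 0 only if the binary blob unwraps to the clear key file byte for byte.
wrap_classic_key() {
    d=$1
    openssl rand -hex 48 > "$d/clearkey"
    clearkey_checksum "$d/clearkey" > "$d/clearkey.sha256"
    openssl pkeyutl -encrypt -in "$d/clearkey" -inkey "$d/transport_pub.pem" -pubin \
        -out "$d/customerKey_encrypted.txt" -pkeyopt rsa_padding_mode:pkcs1
    openssl pkeyutl -decrypt -in "$d/customerKey_encrypted.txt" \
        -inkey "$d/transport_priv.pem" -out "$d/clearkey.unwrapped" \
        -pkeyopt rsa_padding_mode:pkcs1
    cmp -s "$d/clearkey" "$d/clearkey.unwrapped"
}

# Stand-alone run: rehearse both flows in a private temporary directory.
main() {
    work=$(mktemp -d)
    chmod go-rwx "$work"
    make_test_transport_key "$work"
    wrap_oci_key "$work" && \
        echo "OCI wrap round-trip OK: $(wc -c < "$work/wrapped.b64") Base64 characters"
    wrap_classic_key "$work" && \
        echo "Classic wrap round-trip OK, checksum $(clearkey_checksum "$work/clearkey")"
    rm -rf "$work"
}

main
```

Against the real transport key you cannot perform the decrypt half of the check, because Oracle holds the private key; what carries over is the shape test (32 raw bytes and 344 Base64 characters with no line breaks for OCI, a 97-byte hex file and a 256-byte binary blob for a 2048-bit key in Classic) and the habit of recording the checksum of the clear key alongside the key backup before the reset.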
Resetting TDE Master Encryption Key
Note:
Make a copy of your key and keep it safe. If you have any old keys (history), you must keep them safe as well. They are required when restoring backups: when restoring a backup, you must provide Oracle with the key that was in use when that backup was taken. If you lose an old key, the corresponding backup can't be restored.
Revoking Your TDE Master Encryption Key
Note:
Make a copy of the revoked key and keep it safe. You must provide the exact key that you revoked when restoring access to data. If you lose the key, data access will be lost.