Configuring Bring Your Own Key on Oracle Cloud Infrastructure Legacy and Oracle Public Cloud

A unique pair of transportation keys, one public and one private, is generated by Oracle for every transfer of the TDE master key from you to Oracle. The public key of the transportation key pair is available in Infrastructure Classic Console or Applications Console. You use this public key to encrypt a new TDE master encryption key and upload it using the Manage TDE Key tile in Infrastructure Classic Console or Applications Console.

To generate the random TDE master keys, you can use OpenSSL, which has been certified for generating random TDE master keys and for encrypting them using the transportation key. You install OpenSSL on your premises to perform any of the actions on the Manage TDE Key page, which is available from the Infrastructure Classic Console or Applications Console in your Cloud Account.

TDE Master Key Upload Best Practices

Before uploading or resetting your TDE master encryption key, review the following best practices.
  1. Upload or Reset Your First Key with Oracle: You must perform the first key reset or upload along with Oracle. Contact your Oracle representative to schedule this.

  2. Review TDE Master Key Ownership & Responsibilities:
    • Review the list of service administrators who can perform the key upload or reset operation.
    • It is critical that you establish an internal policy for backups and safeguard the TDE master key.
    • Maintain an inventory of the keys you have used along with the dates on which they were used. Maintain backups of all keys for the duration specified in the Oracle Backup Retention Policy.
  3. Key Lifecycle Operations: Consider the following scheduled events before uploading or resetting your key:
    • Make sure other lifecycle operations, such as production to test, upgrade, or patching events, have not been scheduled.
    • Make a note of your organization’s peak usage period (for example, time of day, or end of the month/quarter/year).
    • DO NOT attempt to initiate a key reset or upload during such events or peak usage periods.
    • Always check for published event schedules in Infrastructure Classic Console or Applications Console.

Controlling TDE Keys

As a service administrator, you can set up and control keys from Infrastructure Classic Console or Applications Console to secure your data on Oracle Cloud. You can set up keys for Oracle Cloud services such as Oracle HCM Cloud Service, Oracle Sales Cloud Service, or Oracle ERP Cloud Service from the Manage TDE Key page, if enabled for the service.

To learn more about the service administrator role, see Oracle Cloud User Roles and Privileges.

The following elements are involved in data encryption:
  • Transportation Key: The public key that you download from Oracle Cloud
  • TDE Master Encryption Key: The key that you generate on your premises
  • Encrypted Key File: The file that stores your TDE Master Encryption Key encrypted with the Transportation Key
You can do the following operations from the Manage TDE Key page:
  • Download Oracle public key and use it to encrypt your own TDE master encryption key.
  • Upload your new TDE master encrypted key.
  • Reset your key: You can replace the given key with your own TDE master encryption key. You must use OpenSSL to generate your own key for replacing the existing master encryption key.
  • Revoke your key: Delete your TDE master encryption key and shut down the system.
  • Restore your key: Restore your key and the system after the revoke operation. You can restore the system only if you provide the exact key that was revoked.

Downloading Oracle Public Key

You download Oracle public key so you can use it to encrypt your own TDE master encryption key. Then, you can upload your new TDE master encrypted key.
To download Oracle public key:
  1. Sign in to Applications Console or Infrastructure Classic Console.
    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Oracle Cloud Console.
  2. In the Cloud Services section, click the Menu icon on the service tile to open the Service Details page. The Overview tile is in focus.
  3. Click the Manage TDE Key tile.
  4. Click Download Public Transport Key to download the Oracle public transport key.
  5. Encrypt the key using OpenSSL. Follow the instructions provided on screen to generate and encrypt your own TDE master key.

Generating Your TDE Master Key

After you download the Oracle Public Key, you must use OpenSSL to generate and encrypt your key. This step is performed using the command line on your local Unix-based system. The instructions provided here are for a Linux system.

For Oracle Cloud Infrastructure

Follow the exact steps below to generate your TDE master key; otherwise, the key reset operation will fail. After you generate the key, encrypt it using the Transport Key, Base64 encode the result (the upload must be Base64 encoded, not binary), and use it to reset the given TDE master key with your own. You must use OpenSSL to generate and encrypt your key.

To generate your TDE master key for your environment hosted on Oracle Cloud Infrastructure:

  1. Set the environment variables used in the following steps: OPENSSL (path to the openssl binary), AES_KEY (the generated key file), WRAPPING_KEY (the downloaded public transport key), WRAPPED_KEY (the encrypted key file), and BASE64_WRAPPED_KEY (the Base64 encoded file to upload).
  2. Generate a 32-byte AES symmetric key to be used as your TDE master key.

    ${OPENSSL} rand 32 > ${AES_KEY}

  3. Encrypt your own TDE master key.

    You encrypt your own generated TDE master key, with RSA-OAEP with SHA-256, using the Oracle Public Transport key that you downloaded from Cloud Console.

    ${OPENSSL} pkeyutl -encrypt -in ${AES_KEY} -inkey ${WRAPPING_KEY} -pubin -out ${WRAPPED_KEY} -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

    For example:

    openssl pkeyutl -encrypt -in "aes_key.bin" -inkey "publickey.pem" -pubin -out "wrappedkey.bin" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

  4. Base64 encode the encrypted TDE master key.

    The encrypted key must be Base64 encoded, not in binary format.

    cat ${WRAPPED_KEY} | base64 -w 0 > ${BASE64_WRAPPED_KEY}

  5. Upload your encrypted TDE master key using the Reset TDE Master Key option described in Resetting TDE Master Encryption Key.
For Oracle Cloud Infrastructure Classic

Follow the exact steps below to generate your TDE master key; otherwise, the key reset operation will fail. After you generate the key, encrypt it using the Transport Key and keep the result in binary format (do not Base64 encode it), then use it to reset the given TDE master key with your own. You must use OpenSSL to generate and encrypt your key.

To generate your TDE master key for your environment hosted on Oracle Cloud Infrastructure Classic:

  1. Create a new directory for the key and assign it to an environment variable.
    $mkdir -p dir_of_key
    $export KEYPATH=dir_of_key
  2. Make sure the directory is restricted.

    $chmod go-rwx $KEYPATH

  3. Generate a hexadecimal string of 48 bytes to be used as your TDE master key.

    The key material must be 48 bytes long. The first 16 bytes are used as an identifier and the remaining 32 bytes are used as the TDE master key. This 48-byte string must be converted to a 96-character hexadecimal string.

    $openssl rand 48 | xxd -l 48 -c 256 -p > $KEYPATH/clearkey

  4. Determine the checksum of your TDE master key from step 3.

    The checksum is required when you reset or restore key.

    $sha256sum -t $KEYPATH/clearkey | awk '{print $1}'

  5. Encrypt your own TDE master key.

    You encrypt your own generated TDE master key, with RSA padding mode PKCS#1 v1.5, using the Oracle Public Transport key that you downloaded following the steps in Downloading Oracle Public Key. A new transport key must be downloaded for each key reset operation. The encrypted key from running the following command will be in binary format and must be uploaded in this format. If an openssl alternative is used, then make sure the output of the alternative tool is in binary and not in base64 or other encodings.

    $openssl rsautl -pubin -inkey $KEYPATH/OraclePublicTransportKey.pub -in $KEYPATH/clearkey -out customerKey_encrypted.txt -encrypt
  6. Upload your encrypted TDE master key using the Reset TDE Master Key option described in Resetting TDE Master Encryption Key.
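The following script is an added rehearsal of both wrapping procedures above (the Oracle Cloud Infrastructure flavour and the Classic flavour); it is not Oracle's code. A locally generated RSA pair stands in for the transport key you would download from the console, and the private half exists here only so that each wrapped blob can be checked end to end before a real upload. It assumes openssl, grep and cmp are on the path.

```shell
# Added rehearsal of both wrapping procedures (not Oracle's code). A locally
# generated RSA pair stands in for the downloaded transport key; the private
# half exists here only so the wrapped blobs can be verified end to end.
set -e
WORK=${WORK:-$(mktemp -d)}
chmod go-rwx "$WORK"                      # restrict the directory, as the text asks
make_transport_key() {                    # constructed stand-in for Oracle's key
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/transport.key" 2>/dev/null
  openssl pkey -in "$WORK/transport.key" -pubout -out "$WORK/transport.pub"
}
# OCI flavour: 32 random bytes, RSA-OAEP with SHA-256, then single-line Base64.
wrap_oci() {
  openssl rand 32 > "$WORK/aes_key.bin"
  openssl pkeyutl -encrypt -in "$WORK/aes_key.bin" -inkey "$WORK/transport.pub" \
    -pubin -out "$WORK/wrapped.bin" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  openssl base64 -A -in "$WORK/wrapped.bin" -out "$WORK/wrapped.b64"  # = base64 -w 0
}
# Classic flavour: 96 hex chars (16-byte identifier + 32-byte key), SHA-256
# checksum of the clear key file, PKCS#1 v1.5 wrapping left in binary. pkeyutl
# with pkcs1 padding is the non-deprecated equivalent of the rsautl command.
wrap_classic() {
  openssl rand -hex 48 > "$WORK/clearkey"  # same as 'openssl rand 48 | xxd -p'
  openssl dgst -sha256 -r "$WORK/clearkey" | cut -d' ' -f1 > "$WORK/clearkey.sha256"
  openssl pkeyutl -encrypt -in "$WORK/clearkey" -inkey "$WORK/transport.pub" \
    -pubin -out "$WORK/customerKey_encrypted.txt" -pkeyopt rsa_padding_mode:pkcs1
}
# Pre-upload checks: the Classic clear key is exactly 96 lowercase hex chars,
# and each wrapped blob decrypts back to the bytes that were wrapped.
classic_key_is_well_formed() { grep -Eqx '[0-9a-f]{96}' "$WORK/clearkey"; }
unwraps_to() {   # $1 wrapped file, $2 original file, remaining args: padding opts
  w=$1; o=$2; shift 2
  openssl pkeyutl -decrypt -in "$w" -inkey "$WORK/transport.key" \
    -out "$WORK/unwrapped.bin" "$@" && cmp -s "$WORK/unwrapped.bin" "$o"
}
rehearse() {     # prints "ok" only when every step and check succeeds
  make_transport_key && wrap_oci && wrap_classic &&
  classic_key_is_well_formed &&
  openssl base64 -d -A -in "$WORK/wrapped.b64" -out "$WORK/wrapped.dec" &&
  unwraps_to "$WORK/wrapped.dec" "$WORK/aes_key.bin" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 &&
  unwraps_to "$WORK/customerKey_encrypted.txt" "$WORK/clearkey" \
    -pkeyopt rsa_padding_mode:pkcs1 &&
  echo ok
}
rehearse
```

Against a real transport key you only have the public half, so the unwrap check cannot run; the format checks and the checksum still apply unchanged.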

Resetting TDE Master Encryption Key

After you generate your key and encrypt it, you can replace the given TDE master encryption key with the key you generated. You must follow the instructions to generate your own key. If not, the reset key operation will fail.
To reset the given key:
  1. Sign in to Applications Console or Infrastructure Classic Console.
    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Oracle Cloud Console.
  2. In the Cloud Services section, click the Menu icon on the service tile and select View Details to open the Service Details page. The Overview tile is in focus.
  3. Click the Manage TDE Key tile.
  4. Click Choose operation and select Reset TDE Master Key.
  5. Click Browse and select your encrypted TDE master key.
  6. Provide the checksum you generated as part of the key generation procedure. Copy and paste the checksum in the text box.
  7. Click Upload Encrypted TDE Master Key to upload your encrypted key.
  8. In the Warning window, click Yes to continue.
The TDE master key is replaced with your own TDE encrypted key.

Note:

Make a copy of your key and keep it safely. If you have any old keys (history), you must keep them safe as well. This is required during restoration of backups. When restoring your backup, you must provide the corresponding key that was used for the backup to Oracle. If you lose your old keys, the corresponding backup can’t be restored.

Revoking Your TDE Master Encryption Key

You can stop service access and shut down the system by revoking the TDE master encryption key. Application data and the related service will no longer be accessible. You can access the service again only by restoring the revoked key.
To revoke the TDE master encrypted key:
  1. Sign in to Applications Console or Infrastructure Classic Console.
    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Oracle Cloud Console.
  2. In the Cloud Services section, click the Menu icon on the service tile to open the Service Details page. The Overview tile is in focus.
  3. Click the Manage TDE Key tile.
  4. Click Choose operation and select Revoke TDE Master Key.
  5. In the Warning window, review the warning message and click Yes to continue. Make note of the TDE master key you are revoking. You’ll need the same key to restore it later.
  6. Click Revoke TDE Master Key.
The key is revoked and data is no longer accessible.

Note:

Make a copy of the revoked key and keep it safe. You must provide the exact key that you revoked when restoring access to data. If you lose the key, data access will be lost.

Restoring Your TDE Master Encryption Key

You can restore the services that were shut down when the TDE master encryption key was revoked, by uploading the same revoked key in Infrastructure Classic Console or Applications Console. Ensure that you provide the exact same key that was revoked; otherwise, the operation will fail.
The process of restoring your master encryption key is akin to a key reset, except that you do not generate a new key. You only need to download the latest public transportation key and use it to encrypt the revoked TDE master key, exactly as in the key reset operation.
To restore your services and upload the encrypted key:
  1. Sign in to Applications Console or Infrastructure Classic Console.
    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Oracle Cloud Console.
  2. In the Cloud Services section, click the Menu icon on the service tile to open the Service Details page. The Overview tile is in focus.
  3. Click the Manage TDE Key tile.
  4. Click Download Public Transport Key.
    Note that you must always use the latest public key for every transaction. Because you are restoring a key that was used previously, you must use the same key, but encrypt it with the latest public key.
  5. Click Choose operation and select Restore TDE Master Key. Note that this operation is only enabled when the key has been revoked.
  6. Browse and select the exact TDE master encrypted key that was revoked.
  7. Provide the same valid checksum that you used during the reset key operation.
  8. Click Upload Encrypted TDE Master Key to upload your encrypted key.
  9. If successful, a message is displayed along with the progress of the restore operation.