About Encryption in Oracle Analytics Cloud

Oracle Analytics Cloud provides two data encryption options:

  • Oracle-managed encryption keys
  • Customer-managed encryption keys

About Oracle-managed Encryption Keys

By default, Oracle manages encryption of data within Oracle Analytics Cloud using Oracle-managed keys. This doesn't include data in other platforms under your direct control. For example, data stored in cloud databases or on-premises databases that Oracle Analytics Cloud connects to.

About Customer-managed Encryption Keys

Optionally, you can use Vault services in Oracle Cloud Infrastructure to create and manage your own encryption keys for Oracle Analytics Cloud. Your customer-managed keys are used to encrypt Oracle Analytics Cloud data such as file-based datasets, any data in datasets that's configured for caching, and credentials used to connect to your data sources.

First, you create your customer-managed keys in Oracle Cloud Infrastructure Vault. Once set up, you can assign a custom encryption key to your Oracle Analytics Cloud instance. You can either specify the customer-managed key when you create your Oracle Analytics Cloud instance or assign the customer-managed key to an existing instance.

Note:

To use custom encryption, your Oracle Analytics Cloud instance must be deployed with Enterprise Edition. Custom encryption isn't available on Oracle Analytics Cloud instances deployed with Professional Edition.

To configure custom encryption, you must have permissions to manage the Oracle Analytics Cloud instance, create and assign encryption keys, and access Oracle Cloud Infrastructure Object Storage. See Prerequisites for Custom Encryption.

Caution:

The customer-managed encryption key is stored in Oracle Cloud Infrastructure Vault, external to your Oracle Analytics Cloud instance. Deleting or disabling a customer-managed key makes your content within Oracle Analytics Cloud unreadable for everyone, including Oracle, and your Oracle Analytics Cloud instance will be inaccessible.

About Rotating Customer-managed Encryption Keys

Oracle recommends that you rotate your custom encryption key from time-to-time to maintain security compliance. After rotating your custom encryption key in Oracle Cloud Infrastructure Vault, you must assign the new key version to your Oracle Analytics Cloud instance.

  1. In Oracle Cloud Infrastructure Vault, rotate the key. See Rotate a master encryption key.
  2. In your Oracle Analytics Cloud instance, assign the new key version. See Rotate the custom encryption key.