Prerequisites for Custom Encryption

Before you configure custom encryption for your Oracle Analytics Cloud instance, you must set up a vault with one or more master encryption keys, and ensure that you have all the required permissions.

  1. Verify that your Oracle Analytics Cloud deployment includes Enterprise Edition.

    Custom encryption isn't available on Oracle Analytics Cloud instances deployed with Professional Edition. Edition information is displayed on the Instance Details page. See Verify Your Service.

  2. Familiarize yourself with the Vault service in Oracle Cloud Infrastructure and ensure you have permissions to manage vaults, encryption keys, and secrets. See Overview of Vault and Let security admins manage vaults, keys, and secrets.
  3. Set up a vault. See Create a new vault.
  4. Add one or more custom encryption keys. See Create a new master encryption key.
  5. Check you have permissions to manage the Oracle Analytics Cloud instance and assign encryption keys.
    Specifically, you must belong to a group that's granted permissions to:
    • Create Oracle Analytics Cloud instances.
    • Browse vaults and keys to enable key selection.
    • Assign a key to an Oracle Analytics Cloud instance. Assigning keys to resources in Oracle Cloud Infrastructure is a separate permission, required in addition to the permission to browse keys.

    For example, grant the following permissions to a user in the group OACAdmins, where <OAC-compartment-name> is the compartment where the Analytics instance resides and <KEY-compartment-name> is the compartment where the key resides.

    # Allow users in the Oracle Analytics Cloud Admins group (OACAdmins) to manage Analytics instances located in <OAC-compartment-name>. For example, MyOACCompartment.
    allow group OACAdmins to manage analytics-instances in compartment <OAC-compartment-name>

    # Allow users in the Oracle Analytics Cloud Admins group (OACAdmins) to browse and select vaults and keys located in <KEY-compartment-name>. For example, MyKeyCompartment.
    allow group OACAdmins to read vaults in compartment <KEY-compartment-name>
    allow group OACAdmins to read keys in compartment <KEY-compartment-name>

    # Allow users in the Oracle Analytics Cloud Admins group (OACAdmins) to assign encryption key MyKey1 located in <KEY-compartment-name>. For example, MyKeyCompartment.
    allow group OACAdmins to use key-delegate in compartment <KEY-compartment-name> where target.key.id = '<MyKey1_ocid>'

    # Allow Analytics instances located in MyOACCompartment to encrypt/decrypt with MyKey1 located in MyKeyCompartment
    allow any-user to use keys in compartment MyKeyCompartment where all { request.principal.type='analyticsinstance', request.principal.compartment.id='<MyOACCompartment_ocid>', target.key.id='<MyKey1_ocid>'}

    # Allow the Object Storage service to encrypt and decrypt Oracle Analytics Cloud private buckets with MyKey1 located in MyKeyCompartment (add one statement for each subscribed region)
    allow service objectstorage-<region_name> to use keys in compartment MyKeyCompartment where target.key.id = '<MyKey1_ocid>'
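As an added check before you create the policy (example code written for this page, not Oracle's documentation or tooling), the following Python linter parses policy statements in the form shown above and reports which of the four group grants (manage analytics-instances, read vaults, read keys, use key-delegate) are missing, and whether an any-user statement lets instances in a given compartment use a given key. The group name, compartment names and OCIDs in the sample are constructed placeholders; the `where` conditions are matched as text, not evaluated the way OCI evaluates them.

```python
"""Lint OCI IAM policy statements for the custom-encryption grants.

Added example, not Oracle's code: it only inspects statement text and never
contacts OCI. The sample policy below uses constructed placeholder values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OCI verb hierarchy: each verb includes everything granted by the verbs before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>group\s+\S+|any-user|service\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"
    r"\s+in\s+compartment\s+(?P<compartment>\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

# Constructed sample: the page's statements with placeholder compartments and OCIDs.
SAMPLE_POLICY = """
# Manage Analytics instances in MyOACCompartment
allow group OACAdmins to manage analytics-instances in compartment MyOACCompartment
# Browse vaults and keys in MyKeyCompartment
allow group OACAdmins to read vaults in compartment MyKeyCompartment
allow group OACAdmins to read keys in compartment MyKeyCompartment
# Assign MyKey1 to an instance (separate from browsing keys)
allow group OACAdmins to use key-delegate in compartment MyKeyCompartment where target.key.id = 'ocid1.key.oc1..EXAMPLE-KEY'
# Let instances in MyOACCompartment encrypt/decrypt with MyKey1
allow any-user to use keys in compartment MyKeyCompartment where all { request.principal.type='analyticsinstance', request.principal.compartment.id='ocid1.compartment.oc1..EXAMPLE-OAC', target.key.id='ocid1.key.oc1..EXAMPLE-KEY'}
"""


@dataclass(frozen=True)
class Statement:
    subject: str               # "group OACAdmins", "any-user" or "service objectstorage-<region>"
    verb: str                  # inspect | read | use | manage (lower-cased)
    resource: str              # e.g. "analytics-instances", "keys", "key-delegate" (lower-cased)
    compartment: str           # compartment name exactly as written
    condition: Optional[str]   # raw text after "where", or None


def parse_policy(text: str) -> List[Statement]:
    """Parse policy text; '#' comment lines and blank lines are skipped.
    Raises ValueError for a line that is not a recognised allow statement."""
    statements = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STATEMENT_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised statement: {line}")
        statements.append(Statement(
            subject=" ".join(m["subject"].split()),
            verb=m["verb"].lower(),
            resource=m["resource"].lower(),
            compartment=m["compartment"],
            condition=m["condition"],
        ))
    return statements


def verb_covers(granted: str, required: str) -> bool:
    """True if a grant of `granted` also satisfies a requirement for `required`."""
    return VERB_RANK[granted] >= VERB_RANK[required]


def required_group_grants(oac_compartment: str, key_compartment: str) -> List[Tuple[str, str, str]]:
    """The four (verb, resource, compartment) grants the admin group needs."""
    return [
        ("manage", "analytics-instances", oac_compartment),
        ("read", "vaults", key_compartment),
        ("read", "keys", key_compartment),
        ("use", "key-delegate", key_compartment),
    ]


def missing_group_grants(statements: List[Statement], group: str,
                         oac_compartment: str, key_compartment: str) -> List[Tuple[str, str, str]]:
    """Return the required grants that no statement for `group` covers.
    A grant carrying a 'where' condition counts as present; conditions are not evaluated."""
    subject = f"group {group}"
    missing = []
    for verb, resource, compartment in required_group_grants(oac_compartment, key_compartment):
        present = any(
            s.subject == subject and s.resource == resource
            and s.compartment == compartment and verb_covers(s.verb, verb)
            for s in statements
        )
        if not present:
            missing.append((verb, resource, compartment))
    return missing


def instance_can_use_key(statements: List[Statement], oac_compartment_ocid: str, key_ocid: str) -> bool:
    """True if an any-user statement lets analytics instances from the given
    compartment use the given key (the service-to-service grant on the page)."""
    for s in statements:
        if s.subject != "any-user" or s.resource != "keys" or not verb_covers(s.verb, "use"):
            continue
        cond = (s.condition or "").replace(" ", "")   # tolerate spacing around '='
        if ("request.principal.type='analyticsinstance'" in cond
                and f"request.principal.compartment.id='{oac_compartment_ocid}'" in cond
                and f"target.key.id='{key_ocid}'" in cond):
            return True
    return False


if __name__ == "__main__":
    stmts = parse_policy(SAMPLE_POLICY)
    print("missing group grants:", missing_group_grants(stmts, "OACAdmins", "MyOACCompartment", "MyKeyCompartment"))
    print("instances can use key:", instance_can_use_key(stmts, "ocid1.compartment.oc1..EXAMPLE-OAC", "ocid1.key.oc1..EXAMPLE-KEY"))
```

Run it against the text of a policy before creating it; the case it is most useful for is the one the page calls out, a group that can browse keys but has no `use key-delegate` grant, which the linter reports as a single missing tuple.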