Rotate Encryption Keys

This article describes the prerequisite tasks for using customer-managed keys with Autonomous Database on Dedicated Exadata Infrastructure.

Rotate the Encryption Key of an Autonomous Container Database

Required IAM Policies

manage autonomous-container-databases

Procedure

  1. Go to the Details page of the Autonomous Container Database whose encryption key you want to rotate.

    For instructions, see View Details of an Autonomous Container Database.

  2. Click Rotate Encryption Key.

  3. In the Rotate Encryption Key dialog, confirm that you want to rotate the key by clicking Rotate Key.

    The Autonomous Container Database goes to the Updating status, the encryption key is rotated, and the Autonomous Container Database goes back to the Active status. How the encryption key is rotated depends on whether it is Oracle-managed or customer-managed:

    • Oracle-managed key: Oracle Autonomous Database rotates the encryption key, storing the new value in the secure key store on the Exadata system where the Autonomous Container Database resides.
    • Customer-managed key: Oracle Autonomous Database uses the underlying technology (Oracle Cloud Infrastructure Vault for container databases on Oracle Cloud or Oracle Key Vault for container databases on Exadata Cloud@Customer) to rotate the key and store the new value as a new version of the key in the underlying technology, and then associates this new version with the Autonomous Container Database.

      You can view the latest Key Version OCID and the entire Key History from your Autonomous Container Database details page.

      Note:

      In the case of cross-region Data Guard with customer-managed keys, the replicated vault used by the standby is read-only. So, when the standby assumes the primary role from a failover, you cannot rotate the key.

Rotate the Encryption Key of an Autonomous Database

You rotate the encryption key of an Autonomous Database from its Details page.

  1. Go to the Details page of the Autonomous Database whose encryption key you want to rotate.

    For instructions, see View Details of a Dedicated Autonomous Database.

  2. Click More Actions and then click Rotate Encryption Key.

  3. In the Rotate Encryption Key dialog, confirm that you want to rotate the key by clicking Rotate Key.

    The Autonomous Database goes to the Updating status, the encryption key is rotated, and the Autonomous Database goes back to the Active status. How the encryption key is rotated depends on whether it is Oracle-managed or customer-managed:

    • Oracle-managed key: Oracle Autonomous Database rotates the encryption key, storing the new value in the secure key store on the Exadata system where the Autonomous Database resides.
    • Customer-managed key: Oracle Autonomous Database uses the underlying technology (Oracle Cloud Infrastructure Vault for databases on Oracle Cloud or Oracle Key Vault for databases on Exadata Cloud@Customer) to rotate the key and store the new value as a new version of the key in the underlying technology, and then associates this new version with the Autonomous Database.

      You can view the latest Key Version OCID and the entire Key History from your Autonomous Database details page.

      Note:

      In the case of cross-region Data Guard with customer-managed keys, the replicated vault used by the standby is read-only. So, when the standby assumes the primary role from a failover, you cannot rotate the key.
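Both procedures above are console click paths. When rotation is automated, the part worth getting right is the verification around the call: the resource must be Active before the request, it passes through Updating, and for a customer-managed key the Key Version OCID shown on the details page should differ afterwards. The following is an added example and not Oracle's code or documentation. It assumes the OCI Python SDK method names rotate_autonomous_container_database_encryption_key and rotate_autonomous_database_encryption_key on oci.database.DatabaseClient, that the API reports the console's Updating and Active statuses as UPDATING and AVAILABLE, and that the current key version OCID is exposed as an attribute named kms_key_version_id; check all three against the SDK you install. The OCIDs and the scripted state sequence are constructed so the verification logic runs offline.

```python
"""Rotate the encryption key of an Autonomous Container Database or an
Autonomous Database on Dedicated Exadata Infrastructure and verify the result.
Added example, not Oracle's code. SDK method and attribute names below are
assumptions to be checked against the installed OCI SDK."""
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ResourceView:
    """The two fields of the ACD/ADB resource that the rotation check needs."""
    lifecycle_state: str                  # assumed: "AVAILABLE" (Active) / "UPDATING"
    kms_key_version_id: Optional[str]     # assumed attribute name; None for Oracle-managed keys


def rotation_preflight(view: ResourceView) -> None:
    """Refuse to request a rotation unless the resource is Active.

    An UPDATING resource is still finishing an earlier change, and the
    documented standby-after-failover case (read-only replicated vault) will be
    rejected by the service; surfacing the state first keeps the failure local."""
    if view.lifecycle_state != "AVAILABLE":
        raise RuntimeError(
            f"resource is {view.lifecycle_state}, expected AVAILABLE before rotating")


def wait_for_rotation(fetch: Callable[[], ResourceView], previous_version: Optional[str],
                      poll_seconds: float = 30, timeout_seconds: float = 1800) -> ResourceView:
    """Poll until the resource is AVAILABLE again with a new key version.

    Expected path: AVAILABLE -> UPDATING -> AVAILABLE. With an Oracle-managed key
    there is no Vault key version to compare (previous_version is None), so the
    first AVAILABLE after UPDATING is accepted. With a customer-managed key an
    AVAILABLE resource that still carries the old version after UPDATING means
    the new version was not associated, which is reported rather than ignored."""
    deadline = time.monotonic() + timeout_seconds
    seen_updating = False
    while time.monotonic() < deadline:
        view = fetch()
        if view.lifecycle_state == "UPDATING":
            seen_updating = True
        elif view.lifecycle_state == "AVAILABLE":
            changed = view.kms_key_version_id != previous_version
            if changed or (previous_version is None and seen_updating):
                return view
            if seen_updating:
                raise RuntimeError("resource is AVAILABLE again but the key version "
                                   f"is still {previous_version}")
            # AVAILABLE with the old version before any UPDATING: rotation not started yet.
        else:
            raise RuntimeError(f"unexpected lifecycle state {view.lifecycle_state}")
        time.sleep(poll_seconds)
    raise TimeoutError("rotation did not complete within the timeout")


def scripted_fetch(states: List[ResourceView]) -> Callable[[], ResourceView]:
    """Return a fetch() that replays a constructed state sequence, then repeats the last."""
    position = {"i": 0}

    def fetch() -> ResourceView:
        view = states[min(position["i"], len(states) - 1)]
        position["i"] += 1
        return view
    return fetch


def rotate_and_verify(client, resource_id: str, kind: str = "container") -> ResourceView:
    """Live path: request the rotation through the OCI SDK and verify it.

    `client` is an oci.database.DatabaseClient; the rotate_* and get_* method
    names and the kms_key_version_id attribute are assumptions (see docstring)."""
    if kind == "container":
        get = lambda: client.get_autonomous_container_database(resource_id).data
        rotate = client.rotate_autonomous_container_database_encryption_key
    else:
        get = lambda: client.get_autonomous_database(resource_id).data
        rotate = client.rotate_autonomous_database_encryption_key

    def as_view() -> ResourceView:
        data = get()
        return ResourceView(data.lifecycle_state, getattr(data, "kms_key_version_id", None))

    before = as_view()
    rotation_preflight(before)
    rotate(resource_id)
    return wait_for_rotation(as_view, before.kms_key_version_id)


if __name__ == "__main__":
    # Offline demonstration with a constructed sequence and constructed OCIDs.
    old, new = "ocid1.keyversion.oc1..EXAMPLE_old", "ocid1.keyversion.oc1..EXAMPLE_new"
    sequence = [ResourceView("AVAILABLE", old), ResourceView("UPDATING", old),
                ResourceView("UPDATING", old), ResourceView("AVAILABLE", new)]
    rotation_preflight(sequence[0])
    result = wait_for_rotation(scripted_fetch(sequence), old, poll_seconds=0, timeout_seconds=5)
    print("rotation verified, new key version:", result.kms_key_version_id)
    # Live use (needs the OCI SDK and a configured profile):
    #   import oci
    #   client = oci.database.DatabaseClient(oci.config.from_file())
    #   rotate_and_verify(client, "ocid1.autonomouscontainerdatabase.oc1..PLACEHOLDER")
```

The version comparison is what turns the console's "goes back to the Active status" into an auditable fact for customer-managed keys: the OCID returned by wait_for_rotation is the one the details page lists as the latest Key Version and the one that should appear in the Key History. For an Oracle-managed key no version OCID is available to compare, so the check degrades to observing the Updating to Active transition.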