About Master Encryption Key Management on Autonomous Database

Autonomous Database provides two options for Transparent Data Encryption (TDE) to encrypt your database:

  • Oracle-managed encryption keys
  • Customer-managed encryption keys

Autonomous Database uses Transparent Data Encryption, including a TDE master key and TDE tablespace keys to encrypt data in the database. As shown in the following figure, the TDE master key generates and encrypts/decrypts the TDE tablespace keys, and the TDE tablespace keys encrypt the data files.

Description of adb_kms_keys.png follows
Description of the illustration adb_kms_keys.png

Oracle-Managed Master Encryption Keys on Autonomous Database

By default Autonomous Database uses Oracle-managed encryption keys.

Using Oracle-managed keys, Autonomous Database creates and manages the encryption keys that protect your data and Oracle handles rotation of the TDE master key.

Customer-Managed Encryption Keys on Autonomous Database

If your organization's security policies require customer-managed encryption keys, you can configure Autonomous Database to use an Oracle Cloud Infrastructure Vault master encryption key. With customer-managed master encryption keys, Autonomous Database uses the master encryption key to generate the TDE master key, and the TDE master key is encrypted using the Oracle Cloud Infrastructure Vault master key and stored locally on the database.

Caution:

The customer-managed encryption key is stored in Oracle Cloud Infrastructure Vault, external to the database host. If the customer-managed encryption key is disabled or deleted, the database will be inaccessible.

Use customer-managed encryption keys by performing the following steps:

  1. Create a master encryption key in your Oracle Cloud Infrastructure Vault.

    See Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database for more information.

  2. Select customer-managed encryption keys from the Oracle Cloud Infrastructure Console:

    • For an existing database, select Manage Encryption Key on the Oracle Cloud Infrastructure Console.

      See Use Customer-Managed Encryption Keys on Autonomous Database for details.

    • While provisioning, under Advanced Options, on the Encryption Key tab select Encrypt using customer-managed keys.

    • While cloning, under Advanced Options, on the Encryption Key tab select Encrypt using customer-managed keys.

About Customer-Managed Encryption Key Rotation on Autonomous Database

Describes how to rotate customer-managed encryption keys on Autonomous Database.

When you rotate the customer-managed master encryption key, Autonomous Database generates a new TDE master key and uses the new TDE master key to re-encrypt the tablespace encryption keys that encrypt and decrypt your data. This operation is fast and does not require database downtime. It does not change the tablespace keys and does not re-encrypt customer data.

Note:

Using the Oracle Cloud Infrastructure Console you can rotate an Oracle Cloud Infrastructure Vault master encryption key with the Rotate Key command. This is a separate action and does not result in a new master encryption key for your Autonomous Database. To rotate the master encryption key of your Autonomous Database, create a new master encryption key in Oracle Cloud Infrastructure Vault and follow the steps described below.

To rotate customer-managed encryption keys:

  1. Create a new master encryption key in your Oracle Cloud Infrastructure Vault. If you already have multiple master encryption keys, then select a master encryption key that is different than the key you are using as your master encryption key for your Autonomous Database instance.

    See Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database for more information.

  2. Rotate the master encryption key from the Oracle Cloud Infrastructure Console:

    See Use Customer-Managed Encryption Keys on Autonomous Database for more information.