Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database

Perform these prerequisite steps to use customer-managed keys on Autonomous Database:

  1. Create an Oracle Cloud Infrastructure Vault.
    1. Open the Oracle Cloud Infrastructure Console by clicking the navigation icon next to Oracle Cloud.
    2. From the Oracle Cloud Infrastructure left navigation menu click Identity and Security, and then click Vault.
    3. Select an existing Vault or create a new Vault.

      For more details, see the instructions for creating a vault, To create a new vault.

  2. Create a Master Encryption Key in the Vault.

    Note:

    You must use these options when you create the key:
    • Key Shape: Algorithm: AES (Symmetric key used for Encrypt and Decrypt)

    • Key Shape: Length: 256 bits

    For more information, see To create a new master encryption key and Overview of Key Management.

  3. Create a dynamic group to make the master encryption key accessible to Autonomous Database.
    1. In the Oracle Cloud Infrastructure console click Identity and Security, and then click Dynamic Groups.
    2. Click Create Dynamic Group and enter a Name, a Description, and a rule or use the Rule Builder to add a rule.
    3. Click Create.
    • Create Dynamic Group for an existing database:

      You can specify that an Autonomous Database instance is part of the dynamic group. The dynamic group in the following example includes only the Autonomous Database whose OCID is specified in the resource.id parameter:

      resource.id = 'ocid1..oc1.iad.amaaaaaani______ci2q'
    • Create a Dynamic Group for a database that has not been provisioned yet:

      When you are creating the dynamic group before you provision or clone an Autonomous Database instance, the OCID for the new database is not yet available. For this case, create a dynamic group that specifies the resources in a given compartment:

      resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaamtlzh2vpqw5twx'
  4. Write policy statements for the dynamic group to enable access to Oracle Cloud Infrastructure resources (vaults and keys):
    1. In the Oracle Cloud Infrastructure console click Identity and Security and click Policies.
    2. To write policies for a dynamic group, click Create Policy, and enter a Name and a Description.
    3. Use the Policy Builder to create a policy.

      For example, the following allows the members of the dynamic group DGKeyCustomer1 to access the vaults and keys in the compartment named training:

      Allow dynamic-group DGKeyCustomer1 to use vaults in compartment training
      Allow dynamic-group DGKeyCustomer1 to use keys in compartment training

      This sample policy applies for a single compartment. You can specify that a policy applies for your tenancy, a compartment, a resource, or a group of resources.

    4. Click Create.

    See Managing Policies for more information on policies.
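The same four prerequisite steps driven from the OCI CLI instead of the Console, as an added example that is not part of Oracle's documentation or code. The display names, dynamic group name and every OCID are placeholders you replace with your own; the script only prints the commands unless OCI_CMEK_APPLY=1 is set. Two points go beyond the text above: the CLI expresses the key length in bytes, so the required 256-bit AES key is length 32, and the compartment-scoped rule is narrowed to resource.type 'autonomousdatabase' so that other resources in the compartment do not inherit access to the key.

```shell
#!/bin/sh
# Added example (not Oracle's code): the Console steps above as OCI CLI calls.
# All names and OCIDs are placeholders. Commands are printed only (dry run)
# unless OCI_CMEK_APPLY=1 is set in the environment.
set -eu

# Key shape required on the page: AES, 256 bits.
# The OCI CLI/API give the length in BYTES, so 256 bits is length 32.
key_shape_json() {
  printf '{"algorithm":"AES","length":32}'
}

# Dynamic-group rule for one existing Autonomous Database (first case above).
dg_rule_for_instance() {
  printf "resource.id = '%s'" "$1"
}

# Rule for a database that is not provisioned yet (second case above), narrowed
# to Autonomous Database resources so compute instances, functions and other
# resources in the same compartment do not become members of the group.
dg_rule_for_compartment() {
  printf "ALL {resource.type = 'autonomousdatabase', resource.compartment.id = '%s'}" "$1"
}

# The two policy statements from step 4, as the JSON array --statements expects.
# "use" on vaults and keys is all the database needs; do not grant "manage".
policy_statements_json() {
  printf '["Allow dynamic-group %s to use vaults in compartment %s","Allow dynamic-group %s to use keys in compartment %s"]' \
    "$1" "$2" "$1" "$2"
}

# Execute a command, or print it to stderr when not applying (dry run).
run() {
  if [ "${OCI_CMEK_APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*" >&2; fi
}

apply_cmek_prereqs() {
  compartment_ocid=$1   # compartment that holds the vault, key and policy
  compartment_name=$2   # the same compartment by name (policies use names)
  dg_name=$3            # dynamic group name, e.g. DGKeyCustomer1
  adb_ocid=${4:-}       # optional: OCID of an already provisioned database

  # 1. Vault. Wait until ACTIVE and keep its management endpoint, which every
  #    key operation in that vault requires.
  mgmt_endpoint=$(run oci kms management vault create \
      --compartment-id "$compartment_ocid" --display-name adb-cmek-vault \
      --vault-type DEFAULT --wait-for-state ACTIVE \
      --query 'data."management-endpoint"' --raw-output)

  # 2. Master encryption key with the mandatory AES-256 shape.
  run oci kms management key create --endpoint "$mgmt_endpoint" \
      --compartment-id "$compartment_ocid" --display-name adb-cmek-key \
      --key-shape "$(key_shape_json)"

  # 3. Dynamic group: per-instance rule if the OCID is known, else per-compartment.
  if [ -n "$adb_ocid" ]; then
    rule=$(dg_rule_for_instance "$adb_ocid")
  else
    rule=$(dg_rule_for_compartment "$compartment_ocid")
  fi
  run oci iam dynamic-group create --name "$dg_name" \
      --description "Autonomous Database access to customer-managed key" \
      --matching-rule "$rule"

  # 4. Policy granting the dynamic group "use" on vaults and keys.
  run oci iam policy create --compartment-id "$compartment_ocid" \
      --name adb-cmek-policy \
      --description "Let Autonomous Database use the vault and key" \
      --statements "$(policy_statements_json "$dg_name" "$compartment_name")"
}

# Usage: OCI_CMEK_APPLY=1 sh cmek-prereqs.sh <compartment-ocid> <compartment-name> <dg-name> [adb-ocid]
if [ "$#" -ge 3 ]; then
  apply_cmek_prereqs "$@"
fi
```

Run it once without OCI_CMEK_APPLY to review the exact commands and rule text before anything is created; the only state it changes when applied is the vault, key, dynamic group and policy named in the commands.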