Perform these prerequisite steps to use customer-managed keys on Autonomous Database:
- Create an Oracle Cloud Infrastructure Vault.
- Open the Oracle Cloud Infrastructure Console by clicking the navigation menu icon next to Oracle Cloud.
- From the Oracle Cloud Infrastructure left navigation menu, click Identity and Security, and then click Vault.
- Select an existing Vault or create a new Vault.
For more details, see the instructions for creating a vault, To create a new vault.
- Create a Master Encryption Key in the Vault.
Note: You must use these options when you create the key:
Key Shape: Algorithm: AES (Symmetric key used for Encrypt and Decrypt)
Key Shape: Length: 256 bits
- Create a dynamic group to make the master encryption key accessible to Autonomous Database.
- In the Oracle Cloud Infrastructure console, click Identity and Security, and then click Dynamic Groups.
- Click Create Dynamic Group and enter a Name, a Description, and a rule, or use the Rule Builder to add a rule.
- Click Create.
Create a Dynamic Group for an existing database:
You can specify that an Autonomous Database instance is part of the dynamic group. The dynamic group in the following example includes only the Autonomous Database whose OCID is specified in the matching rule:
resource.id = 'ocid1..oc1.iad.amaaaaaani______ci2q'
Create a Dynamic Group for a database that has not been provisioned yet:
When you create the dynamic group before you provision or clone an Autonomous Database instance, the OCID of the new database is not yet available. In this case, create a dynamic group whose rule matches the resources in a given compartment:
resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaamtlzh2vpqw5twx'
Note that a compartment rule matches every eligible resource in that compartment, not only the new database. Once the database is provisioned and its OCID is known, you can narrow the rule to that OCID so that only the intended database can use the key.
See Perform Prerequisites to Use Resource Principal with Autonomous Database for more information.
- Write policy statements for the dynamic group to enable access to Oracle Cloud Infrastructure resources (vaults and keys):
- In the Oracle Cloud Infrastructure console, click Identity and Security, and then click Policies.
- To write policies for a dynamic group, click Create Policy, and enter a Name and a Description.
- Use the Policy Builder to create a policy.
For example, the following allows the members of the dynamic group DGKeyCustomer1 to access the vaults and keys in the compartment named training:
Allow dynamic-group DGKeyCustomer1 to use vaults in compartment training
Allow dynamic-group DGKeyCustomer1 to use keys in compartment training
This sample policy applies for a single compartment. You can specify that a policy applies for your tenancy, a compartment, a resource, or a group of resources.
- Click Create.
See Managing Policies for more information on policies.
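The following is an added example, not Oracle's code, that turns the prerequisites above into a scriptable preflight: it checks that a Vault key has the shape Autonomous Database requires (AES, 256 bits, and enabled), builds the dynamic-group matching rule for both cases (an existing database matched by OCID, or a not-yet-provisioned database matched by compartment), and emits the two policy statements. It goes slightly beyond the page by also OR-ing several database OCIDs into one rule with the Any {...} form. The key metadata dicts are constructed here and are assumed to mirror the fields OCI Vault returns for a key (key_shape.algorithm, key_shape.length, lifecycle_state); all OCIDs are made up. A real preflight would fetch the key metadata with the OCI CLI or SDK instead of using the constants.

```python
"""Preflight helpers for Autonomous Database customer-managed keys (added example).

Assumptions: key metadata is a dict shaped like the OCI Vault key resource
(key_shape.algorithm, key_shape.length, lifecycle_state); OCIDs are constructed.
"""

# OCI reports key_shape.length in BYTES, so the required 256-bit AES key
# shows up as length 32. Comparing the field against 256 is a common mistake.
REQUIRED_ALGORITHM = "AES"
REQUIRED_LENGTH_BYTES = 32


def check_key_shape(key_metadata):
    """Return a list of problems; an empty list means the key is usable."""
    problems = []
    shape = key_metadata.get("key_shape") or {}
    algorithm = shape.get("algorithm")
    length = shape.get("length")
    if algorithm != REQUIRED_ALGORITHM:
        problems.append(f"algorithm is {algorithm!r}, must be {REQUIRED_ALGORITHM}")
    if length != REQUIRED_LENGTH_BYTES:
        problems.append(
            f"length is {length!r} bytes, must be {REQUIRED_LENGTH_BYTES} (256 bits)"
        )
    # A disabled or pending-deletion key cannot be used for database encryption.
    state = key_metadata.get("lifecycle_state")
    if state != "ENABLED":
        problems.append(f"lifecycle_state is {state!r}, must be ENABLED")
    return problems


def _require_ocid(value):
    """Catch pasted display names or partial IDs: every OCID starts with 'ocid1.'."""
    if not isinstance(value, str) or not value.startswith("ocid1."):
        raise ValueError(f"not an OCID: {value!r}")
    return value


def matching_rule(database_ocids=(), compartment_ocid=None):
    """Build the dynamic-group matching rule.

    Existing databases are matched by resource.id (narrowest scope). A database
    that is not provisioned yet is matched by its compartment, which also admits
    every other eligible resource in that compartment. Several clauses are
    OR-ed together with the 'Any {...}' form.
    """
    clauses = [f"resource.id = '{_require_ocid(o)}'" for o in database_ocids]
    if compartment_ocid is not None:
        clauses.append(f"resource.compartment.id = '{_require_ocid(compartment_ocid)}'")
    if not clauses:
        raise ValueError("need at least one database OCID or a compartment OCID")
    if len(clauses) == 1:
        return clauses[0]
    return "Any {" + ", ".join(clauses) + "}"


def policy_statements(dynamic_group, compartment_name):
    """The two statements that let the dynamic group use vaults and keys."""
    return [
        f"Allow dynamic-group {dynamic_group} to use vaults in compartment {compartment_name}",
        f"Allow dynamic-group {dynamic_group} to use keys in compartment {compartment_name}",
    ]


# Constructed sample key metadata (made-up OCIDs, not real keys).
GOOD_KEY = {
    "id": "ocid1.key.oc1.iad.exampleaaaa.examplebbbb",
    "key_shape": {"algorithm": "AES", "length": 32},
    "lifecycle_state": "ENABLED",
}
BAD_KEY = {
    "id": "ocid1.key.oc1.iad.exampleaaaa.examplecccc",
    "key_shape": {"algorithm": "RSA", "length": 256},  # a 2048-bit RSA key
    "lifecycle_state": "ENABLED",
}

if __name__ == "__main__":
    for key in (GOOD_KEY, BAD_KEY):
        print(key["id"], check_key_shape(key) or "OK")
    print(matching_rule(database_ocids=["ocid1.autonomousdatabase.oc1.iad.exampledddd"]))
    print(matching_rule(compartment_ocid="ocid1.compartment.oc1..exampleeeee"))
    for stmt in policy_statements("DGKeyCustomer1", "training"):
        print(stmt)
```

Run check_key_shape against the metadata of the key you intend to select before provisioning; the RSA sample fails on both algorithm and length, which is the failure you would otherwise only discover when the database refuses the key. Prefer the resource.id form of the rule wherever the OCID is already known, and tighten a compartment-scoped rule after provisioning.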