Shows the steps to select customer-managed master encryption keys on Autonomous Database. If you are using customer-managed master encryption keys, follow these steps to rotate the master keys.
Caution:The customer-managed encryption key is stored in Oracle Cloud Infrastructure Vault, external to the database host. If the customer-managed encryption key is disabled or deleted, the database will be inaccessible.
For details on using customer-managed keys where the Vault is located in a remote tenancy, see Use Customer-Managed Encryption Key Located in a Remote Tenancy.
On Autonomous Database you can choose customer-managed keys as follows:
While provisioning, under Advanced Options, on the Encryption Key tab.
While cloning, under Advanced Options, on the Encryption Key tab
Follow these steps if your Autonomous Database is using Oracle-managed keys and you want to switch to customer-managed encryption keys with the vault in the local tenancy, or if you are using customer-managed encryption keys and you want to rotate the master key.
- Perform the required customer-managed encryption key prerequisite steps as necessary. See Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database for more information.
- On the Details page, from the More actions drop-down list, select Manage encryption key.
- On the Manage encryption key page, select
Encrypt using customer-managed key in this
If you are already using customer-managed keys and you want to rotate the TDE keys, follow these steps and select a different key (select a key that is different from the currently selected master encryption key).
- Select a Vault.
Click Change Compartment to select a vault in a different compartment.
- Select a Master encryption key.
Click Change Compartment to select a master encryption key in a different compartment.
Description of the illustration adb_switch_master_key.png
When cross-region Autonomous Data Guard is enabled the Vault and Master encryption key values show the keys that are replicated in both the primary and the remote standby region.
- Click Save Changes.
The Lifecycle State changes to Updating. When the request completes, the Lifecycle State shows Available.
After the request completes, on the Oracle Cloud Infrastructure Console, the key information shows on the Autonomous Database Information page under the heading Encryption. This area shows the Encryption Key field with a link to the Master Encryption Key and the Encryption Key OCID field with the Master Encryption Key OCID.
See Notes for Using Customer-Managed Keys with Autonomous Database for more information.