Use Customer-Managed Encryption Keys on Autonomous Database

Shows the steps to select customer-managed master encryption keys on Autonomous Database, and, if you are already using customer-managed master encryption keys, the steps to rotate the master key.

Caution:

The customer-managed encryption key is stored in Oracle Cloud Infrastructure Vault, external to the database host. If the customer-managed encryption key is disabled or deleted, the database will be inaccessible.

On Autonomous Database you can choose customer-managed keys as follows:

  • While provisioning, under Advanced Options, on the Encryption Key tab select Encrypt using customer-managed keys.

  • While cloning, under Advanced Options, on the Encryption Key tab select Encrypt using customer-managed keys.

  • From an existing database, follow the steps in this section.

Follow these steps if your Autonomous Database is using Oracle-managed keys and you want to switch to customer-managed encryption keys, or if you are using customer-managed encryption keys and you want to rotate the master key.

  1. Perform the required customer-managed encryption key prerequisite steps as necessary. See Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database for more information.
  2. On the Details page, from the More Actions drop-down list, select Manage Encryption Key.
  3. On the Manage Encryption Key page, select Encrypt using customer-managed keys.

    If you are already using customer-managed keys and you want to rotate the TDE keys, follow these same steps and select a master encryption key that is different from the one currently in use.

  4. Select a Vault.

    Click Change Compartment to select a vault in a different compartment.

  5. Select a Master encryption key.

    Click Change Compartment to select a master encryption key in a different compartment.

    [Illustration: adb_switch_master_key.png (the Manage Encryption Key page)]
  6. Click Save Changes.

The Lifecycle State changes to Updating. When the request completes, the Lifecycle State shows Available.

After the request completes, on the Oracle Cloud Infrastructure Console, the key information shows on the Autonomous Database Information page under the heading Encryption. This area shows the Encryption Key field with a link to the Master Encryption Key and the Encryption Key OCID field with the Master Encryption Key OCID.
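The console steps above have a command-line equivalent, and the last two paragraphs describe what you should see afterwards. The following is an added example, not Oracle's code: it builds the CLI call for the key switch and checks the database details returned by `oci db autonomous-database get` for the outcome the text describes (Lifecycle State Available, the Encryption Key OCID matching the key you selected, and, for a rotation, a key OCID that differs from the previous one). The CLI flag names `--kms-key-id` and `--vault-id` are assumed from the `update` command, and every OCID in the sample is a constructed placeholder.

```python
import json
import re

# Constructed sample of the JSON that `oci db autonomous-database get` prints
# after a key switch. Every OCID below is a placeholder, not a real resource.
SAMPLE_ADB_JSON = json.dumps({
    "data": {
        "id": "ocid1.autonomousdatabase.oc1.iad.exampleadbexampleadb",
        "lifecycle-state": "AVAILABLE",
        "kms-key-id": "ocid1.key.oc1.iad.examplevaultext.examplenewkeyexample",
        "vault-id": "ocid1.vault.oc1.iad.examplevaultext.examplevaultexample",
    }
})

# OCID layout: ocid1.<resource type>.<realm>.[region].<unique id>; the region is
# empty for tenancy-level OCIDs and the unique id may contain several segments.
OCID_RE = re.compile(r"^ocid1\.(?P<rtype>[a-z]+)\.oc\d+\.[a-z0-9-]*\.[a-z0-9.]+$")


def is_ocid_of_type(value, rtype):
    """True if value looks like an OCID of the given resource type (e.g. 'key')."""
    m = OCID_RE.match(value or "")
    return bool(m) and m.group("rtype") == rtype


def parse_adb_details(json_text):
    """Return the 'data' object from the CLI's JSON output."""
    return json.loads(json_text)["data"]


def build_switch_key_command(adb_id, vault_id, key_id):
    """argv for the CLI equivalent of steps 3-6 (flag names are assumed)."""
    return [
        "oci", "db", "autonomous-database", "update",
        "--autonomous-database-id", adb_id,
        "--vault-id", vault_id,
        "--kms-key-id", key_id,
    ]


def verify_customer_managed_key(details, expected_key_id, previous_key_id=None):
    """Return a list of findings; an empty list means the switch or rotation looks right."""
    findings = []
    state = details.get("lifecycle-state")
    if state != "AVAILABLE":
        findings.append(f"lifecycle state is {state}, expected AVAILABLE")
    key_id = details.get("kms-key-id")
    if not key_id:
        # No Vault key on the database means it is still on Oracle-managed keys.
        findings.append("kms-key-id is empty: database is still using Oracle-managed keys")
        return findings
    if not is_ocid_of_type(key_id, "key"):
        findings.append(f"kms-key-id is not a Vault key OCID: {key_id}")
    if key_id != expected_key_id:
        findings.append("kms-key-id does not match the key that was selected")
    if previous_key_id is not None and key_id == previous_key_id:
        findings.append("kms-key-id is unchanged: rotation did not take effect")
    if not is_ocid_of_type(details.get("vault-id"), "vault"):
        findings.append("vault-id is missing or not a Vault OCID")
    return findings


if __name__ == "__main__":
    details = parse_adb_details(SAMPLE_ADB_JSON)
    print(" ".join(build_switch_key_command(details["id"], details["vault-id"], details["kms-key-id"])))
    old_key = "ocid1.key.oc1.iad.examplevaultext.exampleoldkeyexample"  # placeholder
    print(verify_customer_managed_key(details, details["kms-key-id"], previous_key_id=old_key))
```

Run the verification against the real `get` output after the Lifecycle State returns to Available; record the old and new key OCIDs from the Encryption section so a rotation can be confirmed rather than assumed.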