Rotate Encryption Keys
You can rotate the master encryption keys associated with an Autonomous AI Database on Dedicated Exadata Infrastructure using the Oracle Cloud Infrastructure Console.
Rotate the Encryption Key of an Autonomous Container Database
Required IAM Policies
manage autonomous-container-databases
Procedure
-
Go to the Details page of the Autonomous Container Database whose encryption key you want to rotate.
For instructions, see View Details of an Autonomous Container Database.
-
Under Actions, click Rotate Encryption Key.
-
(Optional) To use a customer encryption key (BYOK), select Rotate using the customer-provided key (BYOK). BYOK is supported in Oracle Public Cloud only.
-
For External KMS: Each third-party key is automatically assigned a key version in the external HSM.
-
Rotate the third-party keys in the external HSM so that the external HSM generates a new key version.
-
Copy the version ID of the rotated key and use it to rotate the key reference in OCI Key Management (EKMS) so that OCI Key Management (EKMS) can create a new Key version OCID.
-
Copy the newly created Key Version OCID from EKMS.
-
-
For OCI Vaults: Enter the OCID of the imported customer encryption key in Key Version OCID. The Key Version OCID that you enter should be associated with the current encryption key of the Autonomous Container Database.
-
-
Click Rotate encryption Key.
The Autonomous Container Database goes to the Updating status, the encryption key is rotated, and the Autonomous Container Database goes back to the Active status. How the encryption key is rotated depends on whether it is Oracle-managed or customer-managed :
-
Oracle-managed key: Autonomous AI Database rotates the encryption key, storing the new value in the secure key store on the Exadata system where the Autonomous Container Database resides.
-
Customer-managed key: Autonomous AI Database uses the underlying technology (Oracle Cloud Infrastructure Vault for Autonomous Container Databases on Oracle Public Cloud and Multicloud deployments, or Oracle Key Vault (OKV) for Autonomous Container Databases on either Oracle Public Cloud or Exadata Cloud@Customer, or AWS KMS for Autonomous AI Database on Oracle Database@AWS) to rotate the key and store the new value as a new version of the key in underlying technology, and then associates this new version with the Autonomous Container Database.
Rotating the AWS KMS key generates a new encryption context for the same key.
You can view the latest Key Version OCID and the entire Key History from your Autonomous Container Database details page. This is not applicable for AWS KMS keys.
Note: In case of cross region Data Guard with Customer Managed Keys, the replicated vault used by the standby is read-only. So, when the standby assumes the primary role from a failover, you cannot rotate the key.
Rotate the Encryption Key of an Autonomous AI Database
You rotate the encryption key of an Autonomous AI Database from its Details page.
-
Go to the Details page of the Autonomous AI Database whose encryption key you want to rotate.
For instructions, see View Details of a Dedicated Autonomous AI Database.
-
On Oracle Public Cloud, click Rotate Encryption Key under More actions, and on Exadata Cloud@Customer, click Rotate Encryption Key under Actions.
-
(Optional) To use a customer encryption key (BYOK), select Rotate using the customer-provided key (BYOK). BYOK is supported in Oracle Public Cloud only.
-
For External KMS: Each third-party key is automatically assigned a key version in the external HSM.
-
Rotate the third-party keys in the external HSM so that the external HSM generates a new key version.
-
Copy the version ID of the rotated key and use it to rotate the key reference in OCI Key Management (EKMS) so that OCI Key Management (EKMS) can create a new Key version OCID.
-
Copy the newly created Key Version OCID from EKMS.
-
-
For OCI Vaults: Enter the OCID of the imported customer encryption key in Key Version OCID. The Key Version OCID that you enter should be associated with the current encryption key of the Autonomous Container Database.
-
-
Click Rotate encryption Key.
The Autonomous AI Database goes to the Updating status, the encryption key is rotated, and the Autonomous AI Database goes back to the Active status. How the encryption key is rotated depends on whether it is Oracle-managed or customer-managed:
-
Oracle-managed key: Autonomous AI Database rotates the encryption key, storing the new value in the secure key store on the Exadata system where the Autonomous AI Database resides.
-
Customer-managed key: Autonomous AI Database uses the underlying technology (Oracle Cloud Infrastructure Vault for Autonomous Container Databases on Oracle Public Cloud and Multicloud deployments, or Oracle Key Vault (OKV) for Autonomous Container Databases on either Oracle Public Cloud or Exadata Cloud@Customer, or AWS KMS for Autonomous AI Database on Oracle Database@AWS) to rotate the key and store the new value as a new version of the key in underlying technology, and then associates this new version with the Autonomous Container Database.
Rotating the AWS KMS key generates a new encryption context for the same key.
You can view the latest Key Version OCID and the entire Key History from your Autonomous Container Database details page. This is not applicable for AWS KMS keys.
Note: In case of cross region Data Guard with Customer Managed Keys, the replicated vault used by the standby is read-only. So, when the standby assumes the primary role from a failover, you cannot rotate the key.