About Master Encryption Key Management on Autonomous Database

Autonomous Database provides two options for Transparent Data Encryption (TDE) to encrypt your database: Oracle-managed encryption keys and Customer-managed encryption keys.

Autonomous Database uses Transparent Data Encryption, including a TDE master key and TDE tablespace keys to encrypt data in the database. As shown in the following figure, the TDE master key generates and encrypts/decrypts the TDE tablespace keys, and the TDE tablespace keys encrypt the data files.

Description of adb_kms_keys.png follows
Description of the illustration adb_kms_keys.png

Oracle-Managed Master Encryption Keys on Autonomous Database

By default, Autonomous Database uses Oracle-managed encryption keys.

Using Oracle-managed keys, Autonomous Database creates and manages the encryption keys that protect your data and Oracle handles rotation of the TDE master key.

Customer-Managed Master Encryption Keys on Autonomous Database

With customer-managed master encryption keys, Autonomous Database uses the master encryption key in a customer-managed key vault to generate the TDE master key. If your organization's security policies require customer-managed encryption keys, you can configure Autonomous Database to use a master encryption key in the following key management systems: