CMEK Key Management Workflow

Learn about the supported management operations for Customer-Managed Encryption keys.

CMEK Key Management Operations

The OCI console allows you to perform the following CMEK management operations:
  • CMEK Assign
  • CMEK Assign with a Different CMEK
  • CMEK Disable
  • CMEK Delete
  • CMEK Restore
  • CMEK Removal

Each operation is explained in detail in the following sections.

CMEK Assign

You can use the OCI console to assign a CMEK to your dedicated environment.
Prerequisite:
  • You have created a CMEK in your vault. For procedure, see CMEK Creation.
Procedure:
  1. Sign in to your OCI console.
  2. Open the navigation menu located in the upper left corner, select Databases, and then select NoSQL Database.
  3. Select the drop-down option in the Environment field and select your dedicated environment.
  4. Below the Environment field, the Encryption Key shows Oracle-managed key. Select the Assign link next to the Oracle-managed key.
  5. In the Assign Master Encryption Key page, select your vault from the Vault drop-down.
  6. Select your CMEK from Master Encryption Key drop-down.
  7. Select Assign.

Oracle NoSQL Database Cloud Service validates the CMEK and then uses it to encrypt the Block Volumes and Object Storage keys in the chosen dedicated environment. The dedicated environment's state changes to UPDATING until all your Block Volumes and Object Storage keys are encrypted. During this time, the console shows the notification message Key update in progress. Note that the key update can take up to two minutes. After the CMEK assignment, the Encryption Key field shows your CMEK and its OCID.

CMEK Assign with a Different CMEK

You can use the OCI console to change CMEK in your dedicated environment. You use this procedure for key rotation.
Prerequisite:
  • You have created a CMEK and assigned it to your dedicated environment. For procedure, see CMEK Assign.
  • Create a different CMEK in the vault. For procedure, see CMEK Creation.
Procedure:
  1. Sign in to your OCI console.
  2. Open the navigation menu located in the upper left corner, select Databases, and then select NoSQL Database.
  3. Select the drop-down option in the Environment field and select your dedicated environment.
  4. Below the Environment field, the Encryption Key shows the CMEK and its OCID. Select the Edit link below the encryption key.
  5. In the Edit Master Encryption Key page, select your vault from the Vault drop-down.
  6. Select the required CMEK from Master Encryption Key drop-down.
  7. Select Update.

    Note:

    You can assign a different CMEK from the same vault or a CMEK from a different vault.

Oracle NoSQL Database Cloud Service validates the new CMEK and then uses it to re-encrypt your Block Volumes and Object Storage keys in the chosen dedicated environment. The dedicated environment's state changes to UPDATING until all your data in Block Volumes and Object Storage has been re-encrypted. During this time, the console shows the notification message Key update in progress. Note that the key update can take up to two minutes. After the CMEK rotation, the Encryption Key field shows the new CMEK and its OCID.

CMEK Disable

You can use the OCI console to disable CMEK that was previously assigned to your dedicated environment.
Prerequisite:
  • You have created CMEK and assigned it to your dedicated environment. For procedure, see CMEK Assign.
Procedure:
  1. Sign in to your OCI console.
  2. Open the navigation menu located in the upper left corner, select Identity & Security, and then select Vault.
  3. Select the vault where you created CMEK.
  4. Select your CMEK.
  5. In the Key Details page, select Disable and confirm the operation.

The CMEK's status shows disabled. The dedicated environment becomes unavailable for any operation within minutes. When you try to access the dedicated environment from the OCI console, it displays an error message stating that the CMEK is disabled.

CMEK Delete

You can use the OCI console to delete CMEK, which you previously assigned to your dedicated environment. CMEK deletion is a two-step process with a waiting period to prevent accidental deletion.
Prerequisite:
  • You have created CMEK and assigned it to your dedicated environment. For procedure, see CMEK Assign.
Procedure:
  1. Sign in to your OCI console.
  2. Open the navigation menu located in the upper left corner, select Identity & Security, and then select Vault.
  3. Select the vault where you created CMEK.
  4. Select your CMEK.
  5. In the Key Details page, select Delete Key.
  6. Select a deletion date and confirm the operation.

The CMEK's status shows pending deletion, which is equivalent to the disabled state. The dedicated environment becomes unavailable for any operation. When you try to access the dedicated environment from the OCI console, it displays an error message stating that the CMEK is disabled and pending deletion.

After the deletion date has passed, all your data in the dedicated environment becomes permanently unusable and irretrievable. When you try to access the dedicated environment from the OCI console, it displays an error message that CMEK is permanently deleted.

CMEK Restore

You can use the OCI console to re-enable CMEK that was previously disabled.
Prerequisite:
  • CMEK is in a disabled state.
Procedure:
  1. Sign in to your OCI console.
  2. Open the navigation menu located in the upper left corner, select Identity & Security, and then select Vault.
  3. Select the vault where you created CMEK.
  4. Select your CMEK.
  5. In the Key Details page, select Enable.

You must raise a CAM ticket to bring the dedicated environment back online after its CMEK has been re-enabled in the vault.
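The Disable, Delete and Restore sections above describe how a key's lifecycle state decides whether the dedicated environment is reachable and whether its data can still be recovered. The following added example (not from the original page or from Oracle) turns those rules into an audit check that a defender can run over key records pulled from the Vault API; it assumes the state names ENABLED, DISABLED, PENDING_DELETION and DELETED and the field names `id`, `lifecycle_state` and `time_of_deletion` match the Vault key summary, and the sample records are constructed with placeholder OCIDs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _parse_utc(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp (as the Vault API returns) to aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass
class KeyAssessment:
    key_id: str
    state: str
    environment_available: bool  # can the dedicated environment serve requests?
    recoverable: bool            # can the environment still be brought back?
    needs_cam_ticket: bool       # re-enabling the key alone does not bring it online
    days_until_permanent_loss: Optional[float]
    alert: Optional[str]


def assess_key(key_id: str, state: str, time_of_deletion: Optional[str],
               now: str) -> KeyAssessment:
    """Map a Vault key lifecycle state to the environment impact described above."""
    if state == "ENABLED":
        return KeyAssessment(key_id, state, True, True, False, None, None)
    if state == "DISABLED":
        return KeyAssessment(key_id, state, False, True, True, None,
                             "key disabled: environment offline; enable key, then raise CAM ticket")
    if state == "PENDING_DELETION":
        # Waiting period: data is still recoverable until the deletion date passes.
        days = (_parse_utc(time_of_deletion) - _parse_utc(now)).total_seconds() / 86400
        return KeyAssessment(key_id, state, False, days > 0, True, max(days, 0.0),
                             f"key pending deletion: {days:.1f} days until data is irretrievable")
    if state == "DELETED":
        return KeyAssessment(key_id, state, False, False, False, 0.0,
                             "key deleted: environment data permanently irretrievable")
    # Transitional states (ENABLING, DISABLING, UPDATING, ...): re-check later.
    return KeyAssessment(key_id, state, False, True, False, None,
                         f"key in transitional state {state}; re-check")


def audit_keys(records: list, now: str) -> list:
    """Return the assessments that need attention, given key-summary-like dicts."""
    out = [assess_key(r["id"], r["lifecycle_state"], r.get("time_of_deletion"), now)
           for r in records]
    return [a for a in out if a.alert is not None]


# Constructed sample records with placeholder OCIDs (not real keys).
SAMPLE_KEYS = [
    {"id": "ocid1.key.oc1..EXAMPLE-a", "lifecycle_state": "ENABLED"},
    {"id": "ocid1.key.oc1..EXAMPLE-b", "lifecycle_state": "PENDING_DELETION",
     "time_of_deletion": "2024-06-04T00:00:00Z"},
]
```

Feeding real records from the Vault API into `audit_keys` on a schedule gives an early warning while the deletion waiting period is still open, which is the only window in which the Delete section's data loss can be averted.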

CMEK Removal

You can use the OCI console to remove CMEK from your dedicated environment.
Prerequisite:
  • You have created CMEK and assigned it to your dedicated environment. For procedure, see CMEK Assign.
Procedure:
  1. Sign in to your OCI console.
  2. Open the navigation menu located in the upper left corner, select Databases, and then select NoSQL Database.
  3. Select the drop-down option in the Environment field and select your dedicated environment.
  4. Below the Environment field, the Encryption Key shows the CMEK and its OCID. Select the Unassign link below the Encryption Key.

Oracle NoSQL Database Cloud Service removes the CMEK from the dedicated environment and assigns an Oracle-managed key to it. All data in the Block Volumes and Object Storage of the chosen dedicated environment reverts to being encrypted with an Oracle-managed encryption key. After the CMEK removal, the Encryption Key field shows Oracle-managed key.