Provide Your Own Key

By default, Oracle provides and manages the TDE keys for encrypting the data in your Oracle Cloud Infrastructure Process Automation instance.

If your instance has Break Glass enabled, you can also replace the Oracle-provided private key with your own, which also enables you to rotate the keys as you require.

Note:

When you first switch to using your own key, you need to allow some time for your instance to be out of service. You should also back up any key artifacts in your instance.

Create and Import Your TDE Master Key

To provide your own key, follow these steps:

  1. In Workspace, open the navigation menu, and expand Administration. Click Break Glass.
  2. On the Provide Your Own Key page, click + Provide Your Own Key.
  3. In the Add Key dialog, click Public Key. Copy and note the key value that is displayed.
  4. Use OpenSSL to generate and encrypt your key:
    1. Create a new directory for the key and assign it to an environment variable:
      mkdir -p dir_of_key
      export KEYPATH=dir_of_key
      touch $KEYPATH/wrappingkey

      Paste the public key value that you obtained in step 3 into the $KEYPATH/wrappingkey file.

    2. Make sure the directory is restricted:
      chmod go-rwx $KEYPATH
    3. Generate the TDE master key:
      openssl rand 32 > $KEYPATH/clearkey
    4. Encrypt your generated TDE master key with the Oracle public wrapping key that you obtained in step 3:
      openssl pkeyutl -encrypt -in $KEYPATH/clearkey -inkey $KEYPATH/wrappingkey -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 > $KEYPATH/wrappedkey
    5. Encode wrappedkey in Base64:
      base64 $KEYPATH/wrappedkey > $KEYPATH/wrappedkey1
    6. Remove new line characters from wrappedkey1:
      perl -p -i -e 's/\R//g;' $KEYPATH/wrappedkey1
    7. Rename the file back to wrappedkey:
      mv $KEYPATH/wrappedkey1 $KEYPATH/wrappedkey
  5. In the External Key Data Source field, upload the encrypted TDE master key (wrappedkey, as in the above example).
  6. In the Email Address field, enter the email address of the person to notify when the reconfiguration of the Oracle Cloud Infrastructure Process Automation instance has finished and the instance is ready to be used again.
  7. Click Submit and then Confirm.

Update the Key

If you have previously provided your own TDE key for your Oracle Cloud Infrastructure Process Automation instance, you can update that key.

  1. In Workspace, open the navigation menu, and expand Administration. Click Break Glass.
  2. On the Provide Your Own Key page, click + Update the key.
  3. Click Public Key to download the Oracle public wrapping key that you will need to encrypt your own transparent data encryption (TDE) master key.
  4. Use OpenSSL to generate and encrypt your key:
    1. Create a new directory for the key and assign it to an environment variable:
      mkdir -p dir_of_key
      export KEYPATH=dir_of_key
    2. Make sure the directory is restricted:
      chmod go-rwx $KEYPATH
    3. Generate the TDE master key:
      openssl rand 32 > $KEYPATH/clearkey
    4. Encrypt your generated TDE master key with the Oracle public wrapping key that you downloaded in step 3 (saved as $KEYPATH/wrappingkey):
      openssl pkeyutl -encrypt -in $KEYPATH/clearkey -inkey $KEYPATH/wrappingkey -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 > $KEYPATH/wrappedkey
  5. In the External Key Data Source field, upload the encrypted TDE master key.
  6. Click Submit and then Confirm.
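The following script is an added example, not Oracle's own tooling, that runs the OpenSSL steps from both procedures above (create and update) end to end in a scratch directory. Because the Oracle public wrapping key is only available from the Break Glass page, the script generates a local RSA key pair to stand in for it (an assumption: the private half exists here only so the wrap can be unwrapped and checked offline). The functions make_stand_in_wrapping_key, wrap_tde_key, clear_key_bytes, wrapped_line_count and unwrap_matches are names chosen for this example; the checks confirm what a practitioner wants to know before uploading: the clear key is 32 bytes, the Base64 output is a single line, and the wrapped blob really decrypts back to the original key under RSA-OAEP with SHA-256.

```shell
#!/bin/sh
# Added example: exercises the wrap steps of the procedure above in a scratch
# directory with a locally generated stand-in for the Oracle wrapping key.
set -eu

# Reuse KEYPATH if it is already set (as in the procedure), else use a temp dir.
KEYPATH="${KEYPATH:-$(mktemp -d)}"
chmod go-rwx "$KEYPATH"

# Stand-in for the Oracle public wrapping key (assumption: RSA, as the OAEP
# options in the procedure imply). In the real procedure only the public key
# exists on your side; the private half here is only for the offline check.
make_stand_in_wrapping_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEYPATH/wrappingkey.priv" 2>/dev/null
    openssl pkey -in "$KEYPATH/wrappingkey.priv" -pubout -out "$KEYPATH/wrappingkey"
}

# Steps 4.3 to 4.7: 32 random bytes, RSA-OAEP(SHA-256) wrap, single-line Base64.
wrap_tde_key() {
    openssl rand 32 > "$KEYPATH/clearkey"
    openssl pkeyutl -encrypt -in "$KEYPATH/clearkey" -inkey "$KEYPATH/wrappingkey" -pubin \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 > "$KEYPATH/wrappedkey"
    # tr -d does the same job as the perl one-liner in the procedure.
    base64 "$KEYPATH/wrappedkey" | tr -d '\n\r' > "$KEYPATH/wrappedkey1"
    mv "$KEYPATH/wrappedkey1" "$KEYPATH/wrappedkey"
}

# Check 1: the TDE master key must be exactly 32 bytes (AES-256 sized).
clear_key_bytes() {
    wc -c < "$KEYPATH/clearkey" | tr -d ' '
}

# Check 2: the upload file must contain no newline characters at all,
# so wc -l must report 0 lines.
wrapped_line_count() {
    wc -l < "$KEYPATH/wrappedkey" | tr -d ' '
}

# Check 3: decode the Base64, unwrap with the stand-in private key and
# compare with the clear key; prints "yes" on a byte-exact match.
unwrap_matches() {
    base64 --decode "$KEYPATH/wrappedkey" > "$KEYPATH/wrappedkey.bin"
    openssl pkeyutl -decrypt -in "$KEYPATH/wrappedkey.bin" -inkey "$KEYPATH/wrappingkey.priv" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 > "$KEYPATH/unwrapped"
    if cmp -s "$KEYPATH/clearkey" "$KEYPATH/unwrapped"; then echo yes; else echo no; fi
}

# Run the whole sequence when executed directly.
make_stand_in_wrapping_key
wrap_tde_key
echo "clear key bytes:      $(clear_key_bytes)"
echo "wrapped file lines:   $(wrapped_line_count)"
echo "unwrap matches:       $(unwrap_matches)"
echo "artifacts in:         $KEYPATH"
```

When you run the real procedure, replace make_stand_in_wrapping_key with pasting the key from the Add Key dialog into $KEYPATH/wrappingkey; the unwrap check is then not possible on your side, but the byte-count and line-count checks still apply, and the clearkey file is the secret to protect and back up, as the note at the top of this page advises.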

Note:

Once you create or update your key, you have to wait 16 days or more before you can update it again.