Bring Your Own Key (BYOK) Overview

Bring Your Own Key (BYOK) lets you use and manage your own encryption keys to secure data in Oracle Fusion Cloud Enterprise Performance Management and Oracle Fusion Cloud Enterprise Data Management environments.

By default, the service uses an Oracle-managed Transparent Data Encryption (TDE) key to encrypt data. With BYOK, you use customer-managed keys stored in Oracle Cloud Infrastructure (OCI) Vault.

Key Capabilities

  • Maintain full control over encryption keys
  • Use OCI Vault for secure key management
  • Import externally generated keys into OCI Vault
  • Align encryption with compliance and regulatory requirements
  • Centrally manage and audit encryption keys

Setting Up BYOK

Before you begin, ensure that Oracle Break Glass is enabled for your environments.

To set up BYOK:
  1. Submit a Service Request (SR) to enable BYOK on your environments. See Creating a Request to Enable Bring Your Own Key (BYOK) in the Operations Guide.
  2. Obtain the following OCIDs from the SR:
    • EPM Cloud tenancy OCID
    • Database dynamic group OCID
    • Instance principal dynamic group OCID
  3. Create an OCI vault or select an existing vault.
  4. For each region in each tenancy, do the following:
    • Create or import one encryption key in the vault for production environments.
    • Create or import another encryption key in the vault for test environments.
  5. Create IAM policies using the provided OCIDs.
  6. For each region in each tenancy, do the following:
    • Assign the test key created or imported for that region and tenancy to one test environment. All test environments in this region and tenancy use the same test key.
    • Assign the production key created or imported for that region and tenancy to one production environment. All production environments in that region and tenancy use the same production key.

Considerations

  • Provide one vault and key combination per environment type (test and production), for each region in each tenancy.

    Example: If you have two tenancies, each with four production environments and four test environments across two regions, you need:

    • 4 production keys (one per tenancy per region)
    • 4 test keys (one per tenancy per region)

    Total: 8 keys

  • After you create a new environment, submit a new SR to enable BYOK for that environment.
  • If the environment belongs to an existing tenancy and region where you have already configured BYOK, you do not need to create or configure new keys.
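The key layout in steps 4 and 6 above and in these considerations follows one rule: one key per (tenancy, region, environment type), shared by every environment in that group. The planner below is an added example (not Oracle's code or tooling) that derives the required keys from an inventory of environments, checks whether a new environment can reuse an existing key, and validates a key assignment against that rule; tenancy names, region names and key labels are constructed placeholders, not real OCIDs.

```python
from collections import defaultdict

# Constructed inventory mirroring the page's example: two tenancies, two
# regions, four production and four test environments per tenancy.
ENVIRONMENTS = [
    (tenancy, region, env_type, f"{tenancy}-{region}-{env_type}-{n}")
    for tenancy in ("tenancy-A", "tenancy-B")
    for region in ("us-ashburn-1", "uk-london-1")
    for env_type in ("production", "test")
    for n in (1, 2)
]

def required_keys(envs):
    """Group environments by (tenancy, region, env_type); each group needs
    exactly one vault key, shared by every environment in the group."""
    groups = defaultdict(list)
    for tenancy, region, env_type, name in envs:
        if env_type not in ("production", "test"):
            raise ValueError(f"unknown environment type: {env_type}")
        groups[(tenancy, region, env_type)].append(name)
    return dict(groups)

def needs_new_key(existing_envs, tenancy, region, env_type):
    """True only when the new environment's tenancy/region/type has no BYOK
    key yet; otherwise the existing key is reused (an SR is still needed)."""
    return (tenancy, region, env_type) not in required_keys(existing_envs)

def plan_assignment(envs):
    """Map every environment to a key label (hypothetical labels, not OCIDs)."""
    return {name: f"key-{t}-{r}-{e}"
            for (t, r, e), names in required_keys(envs).items() for name in names}

def validate_assignment(envs, assignment):
    """Flag an unassigned environment, a group using several keys, or one key
    shared across groups (e.g. a test key used for production, or a key
    reused in another region or tenancy)."""
    problems, key_owner = [], {}
    for group, names in required_keys(envs).items():
        keys = {assignment.get(n) for n in names}
        if None in keys:
            problems.append(f"{group}: environment without a key")
        keys.discard(None)
        if len(keys) > 1:
            problems.append(f"{group}: uses several keys {sorted(keys)}")
        for key in keys:
            if key_owner.setdefault(key, group) != group:
                problems.append(f"{key}: shared by {key_owner[key]} and {group}")
    return problems
```

For the constructed inventory, `required_keys` yields the 8 keys the example above arrives at (4 production, 4 test).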