Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Assign and Manage a new Encryption Key Version to a CDB or PDB on Oracle Base Database Service
Introduction
We are pleased to announce the general availability (GA) of Bring Your Own Key (BYOK) support on Oracle Base Database Service. For databases whose master encryption key is being managed using Oracle Cloud Infrastructure (OCI) Vault service, this feature allows you to assign key versions separately to the Container Databases (CDBs) and the Pluggable Databases (PDBs) after provisioning. In addition, key rotation can now be independently performed on the CDBs and the PDBs.
Note: This feature leverages the bring-your-own-key experience by assigning a key version of your choice separately to the CDB or PDB, providing enough isolation for maintaining the master encryption key.
Objectives
- Assign a new encryption key version to a CDB or PDB.
- Rotate the encryption key for a CDB or PDB.
Prerequisites
- A master encryption key for a CDB or PDB that is stored in the OCI Vault.
Task 1: Assign a new Encryption Key Version to a Container Database or Pluggable Database
- Log in to the OCI Console, go to Oracle Database and click Oracle Base Database Service.
- Click the name of the DB system that contains the CDB and PDB to which you want to assign the new encryption key version.
- In the Databases section of the DB System Details page, click the name of the database (CDB) for which you want to assign a new encryption key.
- In the Database Details page, click the More Actions drop-down menu and Manage Encryption Key.
- Select Assign a new key version, enter the key version OCID copied from the master encryption key stored in the OCI Vault and click Update.
Note: This key version should belong to the same key that the CDB or the PDB is assigned to.
You can copy the key version OCID for a CDB or a PDB by navigating to Key Management & Secret Management, then Vault. Select the vault and the key where the master encryption key is stored.
To assign a new key version to a PDB, go to the PDB Details page, click the More Actions drop-down menu and Manage Encryption Key, then click Assign a new key version. Enter the key version OCID for the PDB copied from the master encryption key stored in the OCI Vault and click Update.
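Before clicking Update, a practitioner will want to confirm that the pasted key version OCID really is a version of the master key the database is assigned to, and that the version is enabled. The following check is an added example, not part of this tutorial or of Oracle's tooling; it assumes JSON in the shape returned by `oci db database get` and `oci kms management key-version list` (the field names kms-key-id, kms-key-version-id, key-id and lifecycle-state are assumptions about the CLI output) and uses constructed placeholder OCIDs.

```python
import json
import re

# Constructed sample in the assumed shape of `oci db database get --database-id ...`
DATABASE_JSON = json.dumps({"data": {
    "id": "ocid1.database.oc1.iad.EXAMPLE_DB",
    "kms-key-id": "ocid1.key.oc1.iad.EXAMPLE_VAULTKEY.abc",
    "kms-key-version-id": "ocid1.keyversion.oc1.iad.EXAMPLE_VAULTKEY.abc.v1",
}})

# Constructed sample in the assumed shape of
# `oci kms management key-version list --key-id ... --endpoint ...`
KEY_VERSIONS_JSON = json.dumps({"data": [
    {"id": "ocid1.keyversion.oc1.iad.EXAMPLE_VAULTKEY.abc.v1",
     "key-id": "ocid1.key.oc1.iad.EXAMPLE_VAULTKEY.abc", "lifecycle-state": "ENABLED"},
    {"id": "ocid1.keyversion.oc1.iad.EXAMPLE_VAULTKEY.abc.v2",
     "key-id": "ocid1.key.oc1.iad.EXAMPLE_VAULTKEY.abc", "lifecycle-state": "ENABLED"},
    {"id": "ocid1.keyversion.oc1.iad.EXAMPLE_VAULTKEY.abc.v0",
     "key-id": "ocid1.key.oc1.iad.EXAMPLE_VAULTKEY.abc", "lifecycle-state": "DISABLED"},
]})

# OCID layout: ocid1.<resource-type>.<realm>.<region>.<unique-id>; the unique part may contain dots.
OCID_RE = re.compile(r"^ocid1\.(?P<type>[a-z]+)\.[a-z0-9]+\.[a-z0-9-]*\.[A-Za-z0-9_.-]+$")


def check_key_version(candidate: str, database_json: str, key_versions_json: str) -> list:
    """Return the list of problems found; an empty list means the assignment is consistent."""
    problems = []
    m = OCID_RE.match(candidate)
    if not m or m.group("type") != "keyversion":
        # A key OCID pasted by mistake, or a malformed value, fails here.
        return ["candidate is not a keyversion OCID"]
    db = json.loads(database_json)["data"]
    versions = {v["id"]: v for v in json.loads(key_versions_json)["data"]}
    if candidate not in versions:
        return ["candidate is not among the listed versions of the key"]
    version = versions[candidate]
    if version["key-id"] != db["kms-key-id"]:
        problems.append("key version belongs to a different master key than the database")
    if version["lifecycle-state"] != "ENABLED":
        problems.append(f"key version is {version['lifecycle-state']}, not ENABLED")
    if candidate == db.get("kms-key-version-id"):
        problems.append("database already uses this key version (no-op)")
    return problems


if __name__ == "__main__":
    for vid in ("v2", "v0"):
        ocid = f"ocid1.keyversion.oc1.iad.EXAMPLE_VAULTKEY.abc.{vid}"
        print(ocid, check_key_version(ocid, DATABASE_JSON, KEY_VERSIONS_JSON) or "OK")
```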
Task 2: Rotate Encryption Key for a Container Database or Pluggable Database
Rotate Key is an existing feature at the CDB level. We are extending this functionality to the PDB level, so it now works independently at the CDB and PDB levels. Rotating the key of the CDB will generate a new key version for the CDB only. Similarly, rotating the key of the PDB will generate a new key version for the PDB only.
- Navigate to the Database Details page of the Container Database or Pluggable Database.
- Click the More Actions drop-down menu and Manage Encryption Key.
- Select Rotation Encryption Key and click Update.
Note: Rotating the key of the CDB will generate a new key version for the CDB only. Similarly, rotating the key of the PDB will generate a new key version for the PDB only.
To rotate the encryption key for a Pluggable Database, go to the PDB Details page, click the More Actions drop-down menu and Manage Encryption Key. Select Rotation Encryption Key and click Update.
Acknowledgments
- Authors - Pravin Jha, Tammy Bednar, Leo Alvarado (Product Management)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
G14585-01
September 2024