Note:

Integrate Customer-Managed Keys with Full Clone Option for Oracle Autonomous Database Serverless in DR Drill Plans

Introduction

Oracle Cloud Infrastructure Full Stack Disaster Recovery (OCI Full Stack DR) orchestrates the transition of compute, database, and applications between Oracle Cloud Infrastructure (OCI) regions from around the globe with a single click. Customers can automate the steps needed to recover one or more business systems without redesigning or re-architecting existing infrastructure, databases, or applications and without needing specialized management or conversion servers.

Oracle Autonomous Database Serverless provides an easy-to-use, fully autonomous database that scales elastically and delivers fast query performance. As a service, Oracle Autonomous Database does not require traditional database administration.

Some of the key features of Autonomous Database Serverless are:

Autonomous Database Serverless provides two options for Transparent Data Encryption (TDE) to encrypt your database.

With OCI Full Stack DR, when you create DR drill plan types there are three clone types to choose from for Autonomous Database Serverless. Let us see the details.

The default pre-selected option is to create and use a Refreshable Clone for DR drills. However, if you select the Full Clone option for performing DR drills, a new feature now allows you to specify a customer-managed key to be used when creating the Full Clone.

Note: This feature is only applicable to DR Drill plans when using the Full Clone option. Autonomous Database Serverless does not support the use of customer-managed keys when creating a Refreshable Clone.

For more information about Autonomous Database Serverless and its clone types, see Using Oracle Autonomous Database Serverless Manage the Service.

For more information about master encryption key management, see About Master Encryption Key Management on Autonomous Database.

Architecture Description

This tutorial explains how to add Autonomous Database Serverless with Customer-managed encryption keys in the OCI Full Stack DR Start Drill plan with the Full Clone option.

In this setup, the Autonomous Database Serverless is set up with cross-region Oracle Autonomous Data Guard from the primary to the standby region.

To set this up in OCI Full Stack DR, make sure to add the primary Autonomous Database Serverless in the primary protection group and standby Autonomous Database Serverless in the standby protection group.

This feature is only available when you select Full Clone in the Standby Type for DR drill member properties while adding the Autonomous Database Serverless members.

During the Start Drill plan execution, OCI Full Stack DR will create an Autonomous Database Serverless database with the provided Customer-managed keys in the standby region.

fsdr_adbs-cmk_Physical_Architecture.png

Definitions and Assumptions throughout the Tutorial

Objectives

The following tasks will be covered in this tutorial:

Prerequisites

We will use the following resources to start with the tutorial. By the end of the tutorial, we will create DR protection groups in both regions, add members, create DR plans and run those plans.

Resources                 Region 1 - London          Region 2 - Frankfurt
------------------------  -------------------------  -------------------------
Object Storage Bucket     fsdr-bucket-lon            fsdr-bucket-fra
Autonomous Database       appdev                     appdev_FRA
Vault                     fsdr-vault-santhosh-lhr    fsdr-vault-santhosh-lhr
Encryption key            suraj                      suraj
Secret (DB admin pwd)     atp-lon                    atp-lon

In this tutorial, we will show how to add Autonomous Database Serverless with customer-managed keys for the Start Drill DR plan Full Clone option. You must complete all the required prerequisites before proceeding further. These steps lay the foundation for a smooth and successful OCI Full Stack DR setup; skipping any of them could cause issues during DR plan executions.

Task 1: Verify the Vaults, Encryption Keys and Secrets in both Regions

Note: This task only verifies the pre-created vaults, encryption keys and secrets in both regions. If you have not created them, create them as per the prerequisites.

  1. Go to the OCI Console and navigate to Vault as shown in Figure 1.1.

    1. Ensure the OCI region context is set to Region 1 (London).
    2. Click Identity & Security.
    3. Click Key Management & Secret Management.
    4. Click Vault.
    5. Select the fsdr-vault-santhosh-lhr vault.
    6. Verify the Replication Role; it should show as Source.
    7. Navigate to Master Encryption Keys and you should see the key suraj, which we will use as the customer-managed key for the Autonomous Database Serverless database.
    8. Navigate to Secrets and you should see the secret atp-lon, which we will use while adding the autonomous database as a member in the OCI Full Stack DR protection group.

    adbcmk-vault-lon-verify.png
    Figure 1.1: Verify vault in region 1

    adbcmk-vault-mkey-lon-verify.png
    Figure 1.2: Verify the master encryption key in region 1

    adbcmk-vault-secret-lon-verify.png
    Figure 1.3: Verify the secret in region 1

    Note:

    • Vault replication automatically replicates the master encryption keys from the source region to the destination region, hence you do not have to create the master encryption key in region 2.
    • Secrets (atp-lon) must be created manually in each region; vault replication does not replicate secrets.
  2. Go to the OCI Console and navigate to Vault as shown in Figure 1.4.

    1. Ensure the OCI region context is set to Region 2 (Frankfurt).
    2. Click Identity & Security.
    3. Click Key Management & Secret Management.
    4. Click Vault.
    5. Select the fsdr-vault-santhosh-lhr vault.
    6. Verify the Replication Role; it should show as Destination.
    7. Navigate to Master Encryption Keys and you should see the replicated key suraj, which we will use as the customer-managed key for the Autonomous Database Serverless database.
    8. Navigate to Secrets and you should see the secret atp-fra, which we will use while adding the autonomous database as a member in the OCI Full Stack DR protection group.

    adbcmk-vault-fra-verify.png
    Figure 1.4: Verify vault in region 2

    adbcmk-vault-mkey-fra-verify.png
    Figure 1.5: Verify the master encryption key in region 2

    adbcmk-vault-secret-fra-verify.png
    Figure 1.6: Verify the secret in region 2

    Note: Secrets (atp-fra) must be created manually in each region; vault replication does not replicate secrets.

Task 2: Verify that the Autonomous Database Serverless, Oracle Autonomous Data Guard and the Database is using Customer-Managed Encryption Keys in both Regions

Note: This task only verifies that the pre-created Autonomous Database Serverless database with a cross-region Oracle Autonomous Data Guard setup has been created as per the prerequisites.

  1. Go to the OCI Console and navigate to Autonomous Databases as shown in Figure 2.1.

    1. Ensure the OCI region context is set to Region 1 (London).
    2. Click Oracle Database.
    3. Click Autonomous Database.
    4. Select the appdev database.
    5. The appdev database will be in Primary role.
    6. Navigate to the Encryption section in the Autonomous Database information.
    7. Click Disaster recovery.
    8. Verify the Peer Autonomous database details. It should show the database name, Peer role, Region, DR type. The Oracle Autonomous Data Guard will be enabled in Region 2 (Frankfurt).

    adbcmk-adb-lon-verifycmk.png
    Figure 2.1: Verify ADB CMK in region 1

    adbcmk-adb-lon-verifyadug.png
    Figure 2.2: Verify Autonomous Data Guard in region 1

  2. Go to the OCI Console and navigate to Autonomous Databases as shown in Figure 2.3.

    1. Ensure the OCI region context is set to Region 2 (Frankfurt).
    2. Click Oracle Database.
    3. Click Autonomous Database.
    4. Select the appdev_FRA database.
    5. The appdev_FRA database will be in Standby role.
    6. Navigate to the Encryption section in the Autonomous Database information.
    7. Click Disaster recovery.
    8. Verify the Peer Autonomous database details. It should show the database name, Peer role, Region, DR type. The Oracle Autonomous Data Guard will be enabled in Region 1 (London).

    adbcmk-adb-fra-verifycmk.png
    Figure 2.3: Verify ADB CMK in region 2

    adbcmk-adb-fra-verifyadug.png
    Figure 2.4: Verify Autonomous Data Guard in region 2

Task 3: Create DR Protection Groups (DRPGs) in both Regions

Create DR protection groups in Region 1 and Region 2 if the protection groups for this application stack do not exist yet.

Task 3.1: Create a Protection Group in Region 1

  1. Go to the OCI Console and navigate to DR Protection Groups as shown in Figure 3.1.

    1. Ensure the OCI region context is set to Region 1 (London).
    2. Click Migration & Disaster Recovery.
    3. Click DR Protection Groups.

    drpg-create-lon-nav.png
    Figure 3.1: Navigate to DR protection groups

  2. Create a basic DR protection group (DRPG) in Region 1 as shown in Figure 3.2. The peer, role and members will be assigned in later steps.

    1. Select the Compartment where you want the DRPG to be created.
    2. Click Create DR protection group.
    3. Enter Name for the DRPG.
    4. Select OCI Object Storage bucket for OCI Full Stack DR logs.
    5. Click Create.

    drpg-create-lon-finish.png
    Figure 3.2: Parameters needed to create DR protection group in region 1

Task 3.2: Create a Protection Group in Region 2

  1. Go to the OCI Console and navigate to DR Protection Groups as shown in Figure 3.3.

    1. Ensure the OCI region context is set to Region 2 (Frankfurt).
    2. Click Migration & Disaster Recovery.
    3. Click DR Protection Groups.

    drpg-create-fra-nav.png
    Figure 3.3: Navigate to DR protection groups

  2. Create a basic DR protection group (DRPG) in Region 2 as shown in Figure 3.4. The peer, role and members will be assigned in later steps.

    1. Select the Compartment where you want the DRPG to be created.
    2. Click Create DR protection group.
    3. Enter Name for the DRPG.
    4. Select OCI Object Storage bucket for OCI Full Stack DR logs.
    5. Click Create.

    drpg-create-fra-finish.png
    Figure 3.4: Parameters needed to create DR protection group in region 2

Task 3.3: Associate Protection Groups in Region 1 and Region 2

Associate the DRPGs in each region as peers of each other and assign the peer roles of primary and standby. The roles of primary and standby are automatically changed by OCI Full Stack DR as part of any DR operation/DR plan execution; there is no need to manage the roles manually at any time.

  1. Go to the DR protection group details page.

    1. Ensure OCI region context is set to Region 1 (London).
    2. Click Associate to begin the process.

    drpg-assoc-begin-lon.png
    Figure 3.5: Begin DRPG association

  2. Enter the parameters as shown in the following image.

    1. Role: Select Primary role. OCI Full Stack DR will assign the standby role to Region 2 automatically.
    2. Peer region: Select Region 2 (Frankfurt), where the other DRPG was created.
    3. Peer DR protection group: Select the peer DRPG that was created.
    4. Click Associate.

    drpg-assoc-finish-lon.png
    Figure 3.6: Parameters needed to associate the DRPGs

Once the association is completed, OCI Full Stack DR will show something like the following image.

drpg-assoc-completed-lon.png
Figure 3.7: Showing the peer relationship from the individual DRPG perspective

The same information can be found from the global view showing all DR protection groups, as shown in the following image.

drpg-assoc-completed-lon.png
Figure 3.8: Showing the peer relationship from the global DRPG perspective

Task 4: Add members to the DR Protection Groups

Note: You should have already created the Autonomous Database Serverless with cross-region Oracle Autonomous Data Guard and customer-managed keys enabled from Region 1 to Region 2. If not, create it as per the prerequisites.

Task 4.1: Add Members to DRPG in Region 1

  1. Select the DRPG in Region 1 as shown in the following image.

    1. Ensure the OCI region context is Region 1 (London).
    2. Select the DRPG in Region 1.
    3. Select Members.
    4. Click Add Member to begin the process.

    drpg-add-nav-lon.png
    Figure 4.1: How to begin adding members to DR protection group in region 1

  2. Add autonomous database as member.

    1. Acknowledge warning about DR plans.
    2. Select Autonomous database as the member resource type.
    3. Select appdev as the Autonomous database. This is the primary database.
    4. Select Full clone in Standby type for DR drill. This is essential, because the new Autonomous Database Serverless customer-managed keys feature is applicable only if you select Full clone. Selection of customer-managed keys is not available for the other two clone options.
    5. Select atp-lon as the Database password secret. This admin password will be used for creating the clone database during the start drill.
    6. Select fsdr-vault-santhosh-lhr as Destination vault.
    7. Select suraj as Destination encryption key.
    8. Verify all the details and click Add.

    drpg-add-adb-s-lon-complete.png
    Figure 4.2: ADB-S Added to the DRPG in Region 1

With this, we have successfully added the required members to the DR Protection Group in Region 1.

Task 4.2: Add Members to DRPG in Region 2

  1. Select the DRPG in Region 2 as shown in the following image.

    1. Ensure the OCI region context is Region 2 (Frankfurt).
    2. Select the DRPG in Region 2.
    3. Select Members.
    4. Click Add Member to begin the process.

    drpg-add-nav-fra.png
    Figure 4.3: How to begin adding members to DR protection group in region 2

  2. Add autonomous database as a member.

    1. Acknowledge warning about DR plans.
    2. Select Autonomous database as the member resource type.
    3. Select appdev_FRA as the Autonomous database. This is the standby database.
    4. Select Full clone in Standby type for DR drill. Note: This is important, because the new Autonomous Database Serverless customer-managed keys feature is applicable only if you select Full clone. Selection of customer-managed keys is not available for the other two clone options.
    5. Select atp-fra as the Database password secret. This admin password will be used for creating the clone database during the start drill.
    6. Select fsdr-vault-santhosh-lhr as Destination vault.
    7. Select suraj as Destination encryption key.
    8. Verify all the details and click Add.

    drpg-add-adb-s-fra-complete.png
    Figure 4.4: ADB-S Added to the DRPG in Region 2

With this, we have successfully added the required members to the DR Protection Group in Region 2.

Task 5: Create the Start Drill plan in Region 2

In this task, since the feature is relevant only for drill plans, we will create only start drill and stop drill plans.

OCI Full Stack DR will pre-populate these plans with built-in steps derived from the member resources added during the previous tasks. DR plans are always created within the protection group holding the standby role. Since Region 2 (Frankfurt) is currently the standby protection group, we will begin creating the plans there.

Task 5.1: Create Start Drill DR Plan

  1. Create Start Drill plan by selecting the DRPG in Region 2 (Frankfurt).

    1. Ensure the OCI region context is Region 2 (Frankfurt).
    2. Select the standby DRPG in Region 2.
    3. Select Plans.
    4. Click Create Plan to begin the process.

    plan-create-nav-fra.png
    Figure 5.1: How to begin creating Start Drill plan in Region 2

  2. Create a Start Drill plan.

    1. Enter a simple and meaningful Name for the start drill. The name should be as short as possible but easy to understand at a glance to help reduce confusion and human error during a crisis.
    2. Select Plan type as Start drill.
    3. Click Create.

    plan-create-startdrill-fra.png
    Figure 5.2: The parameters needed to create DR Start Drill plan

  3. The standby DR protection group in Region 2 should now have a Start Drill plan as shown in the following image. This plan creates a full clone of the Autonomous Database Serverless in Region 2 from the primary Autonomous Database Serverless running in Region 1.

    plan-create-fra-completed.png
    Figure 5.3: Showing the start DR plan that must exist in region 2 before proceeding any further

Task 6: Run the Prechecks and Start Drill plan in Region 2

The Start Drill plan created in Task 5 contains pre-populated steps for recovery tasks that are built into OCI Full Stack DR.

Verify the Start Drill plan.

plan-startdrill-fra-groups-show.png
Figure 6.1: Plan groups for the Start Drill plan

Task 6.1: Run Prechecks for the Start Drill plan

  1. Ensure the region context is set to standby Region 2.
  2. Ensure the correct DR protection group in Region 2 is selected; it should have the standby role.
  3. Click the Start Drill plan name.
  4. Click Run prechecks.

prechecks-start-drill-fra-begin.png
Figure 6.2: Showing how to run prechecks of the Start Drill plan

prechecks-start-drill-fra-complete.png
Figure 6.2: Showing a Completed prechecks of the Start Drill plan

Task 6.2: Run the Start Drill in Region 2

Run the Start Drill DR plan. This will create a new Autonomous Database Serverless with customer-managed keys in Region 2.

  1. Ensure the region context is set to standby Region 2.

  2. Ensure the correct DR protection group in Region 2 is selected; it should have the standby role.

  3. Click the Start Drill plan name.

  4. Click Execute plan.

  5. Deselect Enable prechecks, since they were already executed in Task 6.1.

  6. Click Execute DR plan to begin.

    exec-startdrill-fra-begin.png
    Figure 6.3: Showing how to Run the Start Drill plan

    Monitor the Start Drill plan. The execution of the Start Drill plan was successfully completed in approximately 10 minutes.

    exec-startdrill-fra-in-complete.png
    Figure 6.4: Showing a Completed Start Drill plan execution.

  7. Let us validate the Autonomous Database Serverless database (appdev_DRDrillClone) which was created in Region 2. Navigate to Autonomous Database from the Oracle Database section. You can see that a full clone database is created and ready to use. You can also validate that the customer-managed key provided in the OCI Full Stack DR member properties has been used.

    adb-clone-startdrill-created.png
    Figure 6.5: Showing Clone ADB is created.

  8. Verify the DR protection group status. Since the Start Drill plan has been executed, the DR protection group status will show as Inactive (Drill in progress). To make it active you must run the Stop Drill plan, which we do in the next task.

    drpg-start-drill-fra-status-changed.png
    Figure 6.6: Drill in progress in Region 2

    drpg-start-drill-lon-status-changed.png
    Figure 6.7: Drill in progress in Region 1

    Note: The roles of the protection group will change only for successful executions of switchover and failover DR plans.
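The checks in Task 2 and in step 7 above are done by eye in the console. The following script is an added example (not part of the original tutorial or of OCI Full Stack DR) that performs the same verification with the OCI Python SDK: it confirms the database is AVAILABLE, carries the expected Data Guard role where one is expected, and is encrypted with the expected customer-managed key in the expected vault rather than with an Oracle-managed key. The OCIDs in the sample run are constructed placeholders; the live lookup assumes a configured ~/.oci/config.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AdbEncryptionView:
    """Subset of the Autonomous Database fields that matter for this check."""
    db_name: str
    lifecycle_state: str
    role: Optional[str]          # PRIMARY / STANDBY for Data Guard members, None for a standalone clone
    kms_key_id: Optional[str]    # None means Oracle-managed encryption
    vault_id: Optional[str]


def check_cmk(db: AdbEncryptionView, expected_key_id: str, expected_vault_id: str,
              expected_role: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the database passes."""
    findings: List[str] = []
    if db.lifecycle_state != "AVAILABLE":
        findings.append(f"{db.db_name}: lifecycle state is {db.lifecycle_state}, not AVAILABLE")
    if expected_role is not None and db.role != expected_role:
        findings.append(f"{db.db_name}: role is {db.role}, expected {expected_role}")
    if not db.kms_key_id:
        # The drill clone silently falling back to Oracle-managed encryption is the failure mode to catch.
        findings.append(f"{db.db_name}: Oracle-managed encryption in use; no customer-managed key applied")
    elif db.kms_key_id != expected_key_id:
        findings.append(f"{db.db_name}: encrypted with {db.kms_key_id}, expected {expected_key_id}")
    if db.vault_id != expected_vault_id:
        findings.append(f"{db.db_name}: vault is {db.vault_id}, expected {expected_vault_id}")
    return findings


def view_from_sdk(adb) -> AdbEncryptionView:
    """Map an oci.database.models.AutonomousDatabase object onto the view above."""
    return AdbEncryptionView(db_name=adb.db_name, lifecycle_state=adb.lifecycle_state,
                             role=adb.role, kms_key_id=adb.kms_key_id, vault_id=adb.vault_id)


def fetch_view(adb_ocid: str, region: str) -> AdbEncryptionView:
    """Live lookup with the OCI Python SDK; imported here so the checks above run offline."""
    import oci
    config = oci.config.from_file()
    config["region"] = region          # e.g. "uk-london-1" or "eu-frankfurt-1"
    client = oci.database.DatabaseClient(config)
    return view_from_sdk(client.get_autonomous_database(autonomous_database_id=adb_ocid).data)


if __name__ == "__main__":
    # Constructed placeholder OCIDs standing in for the key "suraj" and vault "fsdr-vault-santhosh-lhr".
    KEY = "ocid1.key.oc1.eu-frankfurt-1.EXAMPLE.suraj"
    VAULT = "ocid1.vault.oc1.eu-frankfurt-1.EXAMPLE.fsdr-vault-santhosh-lhr"
    # Replace with fetch_view("<clone OCID>", "eu-frankfurt-1") for a live check after the drill.
    clone = AdbEncryptionView("appdev_DRDrillClone", "AVAILABLE", None, KEY, VAULT)
    for line in check_cmk(clone, KEY, VAULT) or ["appdev_DRDrillClone: customer-managed key verified"]:
        print(line)
```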

Task 7: Create Stop Drill Plan in Region 2

The Stop Drill plan terminates the Autonomous Database Serverless database that was created as part of the Start Drill execution.

  1. Create stop drill plan by selecting the DRPG in Region 2 (Frankfurt).

    1. Ensure the OCI region context is Region 2 (Frankfurt).
    2. Select the standby DRPG in Region 2.
    3. Select Plans.
    4. Click Create Plan to begin the process.

    plan-create-nav-fra.png
    Figure 7.1: How to begin creating stop drill plan in Region 2

  2. Create a stop drill plan.

    1. Enter a simple and meaningful Name for the stop drill.
    2. Select Plan type as Stop drill.
    3. Click Create.

    plan-create-stopdrill-fra.png
    Figure 7.2: The parameters needed to create DR stop drill plan

  3. The standby DR protection group in Region 2 should now have a Stop Drill plan as shown in the following image. This plan terminates the full clone that was created during the Start Drill plan execution.

    plan-create-stopdrill-fra-completed.png
    Figure 7.3: Showing the stop drill plan that must exist in region 2 before proceeding any further

Task 8: Run the Prechecks and Stop Drill Plan in Region 2

The stop drill plan created in Task 7 contains pre-populated steps for recovery tasks that are built into OCI Full Stack DR.

Verify the stop drill plan.

plan-stopdrill-fra-groups-show.png
Figure 8.1: Plan groups for the Stop Drill plan

Task 8.1: Run Prechecks for the Stop Drill Plan

  1. Ensure the region context is set to standby Region 2.
  2. Ensure the correct DR protection group in Region 2 is selected; it should have the standby role.
  3. Click the stop drill plan name.
  4. Click Run prechecks.

prechecks-stop-drill-fra-begin.png
Figure 8.2: Showing how to run prechecks of the stop drill plan

prechecks-stop-drill-fra-complete.png
Figure 8.3: Showing a Completed prechecks of the stop drill plan

Task 8.2: Run the Stop Drill in Region 2

Run the Stop Drill DR plan. This will terminate the Autonomous Database Serverless that was created during the Start Drill plan execution.

  1. Ensure the region context is set to standby Region 2.

  2. Ensure the correct DR protection group in Region 2 is selected; it should have the standby role.

  3. Click the stop drill plan name.

  4. Click Execute plan.

  5. Deselect Enable prechecks, since they were already executed in Task 8.1.

  6. Click Execute DR plan to begin.

    exec-stopdrill-fra-begin.png
    Figure 8.3: Showing how to Run the stop drill plan

    Monitor the stop drill plan. The execution of the stop drill plan was successfully completed in approximately 3 minutes.

    exec-stopdrill-fra-in-complete.png
    Figure 8.4: Showing a Completed stop drill plan execution.

  7. Let us validate that the Autonomous Database Serverless database appdev_DRDrillClone has been terminated in Region 2. Navigate to Autonomous Database from the Oracle Database section. You can see that the full clone database is terminated.

    adb-clone-stopdrill-terminated.png
    Figure 8.5: Showing Clone ADB is terminated.

  8. Verify the DR protection group status. Since the Stop Drill plan has been executed, the DR protection group status will show as Active. Now you can create and run the other DR plans that are part of the protection group in Region 2.

    drpg-stop-drill-fra-status-changed.png
    Figure 8.6: Active in Region 2

    drpg-stop-drill-lon-status-changed.png
    Figure 8.7: Drill in progress in Region 1

    Note: The roles of the protection group will change only for successful executions of switchover and failover DR plans.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.