Use Customer-Managed Encryption Key Located in a Remote Tenancy

Shows the steps to select customer-managed master encryption keys from a Vault on a remote tenancy.

When you use customer-managed master encryption keys with a Vault in a remote tenancy, the Vault and the Autonomous AI Database instance must be in the same region. To change the tenancy, on the sign-on page click Change tenancy. After you change the tenancy, make sure to select the same region for both the Vault and the Autonomous AI Database instance.

  1. Perform the required customer-managed encryption key prerequisite steps as necessary. See Prerequisites to Use Customer-Managed Encryption Keys on Autonomous AI Database in OCI Vault for more information.
  2. On the Details page, from the More actions drop-down list, select Manage encryption key.
  3. On the Manage encryption key page, select the Encrypt using a customer-managed key option.

    If you are already using customer-managed keys and you want to rotate the TDE keys, follow these steps and use a different key OCID with the same vault OCID, or use a new vault OCID and a new key OCID. This lets you use a key that is different from the current master encryption key.

  4. For Key type, select Oracle.
  5. For Key location, click Different tenancy.
  6. Enter a remote tenancy vault OCID.
  7. Enter a remote tenancy master encryption key OCID.
  8. Click Save.

The Lifecycle state changes to Updating. When the request completes, the Lifecycle state shows Available.

After the request completes, on the Oracle Cloud Infrastructure Console, the key information shows on the Autonomous Database Information page under the heading Encryption. This area shows the Encryption Key field with a link to the Master Encryption Key and the Encryption Key OCID field with the Master Encryption Key OCID.

Use Bring Your Own Keys (BYOK) in Vault Service

When you create a customer-managed key using the OCI Vault service, you can also import your own key material (Bring Your Own Key or BYOK) instead of having the Vault service generate the key material internally.

Before you can bring your own keys into the Vault service, you must perform a number of preparatory configuration tasks: create a vault, import the master encryption key, and then make that vault and its keys available to Autonomous Database. Specifically:
  1. Create a vault in the Vault service by following the instructions in To create a new vault.
    After creating the vault, you can create at least one master encryption key in the vault by following the instructions in To create a new master encryption key. You can also import a customer encryption key into an existing vault. When following these instructions, make these choices:
    • Create in Compartment: Oracle recommends that you create the master encryption key in the same compartment as its vault; that is, the compartment created specifically to contain the vaults containing customer-managed keys.
    • Protection Mode: Choose an appropriate value from the drop-down list:
      • HSM to create a master encryption key that is stored and processed on a hardware security module (HSM).
      • Software to create a master encryption key that is stored in a software file system in the Vault service. Software-protected keys are protected at rest using an HSM-based root key. You may export software keys to other key management devices or to a different OCI cloud region. Unlike HSM keys, software-protected keys are free of cost.
    • Key Shape Algorithm: AES
    • Key Shape Length: 256 bits
    • Import External Key: To use a customer encryption key (BYOK), select Import External Key and provide the following details:
      • Wrapping Key Information. This section is read-only, but you can view the public wrapping key details.
      • Wrapping Algorithm. Select a wrapping algorithm from the drop-down list.
      • External Key Data Source. Upload the file that contains the wrapped RSA key material.

    Note: You can either import the key material as a new external key version or click the name of an existing master encryption key and rotate it to a new key version.
  2. Use the IAM service to create a dynamic group and define a policy that gives your Autonomous AI Database instance access to the master encryption key you created.

See Importing Key Material as an External Key Version for more details.
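The one step in the BYOK procedure above that happens outside the console is producing the "External Key Data Source" file: the raw key material must be wrapped with the vault's public wrapping key before upload, so that the private half never leaves the vault's HSM. The following is an added example, not Oracle tooling or a script from this page, that walks that step through with the OpenSSL command-line tool and verifies the result. It assumes 256-bit AES key material (the key shape the instructions specify) and the RSA-OAEP-with-SHA-256 wrapping option; because a real import only gives you the public wrapping key, the script generates a stand-in RSA key pair locally (an assumption made so the unwrap check can run offline) and uses its public half in place of the key shown under "Wrapping Key Information".

```shell
#!/bin/sh
# Added example (not Oracle's tooling): build a BYOK import file for OCI Vault by
# wrapping 256-bit AES key material with an RSA public wrapping key using
# RSA-OAEP / SHA-256, then prove the wrapped blob unwraps to the original bytes.
set -e

WORK=$(mktemp -d)

# Stand-in for the vault's wrapping key pair (assumption for this offline demo).
# In a real import you only download the public key from the console and never
# hold the private half; it is generated here purely so the round-trip check runs.
make_stand_in_wrapping_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/wrapping_private.pem" 2>/dev/null
  openssl pkey -in "$WORK/wrapping_private.pem" -pubout \
    -out "$WORK/wrapping_public.pem" 2>/dev/null
}

# The key material that will become the master encryption key:
# 32 random bytes = the AES-256 key shape the page asks for.
make_aes_key_material() {
  openssl rand -out "$WORK/aes_key.bin" 32
}

# Wrap the raw key bytes with the public wrapping key. OAEP with SHA-256 for both
# the hash and the MGF1 function is what the SHA-256 OAEP wrapping option expects;
# the default PKCS#1 v1.5 padding would not be accepted and is weaker in any case.
wrap_key_material() {
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/wrapping_public.pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256 \
    -in "$WORK/aes_key.bin" -out "$WORK/wrapped_key.bin"
}

# Local verification only: on a real import the vault's HSM performs this unwrap.
unwrap_key_material() {
  openssl pkeyutl -decrypt -inkey "$WORK/wrapping_private.pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256 \
    -in "$WORK/wrapped_key.bin" -out "$WORK/unwrapped_key.bin"
}

# Size of a file in bytes, portable across GNU and BSD userlands.
file_size() { wc -c < "$1" | tr -d ' '; }

# Run the whole flow. Prints "ok" when the key material is exactly 32 bytes, the
# wrapped blob is one RSA block (256 bytes for a 2048-bit modulus) and the
# unwrapped bytes match the original; otherwise prints the failing check.
byok_roundtrip() {
  make_stand_in_wrapping_key
  make_aes_key_material
  wrap_key_material
  unwrap_key_material
  [ "$(file_size "$WORK/aes_key.bin")" -eq 32 ] || { echo "bad key length"; return 1; }
  [ "$(file_size "$WORK/wrapped_key.bin")" -eq 256 ] || { echo "bad wrapped length"; return 1; }
  cmp -s "$WORK/aes_key.bin" "$WORK/unwrapped_key.bin" || { echo "round-trip mismatch"; return 1; }
  echo ok
}

byok_roundtrip
# $WORK/wrapped_key.bin is the file you would upload as the External Key Data Source.
```

In practice, replace the generated public key with the wrapping key downloaded from the vault, keep `aes_key.bin` under the same controls as any other root secret (it is the unwrapped master key), and delete it once the import succeeds and the key version shows as available. A 32-byte key fits comfortably inside a single 2048-bit OAEP block; OCI's other wrapping option, which first wraps the material with a temporary AES key and then wraps that AES key with RSA-OAEP, exists for key material too large for one RSA block and is not needed for an AES-256 key.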