Rotate or Change the Custom Encryption Key
Each time you rotate your custom encryption key (or have to change to a different custom encryption key), you must update your Oracle Analytics Cloud instance. You can update the custom encryption key for an Oracle Analytics Cloud instance using the Console, API, or command line.
Each master encryption key is automatically assigned a key version. When you rotate a key, the Vault service generates a new key version. Periodically rotating keys limits the amount of data encrypted or signed by a single key version. If a key is ever compromised, key rotation reduces the risk. Each key’s unique identifier (OCID), remains the same across rotations, but the key version lets the Vault service seamlessly rotate keys to meet any security compliance requirements you might have. Although Oracle Analytics Cloud doesn't use an older key version for encryption after you rotate a key, older key versions remain available to decrypt any Oracle Analytics Cloud data that it previously encrypted.
Required IAM Policy
Verb: manage
Resource Type:
analytics-instance
,
analytics-instances
Custom Permission:
ANALYTICS_INSTANCE_MANAGE
See About Permissions to Manage Oracle Analytics Cloud Instances.
Verb: use
Resource Type:
key-delegate
Verb: read
Resource Type: vaults
,
keys