Rotate or Change the Custom Encryption Key

Each time you rotate your custom encryption key (or have to change to a different custom encryption key), you must update your Oracle Analytics Cloud instance. You can update the custom encryption key for an Oracle Analytics Cloud instance using the Console, API, or command line.

Each master encryption key is automatically assigned a key version. When you rotate a key, the Vault service generates a new key version. Periodically rotating keys limits the amount of data encrypted or signed by a single key version. If a key is ever compromised, key rotation reduces the risk. Each key’s unique identifier (OCID), remains the same across rotations, but the key version lets the Vault service seamlessly rotate keys to meet any security compliance requirements you might have. Although Oracle Analytics Cloud doesn't use an older key version for encryption after you rotate a key, older key versions remain available to decrypt any Oracle Analytics Cloud data that it previously encrypted.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Verb: use

Resource Type: key-delegate

Verb: read

Resource Type: vaults, keys

See Prerequisites for Custom Encryption.