About Master Encryption Key Management on Autonomous Database

Autonomous Database encrypts your database with Transparent Data Encryption (TDE) and provides two options for managing the TDE master encryption key: Oracle-managed encryption keys and customer-managed encryption keys.

Autonomous Database uses Transparent Data Encryption with a two-level key hierarchy: a TDE master key and TDE tablespace keys. As shown in the following figure, the TDE master key is used to generate the TDE tablespace keys and to encrypt and decrypt them, and the TDE tablespace keys encrypt the data files. Data is therefore encrypted only under the tablespace keys; the master key protects the tablespace keys, not the data directly.

[Figure adb_kms_keys.png: the TDE master key generates and encrypts/decrypts the TDE tablespace keys; the TDE tablespace keys encrypt the data files.]

Oracle-Managed Master Encryption Keys on Autonomous Database

By default, Autonomous Database uses Oracle-managed encryption keys.

With Oracle-managed keys, Autonomous Database creates and manages the encryption keys that protect your data, and Oracle handles rotation of the TDE master key.
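The two-level hierarchy described under the figure (the master key wraps the tablespace keys, the tablespace keys encrypt the data files) and the master key rotation mentioned here can be modelled directly. The following Go program is an added example, not Oracle code and not how Autonomous Database or TDE is implemented: AES-256-GCM stands in for TDE's actual key-wrapping and data-encryption algorithms, the type and function names (MasterKey, WrappedTablespaceKey, RotateMaster, and so on) are hypothetical, and the data block it encrypts is constructed inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Illustrative TDE key-hierarchy model, not Oracle code; AES-256-GCM stands in
// for TDE's real wrapping and data-encryption algorithms.

// MasterKey models the TDE master key; it never encrypts data directly.
type MasterKey struct {
	Version int
	Key     []byte // 32 bytes, AES-256
}

// WrappedTablespaceKey is a tablespace key as it exists at rest: encrypted
// under one master key version, never stored in the clear.
type WrappedTablespaceKey struct {
	MasterVersion int
	Nonce         []byte
	Ciphertext    []byte // wrapped key bytes followed by the GCM tag
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: refuse to continue
	}
	return b
}

// mustGCM builds an AES-GCM AEAD; a bad key length is a programming error here.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// NewMasterKey generates a fresh 256-bit master key with the given version.
func NewMasterKey(version int) MasterKey { return MasterKey{Version: version, Key: randomBytes(32)} }

// aad binds the master key version into the wrap, so a wrapped key handed to
// the wrong version fails authentication instead of yielding garbage.
func (m MasterKey) aad() []byte { return []byte(fmt.Sprintf("tde-master-v%d", m.Version)) }

// Wrap encrypts a plaintext tablespace key under the master key.
func (m MasterKey) Wrap(tablespaceKey []byte) WrappedTablespaceKey {
	aead := mustGCM(m.Key)
	nonce := randomBytes(aead.NonceSize())
	return WrappedTablespaceKey{MasterVersion: m.Version, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, tablespaceKey, m.aad())}
}

// Unwrap recovers the tablespace key; any other master key, or a tampered
// wrapped key, fails the GCM tag check.
func (m MasterKey) Unwrap(w WrappedTablespaceKey) ([]byte, error) {
	return mustGCM(m.Key).Open(nil, w.Nonce, w.Ciphertext, m.aad())
}

// EncryptBlock encrypts one data-file block under a tablespace key.
// Result layout: nonce || ciphertext || tag.
func EncryptBlock(tablespaceKey, plaintext []byte) []byte {
	aead := mustGCM(tablespaceKey)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

// DecryptBlock reverses EncryptBlock, rejecting blobs too short to hold a nonce.
func DecryptBlock(tablespaceKey, blob []byte) ([]byte, error) {
	aead := mustGCM(tablespaceKey)
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, fmt.Errorf("block too short to hold a nonce")
}

// RotateMaster re-wraps every tablespace key under the new master key. Data
// files are untouched: rotation costs one unwrap and one wrap per tablespace
// key, which is what makes master key rotation cheap.
func RotateMaster(old, next MasterKey, wrapped []WrappedTablespaceKey) ([]WrappedTablespaceKey, error) {
	out := make([]WrappedTablespaceKey, 0, len(wrapped))
	for _, w := range wrapped {
		tk, err := old.Unwrap(w)
		if err != nil {
			return nil, fmt.Errorf("unwrap under master v%d: %w", old.Version, err)
		}
		out = append(out, next.Wrap(tk))
	}
	return out, nil
}

func main() {
	m1, tk := NewMasterKey(1), randomBytes(32)
	w := m1.Wrap(tk)
	rewrapped, _ := RotateMaster(m1, NewMasterKey(2), []WrappedTablespaceKey{w})
	_, oldErr := m1.Unwrap(rewrapped[0]) // the retired master key can no longer open it
	fmt.Println("wrapped key bytes:", len(w.Ciphertext), "old master rejected:", oldErr != nil)
}
```

Rotation re-wraps the tablespace keys only; a data block encrypted before the rotation still decrypts under the tablespace key recovered with the new master key, and the retired master key can no longer open any wrapped key. The same structure explains the other side of the trade: losing access to the master key makes every tablespace key, and with it every data file, unreadable.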

Customer-Managed Master Encryption Keys on Autonomous Database

With customer-managed master encryption keys, Autonomous Database uses the master encryption key in a customer-managed key vault to generate the TDE master key. If your organization's security policies require customer-managed encryption keys, you can configure Autonomous Database to use a master encryption key in the following key management systems: