Manage Master Encryption Keys in Azure Key Vault

Autonomous Database supports customer-managed Transparent Data Encryption (TDE) keys that reside in Azure Key Vault.

Prerequisites to Use Customer-Managed Encryption Keys in Azure Key Vault

Describes prerequisite steps to use customer-managed master encryption keys on Autonomous Database that reside in Azure Key Vault.

Limitations:
  • Azure Key Vault is only supported in commercial regions.
  • Cross-tenancy access, where the Autonomous Database instance and the Azure Key Vault are in different tenancies, is not supported.
  • Azure Key Vault is not supported in cross-region standbys.
  • Azure Key Vault is not supported in refreshable clones.

Follow these steps:

  1. Create an Autonomous Database instance that uses the default Encryption key setting of Encrypt using an Oracle-managed key. See Provision an Autonomous Database Instance for more information.
    Note

    Encryption key settings for customer-managed keys in Azure Key Vault are not available during the creation process. The options are available post provisioning, when editing the instance.
  2. Create an Azure Key Vault with a Transparent Data Encryption (TDE) master key.

    See About Azure Key Vault for more information.

  3. Enable Azure service principal authentication with the Azure Directory tenant_id to allow your Autonomous Database instance access to the Azure Key Vault.
    1. Obtain your Microsoft Azure Active Directory tenant ID.
    2. Connect to your instance as ADMIN.
    3. Enable Azure service principal with DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH. The value of azure_tenantid is the Azure Active Directory tenant ID you obtained in step 3.1.
      For example:
      BEGIN
        DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH(
          provider => 'AZURE',
          params   => JSON_OBJECT('azure_tenantid' value 'azure_directoryID'));
      END;
      /

      This enables Azure service principal authentication and creates an Azure application for Autonomous Database on the Azure portal. See Enable Azure Service Principal for more information.

  4. Provide the Azure application consent to access Azure resources from Autonomous Database.
    1. On Autonomous Database, query CLOUD_INTEGRATIONS.

      For example:

      SELECT * FROM CLOUD_INTEGRATIONS;
      
      PARAM_NAME        PARAM_VALUE
      --------------- ------------------------------------------------------------------------------------------------------------------------------------------
      azure_tenantid    29...eb
      azure_consent_url https://login.microsoftonline.com/f8...5a/oauth2/v2.0/authorize?client_id=d4f5...d5&response_type=code&scope=User.read
      azure_app_name    ADBS_APP_OCID1.AUTONOMOUSDATABASE...

      The view CLOUD_INTEGRATIONS is available to the ADMIN user or to a user with the DWROLE role.

    2. In a browser, open the Azure consent URL specified by the azure_consent_url parameter.

      For example, copy the azure_consent_url from the query results and enter the URL into your browser:

      https://login.microsoftonline.com/f8...5a/oauth2/v2.0/authorize?client_id=d4f5...d5&response_type=code&scope=User.read

      The Permissions requested page opens and shows a consent request, similar to the following:

      Figure azure_consent.png: the Permissions requested page showing the consent request.
  5. Obtain the Azure application name.
    1. On Autonomous Database, query CLOUD_INTEGRATIONS.

      For example:

      SELECT * FROM CLOUD_INTEGRATIONS;

      PARAM_NAME        PARAM_VALUE
      --------------- ------------------------------------------------------------------------------------------------------------------------------------------
      azure_tenantid    29...eb
      azure_consent_url https://login.microsoftonline.com/f8...5a/oauth2/v2.0/authorize?client_id=d4f5...d5&response_type=code&scope=User.read
      azure_app_name    ADBS_APP_OCID1.AUTONOMOUSDATABASE...
    2. Copy the client_id value included in the azure_consent_url (d4f5...d5 in this example).
    3. Search on the client_id in the Azure portal. The application ID is displayed under Microsoft Entra ID.

      Figure sec_az_app_name.png: the application, found by its client_id, displayed under Microsoft Entra ID.

    4. Copy the application ID. This value is used in subsequent steps to allow this application access to keys in the Azure Key Vault.
  6. Assign necessary roles for the Azure application to access the Azure Key Vault.
    1. In the Azure portal, navigate to the Access policies for the Azure Key Vault.

      The list of applications with access to this vault is displayed.

    2. On the Access policies page, click + Create to create an access policy for the application to access this key vault.

      Figure sec_az_acc_pol.png: the Access policies page with the + Create button.

    3. For Permissions on the Create an access policy page, select all Key permissions (Key Management Operations, Cryptography Operations, Privileged Key Operations, and Rotation Policy Operations), then click Next.
    4. For Principal, search the application name.
    5. Select the displayed application name and click Next.
    6. For Application (optional), select Next.
    7. For Review + create, review the policy details and click Create.

      Figure sec_az_create_pol.png: the Review + create page for the access policy.

    8. On the Azure Key Vault details page, click Refresh and search for the application name. It is included in the displayed list of applications with permission to access keys in this Azure Key Vault.

    See Assign a Key Vault access Policy for more information.
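The following query is added here as an example and is not part of the Oracle documentation. It collects the values that steps 4 and 5 ask you to copy out of CLOUD_INTEGRATIONS into named columns, and has the database extract the client_id from azure_consent_url with REGEXP_SUBSTR instead of reading it out of the URL by hand. It assumes DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH has already completed (step 3) and that you are connected as ADMIN or a user with DWROLE; the column aliases are my own.

```sql
-- Added example (not from the Oracle documentation).
-- One row with the tenant ID, the Azure application name, the client_id to
-- search on in the Azure portal (step 5.3), and the consent URL to open in a
-- browser (step 4.2). Assumes ENABLE_PRINCIPAL_AUTH has already been run.
SELECT
  MAX(CASE WHEN param_name = 'azure_tenantid'
           THEN param_value END)                                   AS tenant_id,
  MAX(CASE WHEN param_name = 'azure_app_name'
           THEN param_value END)                                   AS app_name,
  -- client_id is the value of the client_id query parameter of the consent URL;
  -- the 6th argument of REGEXP_SUBSTR returns only the captured group.
  MAX(CASE WHEN param_name = 'azure_consent_url'
           THEN REGEXP_SUBSTR(param_value, 'client_id=([^&]+)', 1, 1, NULL, 1) END)
                                                                   AS client_id,
  MAX(CASE WHEN param_name = 'azure_consent_url'
           THEN param_value END)                                   AS consent_url
FROM cloud_integrations
WHERE param_name IN ('azure_tenantid', 'azure_app_name', 'azure_consent_url');
```

If any column comes back NULL, service principal authentication has not been enabled yet (rerun step 3 and check for errors) or the connected user cannot see the CLOUD_INTEGRATIONS view; in either case do not proceed to the Azure access-policy step until the client_id is populated.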

Use Customer-Managed Encryption Keys on Autonomous Database with Azure Key Vault

Shows the steps to encrypt your Autonomous Database using customer-managed master encryption keys that reside in Azure Key Vault.

Follow these steps:

  1. Perform the required customer-managed master key prerequisite steps. See Prerequisites to Use Customer-Managed Encryption Keys in Azure Key Vault.
  2. On the Details page, from the More actions drop-down list, select Manage encryption key.
    Note

    If you are already using customer-managed Transparent Data Encryption (TDE) keys stored in Azure Key Vault and you want to rotate the keys, follow these same steps and select a key that is different from the currently selected master TDE key.

  3. On the Manage encryption key page, select Encrypt using a customer-managed key.
  4. From the Key type drop-down, select Microsoft Azure.

    Figure sec_azure.png: the Manage encryption key page with Key type set to Microsoft Azure.

  5. In the Vault URI field, enter the Azure Vault URI.
    1. In the Azure portal, navigate to the Azure Key Vault.
    2. Select the Azure Key Vault Overview page and copy the displayed Vault URI.

      Figure sec_az_vault_uri.png: the Azure Key Vault Overview page showing the Vault URI.

    3. Enter the copied Azure Vault URI into the Vault URI field in the Autonomous Database Manage encryption key page.
  6. In the Key name field, enter the name of the key in the Azure Key Vault.
    1. In the Azure portal, navigate to the Azure Key Vault and select Keys. A list of keys for this vault is displayed.
    2. From the list of displayed keys, copy the Key Name you want to use.

      Figure sec_az_key_name.png: the Keys list for the Azure Key Vault.

    3. Enter the copied Azure key name into the Key name field in the Autonomous Database Manage encryption key page.
  7. Click Save.

The Lifecycle State changes to Updating. When the request completes, the Lifecycle State shows Available.

After the request completes, on the Oracle Cloud Infrastructure Console, the key information shows on the Autonomous Database Information page under the heading Encryption. This area shows the Encryption Key is Customer-managed key (Microsoft Azure), and displays the Vault URI and Key name.

For example:

Figure sec_az_results.png: the Encryption section of the Autonomous Database Information page showing Customer-managed key (Microsoft Azure), the Vault URI and the Key name.