Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database
Perform these prerequisite steps to use customer-managed keys on Autonomous Database:
You must replicate the vault and keys to use customer-managed encryption keys with Autonomous Data Guard with a remote Standby database. Replication of vaults and keys across regions is only possible if you select the virtual private vault option when you create the vault.
See Autonomous Data Guard with Customer Managed Keys for more information.
- Create Dynamic Group and Policies for Customer Managed Keys with Vault in Same Tenancy as Database
  Create dynamic group and policies to provide access to the vault and keys for customer-managed keys when the vault and keys are in the same tenancy as the Autonomous Database instance.
- Create Dynamic Group and Policies for Customer Managed Keys with Vault in Different Tenancy than the Database
  Perform these steps to use customer-managed keys when the Autonomous Database instance and vaults and keys are in different tenancies.
Create Dynamic Group and Policies for Customer Managed Keys with Vault in Same Tenancy as Database
Create dynamic group and policies to provide access to the vault and keys for customer-managed keys when the vault and keys are in the same tenancy as the Autonomous Database instance.
Create Dynamic Group and Policies for Customer Managed Keys with Vault in Different Tenancy than the Database
Perform these steps to use customer-managed keys when the Autonomous Database instance and vaults and keys are in different tenancies.
In this case, you need to supply OCID values when you change to customer-managed keys. In addition, you need to define dynamic groups and policies that allow the Autonomous Database instance to use vaults and keys in a different tenancy.
1. Copy the master encryption key OCID.
2. Copy the vault OCID.
3. Copy the tenancy OCID (the remote tenancy that contains vaults and keys).
4. On the tenancy with the Autonomous Database instance, create a dynamic group.
5. On the tenancy with the Autonomous Database instance, define the policies to allow access to vaults and keys (where the vaults and keys are on a different tenancy).
6. Copy the tenancy OCID (the tenancy that contains the Autonomous Database instance).
7. Copy the Dynamic Group OCID (for the Dynamic Group you created in Step 4).
8. On the remote tenancy with vaults and keys, define a dynamic group and policies to allow the Autonomous Database instance to access vaults and keys.
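The procedure above moves five OCIDs between two tenancies, and pasting one into the wrong slot yields a policy that silently grants nothing. The following added example (not Oracle's code) checks each copied OCID by resource type and builds the statement set for each side. The group name `ADB-DynamicGroup`, the aliases `REMTEN`, `ADBTEN` and `REM-ADB-DG`, and all OCIDs are constructed, and the statement wording assumes OCI IAM's general cross-tenancy define/endorse/admit syntax.

```python
import re

# OCID layout: ocid1.<resource type>.<realm>.[region][.future use].<unique id>
OCID_RE = re.compile(r"^ocid1\.([a-z0-9]+)\.[a-z0-9-]+\.[a-z0-9-]*\.(?:[a-z0-9-]*\.)?[a-z0-9]+$")

def check_ocid(value, expected_type):
    """Return the stripped OCID if its resource type matches, else raise."""
    value = value.strip()
    m = OCID_RE.match(value)
    if not m:
        raise ValueError(f"not an OCID: {value!r}")
    if m.group(1) != expected_type:
        raise ValueError(f"expected a {expected_type} OCID, got a {m.group(1)} OCID")
    return value

def cross_tenancy_plan(key, vault, vault_tenancy, adb_tenancy, dyn_group,
                       adb_dg="ADB-DynamicGroup"):  # hypothetical group name
    key, vault = check_ocid(key, "key"), check_ocid(vault, "vault")
    vault_tenancy = check_ocid(vault_tenancy, "tenancy")
    adb_tenancy = check_ocid(adb_tenancy, "tenancy")
    dyn_group = check_ocid(dyn_group, "dynamicgroup")
    if vault_tenancy == adb_tenancy:
        raise ValueError("same tenancy on both sides: use the same-tenancy procedure")
    return {
        # Policy in the tenancy holding the database (REMTEN is a made-up alias)
        "adb_tenancy": [
            f"define tenancy REMTEN as {vault_tenancy}",
            f"endorse dynamic-group {adb_dg} to use vaults in tenancy REMTEN",
            f"endorse dynamic-group {adb_dg} to use keys in tenancy REMTEN",
        ],
        # Policy in the remote tenancy holding the vault and keys (made-up aliases)
        "vault_tenancy": [
            f"define tenancy ADBTEN as {adb_tenancy}",
            f"define dynamic-group REM-ADB-DG as {dyn_group}",
            "admit dynamic-group REM-ADB-DG of tenancy ADBTEN to use vaults in tenancy",
            "admit dynamic-group REM-ADB-DG of tenancy ADBTEN to use keys in tenancy",
        ],
        # Values to supply when switching the database to customer-managed keys
        "supply_on_switch": {"key": key, "vault": vault, "tenancy": vault_tenancy},
    }

# Constructed sample OCIDs (not real resources)
SAMPLE = dict(key="ocid1.key.oc1.iad.exvault.examplekey",
              vault="ocid1.vault.oc1.iad.exvault.examplevault",
              vault_tenancy="ocid1.tenancy.oc1..exampleremote",
              adb_tenancy="ocid1.tenancy.oc1..exampleadb",
              dyn_group="ocid1.dynamicgroup.oc1..exampledg")

if __name__ == "__main__":
    print("\n".join(cross_tenancy_plan(**SAMPLE)["vault_tenancy"]))
```

An endorse statement on the database side has no effect until the matching admit statement exists in the vault tenancy, so the two lists are meant to be reviewed as a pair.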