Use Customer-Managed Encryption Key Located in a Remote Tenancy

Shows the steps to select customer-managed master encryption keys from a Vault on a remote tenancy.

When you use customer-managed master encryption keys with a Vault in a remote tenancy, the Vault and the Autonomous Database instance must be in the same region. To change the tenancy, on the sign-on page click Change tenancy. After you change the tenancy, make sure to select the same region for both the Vault and the Autonomous Database instance.

  1. Perform the required customer-managed encryption key prerequisite steps as necessary. See Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database in OCI Vault for more information.
  2. On the Details page, from the More actions drop-down list, select Manage encryption key.
  3. On the Manage encryption key page, select the Encrypt using a customer-managed key option.

    If you are already using customer-managed keys and you want to rotate the TDE keys, follow these steps and use a different key OCID with the same vault OCID, or use a new vault OCID and a new key OCID. This lets you use a key that is different from the current master encryption key.

  4. For Key type, select Oracle.
  5. For Key location, click Different tenancy.
  6. Enter a remote tenancy vault OCID.
  7. Enter a remote tenancy master encryption key OCID.

    Description of adb_switch_master_key_remote.png follows

  8. Click Save.

The Lifecycle State changes to Updating. When the request completes, the Lifecycle State shows Available.

After the request completes, on the Oracle Cloud Infrastructure Console, the key information shows on the Autonomous Database Information page under the heading Encryption. This area shows the Encryption Key field with a link to the Master Encryption Key and the Encryption Key OCID field with the Master Encryption Key OCID.