Use Customer-Managed Encryption Keys with Vault Located in Local Tenancy

Shows the steps to select customer-managed master encryption keys on Autonomous Database. If you are using customer-managed master encryption keys, follow these steps to rotate the master keys.

Caution:

The customer-managed encryption key is stored in Oracle Cloud Infrastructure Vault, external to the database host. If the customer-managed encryption key is disabled or deleted, the database will be inaccessible.

For details on using customer-managed keys where the Vault is located in a remote tenancy, see Use Customer-Managed Encryption Key Located in a Remote Tenancy.

On Autonomous Database you can choose customer-managed keys as follows:

  • While provisioning, under Advanced Options, on the Encryption Key tab.

  • While cloning, under Advanced Options, on the Encryption Key tab

Follow these steps if your Autonomous Database is using Oracle-managed keys and you want to switch to customer-managed encryption keys with the vault in the local tenancy, or if you are using customer-managed encryption keys and you want to rotate the master key.

  1. Perform the required customer-managed encryption key prerequisite steps as necessary. See Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database in OCI Vault for more information.
  2. On the Details page, from the More actions drop-down list, select Manage encryption key.
  3. On the Manage encryption key page, select Encrypt using customer-managed key.

    If you are already using customer-managed keys and you want to rotate the TDE keys, follow these steps and select a different key (select a key that is different from the currently selected master encryption key).

  4. For Key type, select Oracle.
  5. For Key location, click This tenancy.
  6. Select a Vault.

    Click Change compartment to select a vault in a different compartment.

  7. Select a Master encryption key.

    Click Change Compartment to select a master encryption key in a different compartment.

    Description of adb_switch_master_key.png follows

    When cross-region Autonomous Data Guard is enabled the Vault and Master encryption key values show the keys that are replicated in both the primary and the remote standby region.

  8. Click Save.

The Lifecycle State changes to Updating. When the request completes, the Lifecycle State shows Available.

After the request completes, on the Oracle Cloud Infrastructure Console, the key information shows on the Autonomous Database Information page under the heading Encryption. This area shows the Encryption Key field with a link to the Master Encryption Key and the Encryption Key OCID field with the Master Encryption Key OCID.