Use Customer-Managed Encryption Keys with Vault Located in Local Tenancy
Shows the steps to select customer-managed master encryption keys on Autonomous Database. If you are using customer-managed master encryption keys, follow these steps to rotate the master keys.
Caution:
The customer-managed encryption key is stored in Oracle Cloud Infrastructure Vault, external to the database host. If the customer-managed encryption key is disabled or deleted, the database will be inaccessible.

For details on using customer-managed keys where the Vault is located in a remote tenancy, see Use Customer-Managed Encryption Key Located in a Remote Tenancy.
On Autonomous Database you can choose customer-managed keys as follows:
- While provisioning, under Advanced Options, on the Encryption Key tab.
- While cloning, under Advanced Options, on the Encryption Key tab.
Follow these steps if your Autonomous Database is using Oracle-managed keys and you want to switch to customer-managed encryption keys with the vault in the local tenancy, or if you are using customer-managed encryption keys and you want to rotate the master key.
The Lifecycle State changes to Updating. When the request completes, the Lifecycle State shows Available.
After the request completes, on the Oracle Cloud Infrastructure Console, the key information shows on the Autonomous Database Information page under the heading Encryption. This area shows the Encryption Key field with a link to the Master Encryption Key and the Encryption Key OCID field with the Master Encryption Key OCID.
See Notes for Using Customer-Managed Keys with Autonomous Database for more information.