Managing Encryption Keys on External Devices
Learn how to store and manage database encryption keys.
There are two options to store and manage database encryption keys for your databases on Oracle Exadata Database Service on Cloud@Customer:
- In an auto-login wallet file stored in an Oracle Advanced Cluster File System (Oracle ACFS) accessible by the customer VM operating system.
- Oracle Key Vault.
- Customer-Managed Keys in Oracle Exadata Database Service on Cloud@Customer
Customer-managed keys for Oracle Exadata Database Service on Cloud@Customer is a feature that enables you to migrate the Oracle Database TDE Master Encryption Key for an Oracle Database from the password-protected wallet file stored on the Oracle Exadata Database Service on Cloud@Customer equipment to an OKV server that you control. - About Oracle Key Vault
Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within the enterprise. - Overview of Key Store
Integrate your on-premises Oracle Key Vault (OKV) with customer-managed database cloud services to secure your critical data on-premises. - Required IAM Policy for Managing OKV on Oracle Exadata Database Service on Cloud@Customer
Review the identity access management (IAM) policy for managing OKV on Oracle Exadata Database Service on Cloud@Customer Systems. - Tagging Resources
You can apply tags to your resources to help you organize them according to your business needs. - Moving Resources to a Different Compartment
You can move OKV Vault, Secret, and Keystore resources from one compartment to another. - Setting Up Your Oracle Exadata Database Service on Cloud@Customer to Work With Oracle Key Vault
- Managing Your Key Store
- Administer Transparent Data Encryption (TDE) Keys
Use this procedure to change the encryption management configuration or rotate the TDE key. - How to Manually Clone a Pluggable Database (PDB) from a Remote Container Database (CDB) When Data is Encrypted with Master Encryption Key (MEK) in Oracle Key Vault (OKV)
- How to Upgrade Oracle Key Vault (OKV) Home in ExaDB-C@C
Parent topic: How-to Guides
Customer-Managed Keys in Oracle Exadata Database Service on Cloud@Customer
Customer-managed keys for Oracle Exadata Database Service on Cloud@Customer is a feature that enables you to migrate the Oracle Database TDE Master Encryption Key for an Oracle Database from the password-protected wallet file stored on the Oracle Exadata Database Service on Cloud@Customer equipment to an OKV server that you control.
The Oracle Key Vault (OKV) provides fault-tolerant, highly available and scalable key and secrets management for your encrypted ExaDB-C@C databases. Use customer-managed keys when you need security governance, regulatory compliance, and homogenous encryption of data, while centrally managing, storing, and monitoring the life cycle of the keys you use to protect your data.
You can:
- Switch from Oracle-managed keys to customer-managed keys on databases that are not enabled with Oracle Data Guard.
- Rotate your keys to maintain security compliance.
- Rotating the PDB key is also supported. Rotate CDB and PDB key operations are allowed only if the database is customer-managed.
Requirements
- To enable the management of customer-managed encryption keys, you must create a policy in the tenancy that allows a particular dynamic group to do so. For more information, see Setting Up Your Oracle Exadata Database Service on Cloud@Customer to Work With Oracle Key Vault.
- Pluggable databases must be configured in United Mode. For more information about United
Mode, see Managing Keystores and TDE Master Encryption Keys in United
Mode.
Isolated Mode is not supported. For more information about Isolated Mode, see Managing Keystores and TDE Master Encryption Keys in Isolated Mode
- If an Exadata Database Service was configured for Oracle Key Vault using the procedures published at Migration of File based TDE to OKV for Exadata Database Service on Cloud at Customer Gen2 (Doc ID 2823650.1), then you should open a My Oracle Support (MOS) Service Request to have Oracle cloud operations update the control plane configuration to reflect the Oracle Key Vault information for the the specific Exadata Database service
Parent topic: Managing Encryption Keys on External Devices
About Oracle Key Vault
Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within the enterprise.
The Oracle Key Vault is a customer-provisioned and managed system and it is not part of Oracle Cloud Infrastructure managed services.
Related Topics
Parent topic: Managing Encryption Keys on External Devices
Overview of Key Store
Integrate your on-premises Oracle Key Vault (OKV) with customer-managed database cloud services to secure your critical data on-premises.
Oracle Key Vault integration enables you to take complete control of your encryption keys and store them securely on an external, centralized key management device.
OKV is optimized for Oracle wallets, Java keystores, and Oracle Advanced Security Transparent Data Encryption (TDE) master keys. Oracle Key Vault supports the OASIS KMIP standard. The full-stack, security-hardened software appliance uses Oracle Linux and Oracle Database technology for security, availability, and scalability, and can be deployed on your choice of compatible hardware.
OKV also provides a REST interface for clients to auto-enroll endpoints and setup wallets and keys. For Autonomous Databases on Exadata Cloud@Customer to connect to OKV REST interface, create a key store in your tenancy to store the IP address and administrator credentials of your OKV. Exadata Cloud@Customer temporarily stores the OKV REST user administrator password required to connect to the OKV appliance in a password-protected wallet file so that the software running in the customer VM can connect to the OKV server. Following the migration of the TDE keys to OKV, the cloud automation software will remove the password from the wallet file. Ensure that you create a secret with Oracle's Vault Service, which will store the password required for autonomous databases to connect to OKV for key management.
For more information, see "Oracle Key Vault".
Related Topics
Parent topic: Managing Encryption Keys on External Devices
Required IAM Policy for Managing OKV on Oracle Exadata Database Service on Cloud@Customer
Review the identity access management (IAM) policy for managing OKV on Oracle Exadata Database Service on Cloud@Customer Systems.
A policy is an IAM document that specifies who has what type of access to your resources. It is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it), and to mean the overall body of policies your organization uses to control access to resources.
A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization.
To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console, or the REST API with a software development kit (SDK), a command-line interface (CLI), or some other tool. If you try to perform an action, and receive a message that you don’t have permission, or are unauthorized, then confirm with your administrator the type of access you've been granted, and which compartment you should work in.
For administrators: The policy in "Let database admins manage DB systems" lets the specified group do everything with databases and related database resources.
If you're new to policies, then see "Getting Started with Policies" and "Common Policies". If you want to dig deeper into writing policies for databases, then see "Details for the Database Service".
Tagging Resources
You can apply tags to your resources to help you organize them according to your business needs.
You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see "Resource Tags".
Related Topics
Parent topic: Managing Encryption Keys on External Devices
Moving Resources to a Different Compartment
You can move OKV Vault, Secret, and Keystore resources from one compartment to another.
After you move an OCI resource to a new compartment, inherent policies apply immediately and affect access to the resource. Moving an OKV Vault resource doesn't affect access to any OKV Vault Keys or OKV Vault Secrets that the OKV Vault contains. You can move an OKV Vault Keys or OKV Vault Secrets from one compartment to another independently of moving the OKV Vault it's associated with. For more information, see Managing Compartments.
Related Topics
Parent topic: Managing Encryption Keys on External Devices
Setting Up Your Oracle Exadata Database Service on Cloud@Customer to Work With Oracle Key Vault
- Ensure that OKV is set up and the network is accessible from the Exadata client network. Open ports 443, 5695, and 5696 for egress on the client network for the OKV client software and Oracle database instance to access the OKV server.
- Ensure that the REST interface is enabled from the OKV user interface.
- Create "OKV REST Administrator" user.
You can use any qualified username of your choice, for example, "okv_rest_user". For ADB-C@C and ExaDB-C@C, use the same or different REST users. Those databases can be key-managed in the same or different on-prem OKV clusters. ExaDB-C@C needs REST user with
create endpoint
privilege. ADB-C@C needs REST user withcreate endpoint
andcreate endpoint group
privileges. - Gather OKV administrator credentials and IP address, which is required to connect to OKV.
For more information, see Network Port Requirements, Managing Oracle Key Vault Users, and Managing Administrative Roles and User Privileges
- Step 1: Create a Vault in OKV Vault Service and Add a Secret to the Vault to Store OKV REST Administrator Password
- Step 2: Create a Dynamic Group and a Policy Statement for Key Store to Access Secret in OKV Vault
- Step 3: Create a Dynamic Group and a Policy Statement for Exadata Infrastructure to Key Store
- Step 4: Create a Policy Statement for Database Service to Use Secret from OKV Vault Service
- Step 5: Create Key Store
Related Topics
Parent topic: Managing Encryption Keys on External Devices
Step 1: Create a Vault in OKV Vault Service and Add a Secret to the Vault to Store OKV REST Administrator Password
Your Exadata Cloud@Customer infrastructure communicates with OKV over REST each time an Oracle Database is provisioned to register the Oracle Database and request a wallet on OKV. Therefore, Exadata infrastructure needs access to the REST admin credentials to register with the OKV server.
These credentials are stored securely in the Oracle Vault Service in OCI as a Secret and accessed by your Exadata Cloud@Customer infrastructure only when needed. When needed, the credentials are stored in a password-protected wallet file.
To store the OKV administrator password in the OKV Vault service, create a vault by following the instructions outlined in Managing Vaults and create a Secret in that vault by following the instructions outlined in Managing Secrets.
Step 2: Create a Dynamic Group and a Policy Statement for Key Store to Access Secret in OKV Vault
To grant your Key Store resources permission to access Secret in OKV Vault, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the Secret you created in the OKV Vaults and Secrets.
When defining the dynamic group, you identify your Key Store resources by specifying the OCID of the compartment containing your Key Store.
Related Topics
Step 3: Create a Dynamic Group and a Policy Statement for Exadata Infrastructure to Key Store
To grant your Exadata infrastructure resources permission to access Key Store, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the Key Store you created.
When defining the dynamic group, you identify your Exadata infrastructure resources by specifying the OCID of the compartment containing your Exadata infrastructure.
Step 4: Create a Policy Statement for Database Service to Use Secret from OKV Vault Service
allow service database to read secret-family in compartment <vaults-and-secrets-compartment>
where <vaults-and-secrets-compartment> is the name of the compartment in which you created your OKV Vaults and Secrets.
Once the OKV Vault is set up and the IAM configuration is in place, you are now ready to deploy your Oracle Key Vault 'Key Store' in OCI and associate it with your Exadata Cloud@Customer VM Cluster.
Managing Your Key Store
- View Key Store Details
Follow these steps to view Key Store details that include Oracle Key Vault (OKV) connection details and the list of associated databases. - Edit Key Store Details
You can edit a Key Store only if it is not associated with any CDBs. - Move a Key Store to Another Compartment
Follow these steps to move a Key Store on an Oracle Exadata Database Service on Cloud@Customer system from one compartment to another compartment. - Delete a Key Store
You can delete a Key Store only if it is not associated with any CDBs. - View Key Store Associated Container Database Details
Follow these steps to view details of the container database associated with a Key Store. - Using the API to Manage Key Store
Learn how to use the API to manage key store.
Parent topic: Managing Encryption Keys on External Devices
View Key Store Details
Follow these steps to view Key Store details that include Oracle Key Vault (OKV) connection details and the list of associated databases.
Parent topic: Managing Your Key Store
Edit Key Store Details
You can edit a Key Store only if it is not associated with any CDBs.
- Open the navigation menu. Under Oracle Database, click Exadata Database Service on Cloud@Customer.
- Choose your Compartment.
- Click Key Stores.
- Click the name of the Key Store or click the Actions icon (three dots), and then click View Details.
- On the Key Store Details page, click Edit.
- On the Edit Key Store page, make changes as needed, and then click Save Changes.
Parent topic: Managing Your Key Store
Move a Key Store to Another Compartment
Follow these steps to move a Key Store on an Oracle Exadata Database Service on Cloud@Customer system from one compartment to another compartment.
- Open the navigation menu. Under Oracle Database, click Exadata Database Service on Cloud@Customer.
- Choose your Compartment.
- Click Key Stores.
- Click the name of the Key Store or click the Actions icon (three dots), and then click View Details.
- On the Key Store Details page, click Move Resource.
- On the Move Resource to a Different Compartment page, select the new compartment.
- Click Move Resource.
Parent topic: Managing Your Key Store
Delete a Key Store
You can delete a Key Store only if it is not associated with any CDBs.
- Open the navigation menu. Under Oracle Database, click Exadata Database Service on Cloud@Customer.
- Choose your Compartment.
- Click Key Stores.
- Click the name of the Key Store or click the Actions icon (three dots), and then click View Details.
- On the Key Store Details page, click Delete.
- On the Delete Key Store dialog, click Delete.
Parent topic: Managing Your Key Store
View Key Store Associated Container Database Details
Follow these steps to view details of the container database associated with a Key Store.
- Open the navigation menu. Under Oracle Database, click Exadata Database Service on Cloud@Customer.
- Choose your Compartment.
- Click Key Stores.
- In the resulting Key Stores page, click the name of the Key Store or click the Actions icon (three dots), and then click View Details.
- Click the name of the associated database or click the Actions icon (three dots), and then click View Details.
Parent topic: Managing Your Key Store
Using the API to Manage Key Store
Learn how to use the API to manage key store.
For information about using the API and signing requests, see "REST APIs" and "Security Credentials". For information about SDKs, see "Software Development Kits and Command Line Interface".
The following table lists the REST API endpoints to manage key store.
Operation | REST API Endpoint |
---|---|
Create OKV Key Store |
|
View OKV Key Store |
|
Update OKV Key Store |
|
Delete OKV Key Store |
|
Change Key store compartment |
|
Choose between customer-managed and Oracle-managed encryption |
|
Get the Key Store (OKV or Oracle-managed) and OKV wallet name |
|
Change Key store type |
|
Rotate OKV and Oracle-managed key |
|
Parent topic: Managing Your Key Store
Administer Transparent Data Encryption (TDE) Keys
Use this procedure to change the encryption management configuration or rotate the TDE key.
After you provision a database in an ExaDB-C@C system, you can change the encryption key management to OKV and rotate the TDE key for that database.
- Oracle supports administering encryption keys on databases after and including Oracle Database 11g release 2 (11.2.0.4).
- You can change encryption key management from Oracle-managed keys to customer-managed keys but you cannot change from customer-managed keys to Oracle-managed keys.
- When you change to customer-managed keys on OKV, the database will experience a shutdown abort operation followed by a restart. Plan to perform the migration to customer-managed keys on OKV in a planned maintenance window.
- To ensure that your Exadata database uses the most current version of the TDE key, rotate the key from the database details page on the Oracle Cloud Infrastructure Console. Do not use the Vault service.
- You can rotate TDE keys only on databases that are configured with customer-managed keys.
- You cannot rotate an encryption key:
- when a database restore is in progress in a given Oracle Home.
- when a database patching or database home patching is in progress.
- Migration of TDE keys to Oracle Key Vault (OKV) requires 10 minutes of downtime. During the migration, the database state will be UPDATING and connections may fail due to multiple database restarts to enable OKV. Applications can resume operation after the migration completes and when the database returns to its original ACTIVE state.
- The OKV keystore password will be set to the TDE wallet password.
Caution:
After changing key management to customer-managed keys, deleting the key from the OKV will cause the database to become unavailable.
On the database details page for this database, the Encryption section displays the encryption key name and the encryption key OCID.
Related Topics
Parent topic: Managing Encryption Keys on External Devices
How to Manually Clone a Pluggable Database (PDB) from a Remote Container Database (CDB) When Data is Encrypted with Master Encryption Key (MEK) in Oracle Key Vault (OKV)
The dbaascli tool lets you clone PDBs when the source CDB and target CDB are the same (local clone) or if they are different (remote clone). However, you cannot clone a remote PDB if the data is encrypted with a MEK in OKV.
To decrypt / encrypt the data during a remote clone, the container database must have access to MEK. The MEK must be made available to the target CDB when it is stored in the OKV server.
- Source CDB and Target CDB are Encrypted with MEK in the Same OKV Server
- Source CDB and Target CDB are Encrypted with MEK in a Different OKV Server
Related Topics
Parent topic: Managing Encryption Keys on External Devices
How to Upgrade Oracle Key Vault (OKV) Home in ExaDB-C@C
After the encryption type is migrated from Oracle Managed Keys to Customer Managed Keys (Oracle Key Vault), the OKV home in the DomUs remains with the same version used for the migration.
In case the OKV Server is upgraded the functionality would keep working because of backward compatibility. However, the customer might want to get the new features for the client tools. In that case, upgrade the OKV home and the PKCS#11
Library.
Parent topic: Managing Encryption Keys on External Devices