Before you can bring your own keys into the Vault service, you must perform number of preparatory configuration tasks to create a vault and import the master encryption key and then make that vault and its keys available to Autonomous Database; specifically:

1. Create a vault in the Vault service by following the instructions in To create a new vault in Oracle Cloud Infrastructure Documentation. When following these instructions, Oracle recommends that you create the vault in a compartment created specifically to contain the vaults containing customer-managed keys, as described in Compartment Hierarchy Best Practice.
   After creating the vault, you can create at least one master encryption key in the vault by following the instructions in To create a new master encryption key in Oracle Cloud Infrastructure Documentation. You can also import a customer encryption key into an existing vault. When following these instructions, make these choices:

   • Create in Compartment: Oracle recommends that you create the master encryption key in the same compartment as its vault; that is, the compartment created specifically to contain the vaults containing customer-managed keys.
   • Protection Mode: Choose an appropriate value from the drop-down list:
     • HSM to create a master encryption key that is stored and processed on a hardware security module (HSM).
     • Software to create a master encryption key that is stored in a software file system in the Vault service. Software-protected keys are protected at rest using an HSM-based root key. You may export software keys to other key management devices or to a different OCI cloud region. Unlike HSM keys, software-protected keys are free of cost.
   • Key Shape Algorithm: AES
   • Key Shape Length: 256 bits
   • Import External Key: To use a customer encryption key (BYOK), select Import External Key and provide the following details:
     • Wrapping Key Information. This section is read-only, but you can view the public wrapping key details.
     • Wrapping Algorithm. Select a wrapping algorithm from the drop-down list.
     • External Key Data Source. Upload the file that contains the wrapped RSA key material.

   Note
   
   You can either import the key material as a new external key version or click the name of an existing master encryption key and rotate it to a new key version.

   Refer to Importing Key Material as an External Key Version for more details.

2. Use the Networking service to Create a Service Gateway, a Route Rule and an Egress Security Rule to the VCN (Virtual Cloud Network) and subnets where your Autonomous Database resources reside.
3. Use the IAM service to Create a Dynamic Group identifying your Autonomous Database resources and a policy statement granting that dynamic group access to the master encryption keys you created.

In OCI EKMS, you can store and control master encryption keys (as external keys) on a third-party key management system hosted outside OCI. You can use this for enhanced data security or if you have regulatory compliance to store keys outside Oracle Public Cloud or any third-party cloud premises. With the actual keys residing in the third-party key management system, you create only key references in OCI.

1. You can create and manage a vault that holds key references in OCI EKMS. You can use the keys from OCI EKMS with Autonomous Database on Dedicated Exadata Infrastructure deployed on Oracle Public Cloud. See Creating a vault in OCI EKMS for more details. When following these instructions, make these choices:
   • Create in Compartment: Select a compartment for the OCI EKMS vault.
   • IDCS Account Name URL: Enter the authentication URL that you use to access the KMS service. The Console redirects to a sign in screen.
   • Key Management Vendor: Select a third-party vendor that deploys key management service. For now, OCI KMS supports only Thales as the external key management vendor.
   • Client application ID: Enter the OCI KMS client ID generated when you register the confidential client application in Oracle Identity Domain.
   • Client application secret: Enter the Secret ID of the confidential client application registered in the Oracle Identity Domain.
   • Private endpoint in compartment: Select the private endpoint GUID of the external key management.
   • External Vault URL: Enter the vault URL that was generated when you created vault in external key management.
2. Use the Networking service to Create a Service Gateway, a Route Rule and an Egress Security Rule to the VCN (Virtual Cloud Network) and subnets where your Autonomous Database resources reside.
3. Use the IAM service to Create a Dynamic Group identifying your Autonomous Database resources and a policy statement granting that dynamic group access to the master encryption keys you created.

After creating the service gateway, add a route rule and an egress security rule to each subnet (in the VCN) where Autonomous Database resources reside so that these resources can use the gateway to access the Vault service:

1. Go to the Subnet Details page for the subnet.
2. In the Subnet Information tab, click the name of the subnet's Route Table to display its Route Table Details page.
3. In the table of existing Route Rules, check whether there is already a rule with the following characteristics:
   • Destination: All IAD Services In Oracle Services Network
   • Target Type: Service Gateway
   • Target: The name of the service gateway you just created in the VCN

   If such a rule does not exist, click Add Route Rules and add a route rule with these characteristics.

4. Return to the Subnet Details page for the subnet.
5. In the subnet's Security Lists table, click the name of the subnet's security list to display its Security List Details page.
6. In the side menu, under Resources, click Egress Rules.
7. In the table of existing Egress Rules, check whether there is already a rule with the following characteristics:
   • Stateless: No
   • Destination: All IAD Services In Oracle Services Network
   • IP Protocol: TCP
   • Source Port Range: All
   • Destination Port Range: 443

   If such a rule does not exist, click Add Egress Rules and add an egress rule with these characteristics.

When defining the dynamic group, you identify your Autonomous Database resources by specifying the OCID of the compartment containing your Exadata Infrastructure resource.

1. Copy the OCID of the compartment containing your Exadata Infrastructure resource. You can find this OCID on the Compartment Details page of the compartment.
2. Create a dynamic group by following the instructions in To create a dynamic group in Oracle Cloud Infrastructure Documentation. When following these instructions, enter a matching rule of this format:

   ALL {resource.compartment.id ='<compartment-ocid>'}

   where <compartment-ocid> is the OCID of the compartment containing your Autonomous Exadata VM Cluster resource.

After creating the dynamic group, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your vaults and keys. Then, add a policy statement of this format:

allow dynamic-group <dynamic-group-name>
to manage keys
in compartment <vaults-and-keys-compartment>
where all {
target.key.id='<key_ocid>',
request.permission!='KEY_MOVE',
request.permission!='KEY_IMPORT'
}

If you are using a replicated virtual vault or replicated virtual private vault for the Autonomous Data Guard deployment, add an additional policy statement of this format:

allow dynamic-group <dynamic-group>
to read vaults
in tenancy | compartment <vaults-and-keys-compartment>