Master Encryption Keys in Autonomous Database on Dedicated Exadata Infrastructure
By default, Autonomous Database on Dedicated Exadata Infrastructure creates and manages all the master encryption keys used to protect your data, storing them in a secure PKCS 12 keystore on the same Exadata systems where the databases reside.
If your company security policies require, Oracle Autonomous Database on Dedicated Exadata Infrastructure can instead use keys you create and manage using Oracle Key Store. For Oracle Public Cloud deployments, you can also use the Oracle Cloud Infrastructure Vault service to create and manage keys.
Caution:
Because customer-managed keys are stored in a separate key vault external to the database host, any configuration change or interruption that makes the key vault inaccessible to a database using its keys renders that database's data inaccessible.
Additionally, regardless of whether you use Oracle-managed or customer-managed keys, you can rotate the keys used in existing databases when needed in order to meet your company security policies. See Rotate the Encryption Keys for more details.
- Prepare to Use Customer-Managed Keys in the Vault Service
- Prepare to Use Customer-Managed Keys in Oracle Key Vault
- Use Customer-Managed Keys
Parent topic: Security
Prepare to Use Customer-Managed Keys in the Vault Service
Before you can use customer-managed keys stored in the Vault service, you must perform a number of preparatory configuration tasks to create a vault and master encryption keys and then make that vault and its keys available to Autonomous Database; specifically:
- Use the Vault service to create a vault containing at least one valid master encryption key.
- Use the Networking service to add a service gateway, a route rule and an egress security rule to the VCN (Virtual Cloud Network) and subnets where your Autonomous Database resources reside.
- Use the IAM service to create a dynamic group identifying your Autonomous Database resources and a policy statement granting that dynamic group access to the master encryption keys you created.
Tip:
For a "try it out" alternative that demonstrates these instructions, see Lab 17: Customer Controlled Database Encryption Keys in Oracle Autonomous Database Dedicated for Security Administrators.Before You Begin: Compartment Hierarchy Best Practice
Oracle recommends that you create a compartment hierarchy for your Oracle Autonomous Database on Dedicated Exadata Infrastructure deployment on dedicated infrastructure as follows:
- A "parent" compartment for the entire deployment
- "Child" compartments for each of the various kinds of resources:
- Autonomous Databases
- Autonomous Container Databases and infrastructure resources (Exadata Infrastructures and Autonomous Exadata VM Clusters)
- The VCN (Virtual Cloud Network) and its subnets
- Vaults that contain your customer-managed keys
Following this best practice is especially important when using customer-managed keys because the policy statement you create to grant Oracle Autonomous Database on Dedicated Exadata Infrastructure access to your keys must be added to a policy that is higher in your compartment hierarchy than the compartment containing your vaults and their keys.
Task 1. Create a Vault and a Master Encryption Key
Create a vault in the Vault service by following the instructions in To create a new vault in Oracle Cloud Infrastructure Documentation. When following these instructions, Oracle recommends that you create the vault in a compartment created specifically to contain the vaults containing customer-managed keys, as described in Before You Begin: Compartment Hierarchy Best Practice.
After creating the vault, create at least one master encryption key in the vault by following the instructions in To create a new master encryption key in Oracle Cloud Infrastructure Documentation. When following these instructions, make these choices:
- Create in Compartment: Oracle recommends that you create the master encryption key in the same compartment as its vault; that is, the compartment created specifically to contain the vaults containing customer-managed keys.
- Protection Mode: Choose an appropriate value from the drop-down list:
- HSM to create a master encryption key that is stored and processed on a hardware security module (HSM).
- Software to create a master encryption key that is stored in a software file system in the Vault service. Software-protected keys are protected at rest using an HSM-based root key. You may export software keys to other key management devices or to a different OCI cloud region. Unlike HSM keys, software-protected keys are free of cost.
- Key Shape Algorithm: AES
- Key Shape Length: 256 bits
Oracle strongly recommends that you create a separate master encryption key for each of your Autonomous Container Databases. Doing so makes management of key rotation over time much simpler.
Task 2. Create a Service Gateway, a Route Rule and an Egress Security Rule
Create a service gateway in the VCN (Virtual Cloud Network) where your Autonomous Database resources reside by following the instructions in Task 1: Create the service gateway in Oracle Cloud Infrastructure Documentation.
After creating the service gateway, add a route rule and an egress security rule to each subnet (in the VCN) where Autonomous Database resources reside so that these resources can use the gateway to access the Vault service:
-
Go to the Subnet Details page for the subnet.
-
In the Subnet Information tab, click the name of the subnet's Route Table to display its Route Table Details page.
-
In the table of existing Route Rules, check whether there is already a rule with the following characteristics:
- Destination: All IAD Services In Oracle Services Network
- Target Type: Service Gateway
- Target: The name of the service gateway you just created in the VCN
If such a rule does not exist, click Add Route Rules and add a route rule with these characteristics.
-
Return to the Subnet Details page for the subnet.
-
In the subnet's Security Lists table, click the name of the subnet's security list to display its Security List Details page.
-
In the side menu, under Resources, click Egress Rules.
-
In the table of existing Egress Rules, check whether there is already a rule with the following characteristics:
- Stateless: No
- Destination: All IAD Services In Oracle Services Network
- IP Protocol: TCP
- Source Port Range: All
- Destination Port Range: 443
If such a rule does not exist, click Add Egress Rules and add an egress rule with these characteristics.
Task 3. Create a Dynamic Group and a Policy Statement
To grant your Autonomous Database resources permission to access customer-managed keys, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the master encryption keys you created in the Vault service.
When defining the dynamic group, you identify your Autonomous Database resources by specifying the OCID of the compartment containing your Exadata Infrastructure resource.
-
Copy the OCID of the compartment containing your Exadata Infrastructure resource. You can find this OCID on the Compartment Details page of the compartment.
-
Create a dynamic group by following the instructions in To create a dynamic group in Oracle Cloud Infrastructure Documentation. When following these instructions, enter a matching rule of this format:
ALL {resource.compartment.id ='<compartment-ocid>'}
where
<compartment-ocid>
is the OCID of the compartment containing your Autonomous Exadata VM Cluster resource.
allow dynamic-group <dynamic-group-name>
to manage keys
in compartment <vaults-and-keys-compartment>
where all {
target.key.id='<key_ocid>',
request.permission!='KEY_MOVE',
request.permission!='KEY_IMPORT'
}
allow dynamic-group <dynamic-group>
to read vaults
in tenancy | compartment <vaults-and-keys-compartment>
where <dynamic-group>
is the name of the dynamic group you created and <vaults-and-keys-compartment>
is the name of the compartment in which you created your vaults and master encryption keys.
Prepare to Use Customer-Managed Keys in Oracle Key Vault
Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within your enterprise. You integrate your on-premises Oracle Key Vault deployment with Oracle Autonomous Database on Dedicated Exadata Infrastructure to create and manage your own the master keys.
Before you can use customer-managed keys stored in Oracle Key Vault, you must perform a number of preparatory configuration tasks as described in Prepare to Use Oracle Key Vault.
Use Customer-Managed Keys
After performing the necessary configuration steps to enable using customer-managed keys in Oracle Autonomous Database on Dedicated Exadata Infrastructure instead of Oracle-managed keys, the technique to actually use them is quite simple:
- Create an Autonomous Container Database that specifies the use of customer-managed keys instead of Oracle-managed keys.
- Create Autonomous Databases in the Autonomous Container Database.
The Autonomous Databases you create automatically use customer-managed keys because the Autonomous Container Database in which they are created is configured to use customer-managed keys. Thus, those users who create and manage Autonomous Databases do not have to worry about configuring their databases to use customer-managed keys.
See Create an Autonomous Container Database to create an Autonomous Container Database that uses customer-managed keys.