Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database in OCI Vault

Perform these prerequisite steps to use customer-managed keys on Autonomous Database in OCI Vault:

  1. Create an Oracle Cloud Infrastructure Vault.
    1. Open the Oracle Cloud Infrastructure Console by clicking the navigation icon next to Oracle Cloud.
    2. From the Oracle Cloud Infrastructure left navigation menu click Identity and Security.
    3. Under Key Management & Secret Management click Vault.
    4. Select an existing Vault or create a new Vault.

      For more details, see Creating a Vault.

  2. Create a Master Encryption Key in the Vault.
    Note

    You must use these options when you create the key:
    • Key Shape: Algorithm: AES (Symmetric key used for Encrypt and Decrypt)

    • Key Shape: Length: 256 bits

    If you create the key with the CLI or the API instead of the Console, note that the key shape length is expressed there in bytes, so a 256-bit AES key has a key shape length of 32.

    For more information, see Creating a Master Encryption Key and Overview of Key Management.

  3. Create a dynamic group and policy statements for the dynamic group to enable access to Oracle Cloud Infrastructure resources (vaults and keys).
    This step depends on whether the vault is in the same tenancy as the Autonomous Database instance or in a different tenancy.

    Note

    You must replicate the vault and keys to use customer-managed encryption keys with Autonomous Data Guard with a remote standby database. Customer-managed encryption keys are supported with only a single cross-region Autonomous Data Guard standby. Multiple cross-region standbys are not supported because Oracle Cloud Infrastructure Vault supports replication to only one remote region.

See the following for more information:

Create Dynamic Group and Policies for Customer Managed Keys with Vault in Same Tenancy as Database

Create dynamic group and policies to provide access to the vault and keys for customer-managed keys when the vault and keys are in the same tenancy as the Autonomous Database instance.

  1. Create a dynamic group to make the master encryption key accessible to the Autonomous Database instance.
    1. In the Oracle Cloud Infrastructure console click Identity & Security.
    2. Under Identity click Domains and select an identity domain (or create a new identity domain).
    3. Under Identity domain, click Dynamic groups.
    4. Click Create dynamic group and enter a Name, a Description, and a rule.
      • Create Dynamic Group for an existing database:

        You can specify that an Autonomous Database instance is part of the dynamic group. The dynamic group in the following example includes only the Autonomous Database whose OCID is specified in the resource.id parameter:

        resource.id = '<your_Autonomous_Database_instance_OCID>'
      • Create a Dynamic Group for a database that has not been provisioned yet:

        When you are creating the dynamic group before you provision or clone an Autonomous Database instance, the OCID for the new database is not yet available. For this case, create a dynamic group that specifies the resources in a given compartment. This rule matches every resource in the compartment, not only the new database, so after the database is provisioned consider narrowing the rule to its resource.id:

        resource.compartment.id = '<your_Compartment_OCID>'
    5. Click Create.
  2. Write policy statements for the dynamic group to enable access to Oracle Cloud Infrastructure resources (vaults and keys).
    1. In the Oracle Cloud Infrastructure console click Identity & Security and click Policies.
    2. To write policies for a dynamic group, click Create Policy, and enter a Name and a Description.
    3. Use the Policy Builder to create a policy for vault and keys in the local tenancy.

      For example, the following allows the members of the dynamic group DGKeyCustomer1 to access the vaults and keys in the compartment named training:

      Allow dynamic-group DGKeyCustomer1 to use vaults in compartment training
      Allow dynamic-group DGKeyCustomer1 to use keys in compartment training

      This sample policy applies for a single compartment. You can specify that a policy applies for your tenancy, a compartment, a resource, or a group of resources.

      To use customer-managed keys with Autonomous Data Guard with a remote standby, the following policy is also required. The manage verb includes use and is considerably broader, so grant it only when you need the cross-region standby:

      Allow dynamic-group DGKeyCustomer1 to manage vaults in compartment training
      Allow dynamic-group DGKeyCustomer1 to manage keys in compartment training
    4. Click Create to save the policy.

Create Dynamic Group and Policies for Customer Managed Keys with Vault in Different Tenancy than the Database

Perform these steps to use customer-managed keys when the Autonomous Database instance and vaults and keys are in different tenancies.

In this case, you need to supply OCID values when you change to customer-managed keys. In addition, you need to define dynamic groups and policies that allow the Autonomous Database instance to use vaults and keys in a different tenancy.

  1. Copy the master encryption key OCID.
  2. Copy the vault OCID.
  3. Copy the tenancy OCID (the remote tenancy that contains vaults and keys).
  4. On the tenancy with the Autonomous Database instance, create a dynamic group.
    1. In the Oracle Cloud Infrastructure console, on the tenancy with the Autonomous Database instance, click Identity & Security.
    2. Under Identity click Domains and select an identity domain (or create a new identity domain).
    3. Under Identity domain, click Dynamic groups.
    4. Click Create dynamic group and enter a Name, a Description, and a rule.
      • Create Dynamic Group for an existing database:

        You can specify that an Autonomous Database instance is part of the dynamic group. The dynamic group in the following example includes only the Autonomous Database whose OCID is specified in the resource.id parameter:

        resource.id = '<your_Autonomous_Database_instance_OCID>'
      • Create a Dynamic Group for a database that has not been provisioned yet:

        When you are creating the dynamic group before you provision or clone an Autonomous Database instance, the OCID for the new database is not yet available. For this case, create a dynamic group that specifies the resources in a given compartment. This rule matches every resource in the compartment, not only the new database, so after the database is provisioned consider narrowing the rule to its resource.id:

        resource.compartment.id = '<your_Compartment_OCID>'
    5. Click Create.
  5. On the tenancy with the Autonomous Database instance, define the policies to allow access to vaults and keys (where the vaults and keys are on a different tenancy).
    1. In the Oracle Cloud Infrastructure console click Identity & Security.
    2. Under Identity click Policies.
    3. To write a policy, click Create Policy.
    4. On the Create Policy page, enter a Name and a Description.
    5. On the Create Policy page, select Show manual editor.
    6. In the policy builder, add policies so that the Autonomous Database instance is able to access vaults and keys located in the different tenancy. Also add policies for the IAM group that the IAM user belongs to so that the Oracle Cloud Infrastructure Console for the Autonomous Database instance can show details about the key that resides in a different tenancy.

      In the following generic policy, Tenancy-1 is the tenancy with the Autonomous Database instance and Tenancy-2 is the tenancy with the vaults and keys. Copy the policy and replace the variables and names with your own values, where ADB-DynamicGroup is the dynamic group you created in Step 4 and MyUserGroup is the IAM group of the Console user:

      define tenancy REMTEN as <ocid of tenancy-2>
      endorse dynamic-group ADB-DynamicGroup to use vaults in tenancy REMTEN
      endorse dynamic-group ADB-DynamicGroup to use keys in tenancy REMTEN
      endorse group MyUserGroup to use vaults in tenancy REMTEN
      endorse group MyUserGroup to use keys in tenancy REMTEN

      For example, the following allows the members of the dynamic group DGKeyCustomer1 to access the remote vaults and keys in the tenancy named training2:

      define tenancy training2 as ocid1.tenancy.oc1..aaa_example_rcyx2a
      endorse dynamic-group DGKeyCustomer1 to use vaults in tenancy training2
      endorse dynamic-group DGKeyCustomer1 to use keys in tenancy training2
      endorse group MyUserGroup to use vaults in tenancy training2
      endorse group MyUserGroup to use keys in tenancy training2
    7. Click Create to save the policy.
  6. Copy the tenancy OCID (the tenancy that contains the Autonomous Database instance).
  7. Copy the Dynamic Group OCID (for the Dynamic Group you created in Step 4).
  8. On the remote tenancy with vaults and keys, define a dynamic group and policies to allow the Autonomous Database instance to access vaults and keys.
    1. In the Oracle Cloud Infrastructure console, click Identity & Security.
    2. Under Identity click Policies.
    3. To create a policy, click Create Policy.
    4. On the Create Policy page, enter a Name and a Description.
    5. On the Create Policy page, select Show manual editor.
    6. In the manual editor, add the define statements and policies that let the dynamic group in the tenancy with the Autonomous Database instance (Tenancy-1) use the vaults and keys in Tenancy-2. Also add policies that let the IAM user group access the vaults and keys, so that the Oracle Cloud Infrastructure Console can display key details for the Autonomous Database instance in the other tenancy.

      The define statements give local aliases to the remote tenancy, dynamic group, and group (identified by OCID); the admit statements then grant those aliases access to the vaults and keys in this tenancy:

      define tenancy ADBTEN as <ocid of tenancy-1>
      define dynamic-group REM-ADB-DG as <ocid of the Dynamic Group in tenancy-1>
      define group REMGROUP as <group-ocid> 
      admit dynamic-group REM-ADB-DG of tenancy ADBTEN to use vaults in tenancy
      admit dynamic-group REM-ADB-DG of tenancy ADBTEN to use keys in tenancy
      admit group REMGROUP of tenancy ADBTEN to use vaults in tenancy
      admit group REMGROUP of tenancy ADBTEN to use keys in tenancy

      For example, define the following on the remote tenancy (the one that contains the vaults and keys, training2 in the example above) to allow the dynamic group DGKeyCustomer1 in tenancy adbdemo5 (referenced by its OCID through the alias REM-ADB-DG) and the group REMGROUP to use the vaults and keys in this tenancy. Every alias used in an admit statement must match one introduced by a define statement in the same policy:

      define tenancy adbdemo5 as ocid1.tenancy.oc1..aaa_example_4cnl5q
      define dynamic-group REM-ADB-DG as ocid1.dynamicgroup.oc1..aaa_example_526bia
      define group REMGROUP as ocid1.group.oc1..aaa_example_6vctn6xsaq
      admit dynamic-group REM-ADB-DG of tenancy adbdemo5 to use vaults in tenancy
      admit dynamic-group REM-ADB-DG of tenancy adbdemo5 to use keys in tenancy
      admit group REMGROUP of tenancy adbdemo5 to use vaults in tenancy
      admit group REMGROUP of tenancy adbdemo5 to use keys in tenancy
    7. Click Create to save the policy.
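The two procedures above (vault in the same tenancy, vault in a different tenancy) produce a small set of IAM statements whose define/endorse/admit aliases must agree across two separately edited policies. The following is an added example, not Oracle's code or part of the original page: it generates the dynamic-group rule and the policy statements for both layouts from the OCIDs you collected, checks that each OCID has the resource type the statement expects, and flags any alias that an admit or endorse statement references without a matching define statement. All OCIDs in it are constructed placeholders; the alias names (REMTEN, ADBTEN, REM-ADB-DG, REMGROUP) follow the templates above, and the optional where clause uses the target.key.id policy variable to restrict the key statements to one key.

```python
"""Build the IAM statements for Autonomous Database customer-managed keys.

Added example (not Oracle's code). It writes out the dynamic-group rule and
the policy statements from the procedures above for the same-tenancy and the
cross-tenancy layouts, and checks that every alias an admit/endorse statement
relies on was introduced by a define statement. All OCIDs are placeholders.
"""
import re
from typing import Optional

# Statement shapes used by the alias check.
_DEFINE = re.compile(r"^define (?:tenancy|dynamic-group|group) (\S+) as ")
_ADMIT = re.compile(r"^admit (?:dynamic-group|group) (\S+) of tenancy (\S+) ")
_ENDORSE = re.compile(r"^endorse .+ in tenancy (\S+)$")


def check_ocid(ocid: str, expected_type: str) -> str:
    """Reject strings not shaped like an OCID of the expected resource type
    (ocid1.<type>.<realm>.<region or empty>.<unique id>). OCIDs are opaque,
    so only the structure and the type segment are checked."""
    parts = ocid.split(".")
    if len(parts) < 5 or parts[0] != "ocid1" or not parts[2].startswith("oc"):
        raise ValueError(f"not an OCID: {ocid!r}")
    if parts[1] != expected_type:
        raise ValueError(f"expected a {expected_type} OCID, got {parts[1]!r}")
    return ocid


def dynamic_group_rule(adb_ocid: Optional[str] = None,
                       compartment_ocid: Optional[str] = None) -> str:
    """Matching rule for the dynamic group. The compartment form matches every
    resource in the compartment, so use it only until the database exists."""
    if adb_ocid:
        return f"resource.id = '{check_ocid(adb_ocid, 'autonomousdatabase')}'"
    if compartment_ocid:
        return f"resource.compartment.id = '{check_ocid(compartment_ocid, 'compartment')}'"
    raise ValueError("a database OCID or a compartment OCID is required")


def same_tenancy_policy(dg: str, compartment: str, key_ocid: Optional[str] = None,
                        data_guard: bool = False) -> list:
    """Vault and database in one tenancy. 'manage' statements are added only
    for a cross-region Autonomous Data Guard standby; an optional key OCID
    narrows the key statements to that single key."""
    where = f" where target.key.id = '{check_ocid(key_ocid, 'key')}'" if key_ocid else ""
    stmts = []
    for verb in (["use", "manage"] if data_guard else ["use"]):
        stmts.append(f"Allow dynamic-group {dg} to {verb} vaults in compartment {compartment}")
        stmts.append(f"Allow dynamic-group {dg} to {verb} keys in compartment {compartment}{where}")
    return stmts


def cross_tenancy_policies(adb_tenancy_ocid: str, vault_tenancy_ocid: str, dg_name: str,
                           dg_ocid: str, user_group: str, user_group_ocid: str) -> dict:
    """Vault in a different tenancy: the endorse policy for the database
    tenancy and the matching admit policy for the vault tenancy."""
    check_ocid(adb_tenancy_ocid, "tenancy")
    check_ocid(vault_tenancy_ocid, "tenancy")
    check_ocid(dg_ocid, "dynamicgroup")
    check_ocid(user_group_ocid, "group")
    database_tenancy = [f"define tenancy REMTEN as {vault_tenancy_ocid}"]
    vault_tenancy = [f"define tenancy ADBTEN as {adb_tenancy_ocid}",
                     f"define dynamic-group REM-ADB-DG as {dg_ocid}",
                     f"define group REMGROUP as {user_group_ocid}"]
    for res in ("vaults", "keys"):
        database_tenancy += [f"endorse dynamic-group {dg_name} to use {res} in tenancy REMTEN",
                             f"endorse group {user_group} to use {res} in tenancy REMTEN"]
        vault_tenancy += [f"admit dynamic-group REM-ADB-DG of tenancy ADBTEN to use {res} in tenancy",
                          f"admit group REMGROUP of tenancy ADBTEN to use {res} in tenancy"]
    return {"database_tenancy": database_tenancy, "vault_tenancy": vault_tenancy}


def undefined_aliases(statements: list) -> set:
    """Aliases referenced by admit/endorse statements that no define statement
    in the same policy introduces (an empty set means the policy is consistent)."""
    defined, referenced = set(), set()
    for stmt in (s.strip() for s in statements):
        if m := _DEFINE.match(stmt):
            defined.add(m.group(1))
        elif m := _ADMIT.match(stmt):
            referenced.update(m.groups())
        elif m := _ENDORSE.match(stmt):
            referenced.add(m.group(1))
    return referenced - defined


if __name__ == "__main__":
    # Constructed placeholder OCIDs, not real identifiers.
    policies = cross_tenancy_policies("ocid1.tenancy.oc1..example_adb_tenancy",
                                      "ocid1.tenancy.oc1..example_vault_tenancy",
                                      "DGKeyCustomer1", "ocid1.dynamicgroup.oc1..example_dg",
                                      "MyUserGroup", "ocid1.group.oc1..example_group")
    for tenancy, stmts in policies.items():
        print(f"# {tenancy}: undefined aliases = {undefined_aliases(stmts) or 'none'}")
        print("\n".join(stmts))
```

Paste the `database_tenancy` statements into the policy on the tenancy that holds the Autonomous Database instance and the `vault_tenancy` statements into the policy on the tenancy that holds the vault; run `undefined_aliases` over any hand-edited policy before saving it, since the Console accepts a statement whose alias was never defined and the resulting policy simply grants nothing.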