Rotate Customer-Managed Encryption Keys on Autonomous Database in OCI Vault

Describes how to rotate customer-managed encryption keys on Autonomous Database in OCI Vault.

When you rotate the customer-managed master encryption key, Autonomous Database generates a new TDE master key and uses the new TDE master key to re-encrypt the tablespace encryption keys that encrypt and decrypt your data. This operation is fast and does not require database downtime. It does not change the tablespace keys and does not re-encrypt customer data.

Note

Using the Oracle Cloud Infrastructure Console you can rotate an Oracle Cloud Infrastructure Vault master encryption key with the Rotate Key command. This is a separate action and does not result in a new master encryption key for your Autonomous Database. To rotate the master encryption key of your Autonomous Database, create a new master encryption key in Oracle Cloud Infrastructure Vault and follow the steps described below.

To rotate customer-managed encryption keys:

  1. Create a new master encryption key in your Oracle Cloud Infrastructure Vault. If you already have multiple master encryption keys, then select a master encryption key that is different than the key you are using as your master encryption key for your Autonomous Database instance.

    See Prerequisites to Use Customer-Managed Encryption Keys on Autonomous Database in OCI Vault for more information.

  2. Rotate the master encryption key from the Oracle Cloud Infrastructure Console:

    See Use Customer-Managed Encryption Keys with Vault Located in Local Tenancy for more information.