Managing Encryption Keys on External Devices
Learn how to store and manage database encryption keys. The keys can be kept in one of two places:
- In the Guest VM on the Exadata Infrastructure.
- On an external key management device. Oracle Key Vault is the currently supported device.
- About Oracle Key Vault: Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within the enterprise.
- Overview of Key Store: Integrate your on-premises Oracle Key Vault (OKV) with customer-managed database cloud services to secure your critical data on-premises.
- Required IAM Policy for Managing OKV on Oracle Exadata Database Service on Cloud@Customer: Review the identity access management (IAM) policy for managing OKV on Oracle Exadata Database Service on Cloud@Customer systems.
- Tagging Resources: You can apply tags to your resources to help you organize them according to your business needs.
- Moving Resources to a Different Compartment: You can move OKV Vault, Secret, and Keystore resources from one compartment to another.
- Setting Up Your Oracle Exadata Database Service on Cloud@Customer to Work With Oracle Key Vault
- Managing Your Key Store
Parent topic: Autonomous Database on Exadata Cloud@Customer
About Oracle Key Vault
Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within the enterprise.
Oracle Key Vault is a customer-provisioned and customer-managed system; it is not part of the Oracle Cloud Infrastructure managed services.
Overview of Key Store
Integrate your on-premises Oracle Key Vault (OKV) with customer-managed database cloud services to secure your critical data on-premises.
Oracle Key Vault integration enables you to take complete control of your encryption keys and store them securely on an external, centralized key management device.
OKV is optimized for Oracle wallets, Java keystores, and Oracle Advanced Security Transparent Data Encryption (TDE) master keys. Oracle Key Vault supports the OASIS KMIP standard. The full-stack, security-hardened software appliance uses Oracle Linux and Oracle Database technology for security, availability, and scalability, and can be deployed on your choice of compatible hardware.
OKV also provides a REST interface that clients use to auto-enroll endpoints and set up wallets and keys. For Autonomous Databases on Exadata Cloud@Customer to connect to the OKV REST interface, create a Key Store in your tenancy that records the IP address and REST administrator credentials of your OKV. Exadata Cloud@Customer temporarily stores the OKV REST administrator password needed to connect to the OKV appliance in a password-protected wallet file, so that the software running in the customer VM can connect to the OKV server. Once the TDE keys have been migrated to OKV, the cloud automation software removes the password from the wallet file. Create a secret in Oracle's Vault Service to hold that password; it is the secret, not the Key Store, that stores the password Autonomous Databases use to connect to OKV for key management.
For more information, see "Oracle Key Vault".
Required IAM Policy for Managing OKV on Oracle Exadata Database Service on Cloud@Customer
Review the identity access management (IAM) policy for managing OKV on Oracle Exadata Database Service on Cloud@Customer Systems.
A policy is an IAM document that specifies who has what type of access to your resources. The term is used in several ways: for an individual statement written in the policy language; for a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and for the overall body of policies your organization uses to control access to resources.
A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization.
To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console, or the REST API with a software development kit (SDK), a command-line interface (CLI), or some other tool. If you try to perform an action, and receive a message that you don’t have permission, or are unauthorized, then confirm with your administrator the type of access you've been granted, and which compartment you should work in.
For administrators: The policy in "Let database admins manage DB systems" lets the specified group do everything with databases and related database resources.
If you're new to policies, then see "Getting Started with Policies" and "Common Policies". If you want to dig deeper into writing policies for databases, then see "Details for the Database Service".
Tagging Resources
You can apply tags to your resources to help you organize them according to your business needs.
You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see "Resource Tags".
Moving Resources to a Different Compartment
You can move OKV Vault, Secret, and Keystore resources from one compartment to another.
After you move an OCI resource to a new compartment, inherent policies apply immediately and affect access to the resource. Moving an OKV Vault resource doesn't affect access to any OKV Vault Keys or OKV Vault Secrets that the OKV Vault contains. You can move OKV Vault Keys or OKV Vault Secrets from one compartment to another independently of moving the OKV Vault they are associated with. For more information, see Managing Compartments.
Setting Up Your Oracle Exadata Database Service on Cloud@Customer to Work With Oracle Key Vault
- Ensure that OKV is set up and that its network is reachable from the Exadata client network. Open ports 443, 5695, and 5696 for egress on the client network so that the OKV client software and the Oracle Database instances can reach the OKV server.
- Ensure that the REST interface is enabled from the OKV user interface.
- Create an "OKV REST Administrator" user. You can use any qualified username of your choice, for example, "okv_rest_user". ADB-C@C and ExaDB-C@C can share one REST user or use different ones, and those databases can be key-managed in the same or in different on-premises OKV clusters. The REST user for ExaDB-C@C needs the Create Endpoint privilege; the REST user for ADB-C@C needs both the Create Endpoint and Create Endpoint Group privileges.
- Gather the OKV administrator credentials and IP address, which are required to connect to OKV.
For more information, see Network Port Requirements, Managing Oracle Key Vault Users, and Managing Administrative Roles and User Privileges.
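A quick way to verify the egress requirement above before provisioning a database, as an added example rather than anything from the page or from Oracle: the script below attempts a TCP handshake to each of the three listed ports from the client network using bash's built-in /dev/tcp, so it needs no extra tools on the Guest VM. The OKV hostname is a placeholder supplied through OKV_HOST, and the connect timeout is an assumption.

```shell
#!/usr/bin/env bash
# Egress check for the three OKV ports the page lists (443, 5695, 5696).
# Added example, not Oracle's tooling. Run from a Guest VM on the Exadata client network:
#   OKV_HOST=okv.example.internal ./okv_egress_check.sh     (hostname is a placeholder)
# Uses bash's /dev/tcp, so neither nc nor nmap is required.

OKV_PORTS="443 5695 5696"                  # ports the page requires for egress
CONNECT_TIMEOUT="${CONNECT_TIMEOUT:-5}"    # seconds per port; assumed value

# probe_tcp HOST PORT -> 0 if a TCP handshake completes, 1 otherwise
# (refused, filtered or timed out). Runs in a child bash so a hang cannot stall the caller.
probe_tcp() {
    local host="$1" port="$2"
    if command -v timeout >/dev/null 2>&1; then
        timeout "$CONNECT_TIMEOUT" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# check_okv_egress HOST -> prints one line per port; return value is the number of
# unreachable ports, so 0 means every required port is open.
check_okv_egress() {
    local host="$1" port failed=0
    for port in $OKV_PORTS; do
        if probe_tcp "$host" "$port"; then
            printf 'OK      %s:%s reachable\n' "$host" "$port"
        else
            printf 'BLOCKED %s:%s unreachable (check client-network egress rules, firewalls, OKV service)\n' "$host" "$port"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only probe a real host when OKV_HOST is set, so the functions can be sourced or tested alone.
if [ -n "${OKV_HOST:-}" ]; then
    check_okv_egress "$OKV_HOST"
fi
```

A BLOCKED line means the handshake did not complete. A completed handshake only proves the network path is open; it says nothing about whether the REST interface is enabled or the REST user has the right privileges, which the remaining prerequisites cover.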
- Step 1: Create a Vault in OKV Vault Service and Add a Secret to the Vault to Store OKV REST Administrator Password
- Step 2: Create a Dynamic Group and a Policy Statement for Key Store to Access Secret in OKV Vault
- Step 3: Create a Dynamic Group and a Policy Statement for Exadata Infrastructure to Key Store
- Step 4: Create a Policy Statement for Database Service to Use Secret from OKV Vault Service
- Step 5: Create Key Store
Step 1: Create a Vault in OKV Vault Service and Add a Secret to the Vault to Store OKV REST Administrator Password
Your Exadata Cloud@Customer infrastructure communicates with OKV over REST each time an Oracle Database is provisioned to register the Oracle Database and request a wallet on OKV. Therefore, Exadata infrastructure needs access to the REST admin credentials to register with the OKV server.
These credentials are stored securely as a Secret in the Oracle Vault Service in OCI and are accessed by your Exadata Cloud@Customer infrastructure only when needed; at that point they are placed in a password-protected wallet file.
To store the OKV administrator password in the OKV Vault service, create a vault by following the instructions outlined in Managing Vaults and create a Secret in that vault by following the instructions outlined in Managing Secrets.
Step 2: Create a Dynamic Group and a Policy Statement for Key Store to Access Secret in OKV Vault
To grant your Key Store resources permission to access Secret in OKV Vault, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the Secret you created in the OKV Vaults and Secrets.
When defining the dynamic group, you identify your Key Store resources by specifying the OCID of the compartment containing your Key Store.
Step 3: Create a Dynamic Group and a Policy Statement for Exadata Infrastructure to Key Store
To grant your Exadata infrastructure resources permission to access Key Store, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the Key Store you created.
When defining the dynamic group, you identify your Exadata infrastructure resources by specifying the OCID of the compartment containing your Exadata infrastructure.
Step 4: Create a Policy Statement for Database Service to Use Secret from OKV Vault Service
allow service database to read secret-family in compartment <vaults-and-secrets-compartment>
where <vaults-and-secrets-compartment> is the name of the compartment in which you created your OKV Vaults and Secrets.
Once the OKV Vault is set up and the IAM configuration is in place, you are ready to deploy your Oracle Key Vault Key Store in OCI and associate it with your Exadata Cloud@Customer VM cluster.
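Steps 2 through 4 above describe two dynamic groups and three policy statements but quote only the last statement. The script below, an added example that is not Oracle's own tooling, consolidates all of them: it builds the matching rules (by compartment OCID, as the steps describe) and the policy statements, prints them for review, and applies them with the OCI CLI only when APPLY=1 is set. Assumptions: the verb and resource type "use keystores" for the Exadata infrastructure grant in Step 3, the dynamic-group and policy names, and every OCID and compartment name, all of which are placeholders.

```shell
#!/usr/bin/env bash
# Steps 2-4: dynamic groups and IAM policy statements for the OKV Key Store integration.
# Added example, not from the page or from Oracle. Dynamic groups are created in the tenancy
# (root compartment); policies are created there too so they cover every referenced compartment.

# --- inputs (placeholders; override with environment variables) ---------------------------
TENANCY_OCID="${TENANCY_OCID:-ocid1.tenancy.oc1..exampletenancy}"
KEYSTORE_COMPARTMENT_OCID="${KEYSTORE_COMPARTMENT_OCID:-ocid1.compartment.oc1..examplekeystorecomp}"
EXAINFRA_COMPARTMENT_OCID="${EXAINFRA_COMPARTMENT_OCID:-ocid1.compartment.oc1..exampleexainfracomp}"
KEYSTORE_COMPARTMENT_NAME="${KEYSTORE_COMPARTMENT_NAME:-keystore-compartment}"
SECRETS_COMPARTMENT_NAME="${SECRETS_COMPARTMENT_NAME:-vaults-and-secrets-compartment}"
KEYSTORE_DG="${KEYSTORE_DG:-okv-keystore-dg}"     # assumed name
EXAINFRA_DG="${EXAINFRA_DG:-exainfra-dg}"         # assumed name

# Dynamic-group rule: every resource in the given compartment. Steps 2 and 3 identify the
# Key Store and the Exadata infrastructure by compartment OCID, not by resource OCID.
matching_rule_for_compartment() {
    printf "ALL {resource.compartment.id = '%s'}" "$1"
}

# Step 2: the Key Store dynamic group may read the secret holding the OKV REST password.
keystore_secret_policy() {    # args: dynamic-group-name secrets-compartment-name
    printf "allow dynamic-group %s to read secret-family in compartment %s" "$1" "$2"
}

# Step 3: the Exadata infrastructure dynamic group may use the Key Store.
# "use keystores" is an assumed verb/resource-type pairing; confirm against the Database
# service IAM reference for your tenancy.
exainfra_keystore_policy() {  # args: dynamic-group-name keystore-compartment-name
    printf "allow dynamic-group %s to use keystores in compartment %s" "$1" "$2"
}

# Step 4: the Database service itself may read the secret (the statement quoted on the page).
dbservice_secret_policy() {   # args: secrets-compartment-name
    printf "allow service database to read secret-family in compartment %s" "$1"
}

# All statements as a JSON array, the form `oci iam policy create --statements` accepts.
policy_statements_json() {
    printf '["%s","%s","%s"]' \
        "$(keystore_secret_policy "$KEYSTORE_DG" "$SECRETS_COMPARTMENT_NAME")" \
        "$(exainfra_keystore_policy "$EXAINFRA_DG" "$KEYSTORE_COMPARTMENT_NAME")" \
        "$(dbservice_secret_policy "$SECRETS_COMPARTMENT_NAME")"
}

if [ "${APPLY:-0}" = "1" ]; then
    oci iam dynamic-group create --compartment-id "$TENANCY_OCID" --name "$KEYSTORE_DG" \
        --description "Key Store resources for OKV integration" \
        --matching-rule "$(matching_rule_for_compartment "$KEYSTORE_COMPARTMENT_OCID")"
    oci iam dynamic-group create --compartment-id "$TENANCY_OCID" --name "$EXAINFRA_DG" \
        --description "Exadata infrastructure for OKV integration" \
        --matching-rule "$(matching_rule_for_compartment "$EXAINFRA_COMPARTMENT_OCID")"
    oci iam policy create --compartment-id "$TENANCY_OCID" --name okv-keystore-policy \
        --description "OKV Key Store access to the REST password secret" \
        --statements "$(policy_statements_json)"
else
    echo "Dynamic group $KEYSTORE_DG: $(matching_rule_for_compartment "$KEYSTORE_COMPARTMENT_OCID")"
    echo "Dynamic group $EXAINFRA_DG: $(matching_rule_for_compartment "$EXAINFRA_COMPARTMENT_OCID")"
    echo "Policy statements: $(policy_statements_json)"
fi
```

Review the printed statements before running with APPLY=1. The matching rule matches every resource in the compartment, so keep the Key Store and the Exadata infrastructure in compartments that hold nothing else that should be able to read the OKV REST password secret.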
Managing Your Key Store
- View Key Store Details: Follow these steps to view Key Store details, which include the Oracle Key Vault (OKV) connection details and the list of associated databases.
- Edit Key Store Details: You can edit a Key Store only if it is not associated with any CDBs.
- Move a Key Store to Another Compartment: Follow these steps to move a Key Store on an Oracle Exadata Database Service on Cloud@Customer system from one compartment to another compartment.
- Delete a Key Store: You can delete a Key Store only if it is not associated with any CDBs.
- View Key Store Associated Container Database Details: Follow these steps to view details of the container database associated with a Key Store.
- Using the API to Manage Key Store: Learn how to use the API to manage key stores.
View Key Store Details
Follow these steps to view Key Store details, which include the Oracle Key Vault (OKV) connection details and the list of associated databases.
Edit Key Store Details
You can edit a Key Store only if it is not associated with any CDBs.
- Open the navigation menu. Under Oracle Database, click Exadata Database Service on Cloud@Customer.
- Choose your Compartment.
- Click Key Stores.
- Click the name of the Key Store or click the Actions icon (three dots), and then click View Details.
- On the Key Store Details page, click Edit.
- On the Edit Key Store page, make changes as needed, and then click Save Changes.
Move a Key Store to Another Compartment
Follow these steps to move a Key Store on an Oracle Exadata Database Service on Cloud@Customer system from one compartment to another compartment.
- Open the navigation menu. Under Oracle Database, click Exadata Database Service on Cloud@Customer.
- Choose your Compartment.
- Click Key Stores.
- Click the name of the Key Store or click the Actions icon (three dots), and then click View Details.
- On the Key Store Details page, click Move Resource.
- On the Move Resource to a Different Compartment page, select the new compartment.
- Click Move Resource.
Delete a Key Store
You can delete a Key Store only if it is not associated with any CDBs.
- Open the navigation menu. Under Oracle Database, click Exadata Database Service on Cloud@Customer.
- Choose your Compartment.
- Click Key Stores.
- Click the name of the Key Store or click the Actions icon (three dots), and then click View Details.
- On the Key Store Details page, click Delete.
- On the Delete Key Store dialog, click Delete.
View Key Store Associated Container Database Details
Follow these steps to view details of the container database associated with a Key Store.
- Open the navigation menu. Under Oracle Database, click Exadata Database Service on Cloud@Customer.
- Choose your Compartment.
- Click Key Stores.
- In the resulting Key Stores page, click the name of the Key Store or click the Actions icon (three dots), and then click View Details.
- Click the name of the associated database or click the Actions icon (three dots), and then click View Details.
Using the API to Manage Key Store
Learn how to use the API to manage key stores.
For information about using the API and signing requests, see "REST APIs" and "Security Credentials". For information about SDKs, see "Software Development Kits and Command Line Interface".
The REST API supports the following key store operations:
- Create OKV Key Store
- View OKV Key Store
- Update OKV Key Store
- Delete OKV Key Store
- Change Key Store compartment
- Choose between customer-managed and Oracle-managed encryption
- Get the Key Store (OKV or Oracle-managed) and OKV wallet name
- Change Key Store type
- Rotate OKV and Oracle-managed key
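The create operation is the one that ties the pieces above together, since its payload carries the OKV connection details and a reference to the Vault secret rather than the password itself. The script below is an added example, not from the page or from Oracle, that builds that payload and submits it with the OCI CLI. Assumptions: the `oci db key-store` command family and the shape of its --type-details JSON (type, connectionIps, adminUsername, vaultId, secretId) mirror the REST create payload; confirm them with `oci db key-store create --help` on your CLI version. All OCIDs, IP addresses and names are placeholders.

```shell
#!/usr/bin/env bash
# Create an OKV-backed Key Store with the OCI CLI (Step 5 / API section).
# Added example, not Oracle's tooling; flags and payload shape are assumptions to verify
# against `oci db key-store create --help`. Values below are placeholders.

COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..examplekeystorecomp}"
OKV_IPS="${OKV_IPS:-10.0.1.10,10.0.1.11}"        # OKV node IPs, comma separated
OKV_REST_USER="${OKV_REST_USER:-okv_rest_user}"   # the REST administrator user created on OKV
VAULT_OCID="${VAULT_OCID:-ocid1.vault.oc1.region.examplevault}"
SECRET_OCID="${SECRET_OCID:-ocid1.vaultsecret.oc1.region.examplesecret}"  # holds the REST password
DISPLAY_NAME="${DISPLAY_NAME:-okv-prod-keystore}"

# Build the --type-details JSON. The REST password never appears on the command line or in
# the payload: the Key Store references the Vault secret and the service reads it when needed.
okv_type_details() {  # args: comma-separated-ips admin-user vault-ocid secret-ocid
    local ips_json
    ips_json=$(printf '%s' "$1" | awk -F, '{for (i = 1; i <= NF; i++) printf "%s\"%s\"", (i > 1 ? "," : ""), $i}')
    printf '{"type":"OKV","connectionIps":[%s],"adminUsername":"%s","vaultId":"%s","secretId":"%s"}' \
        "$ips_json" "$2" "$3" "$4"
}

PAYLOAD=$(okv_type_details "$OKV_IPS" "$OKV_REST_USER" "$VAULT_OCID" "$SECRET_OCID")

if [ "${APPLY:-0}" = "1" ]; then
    oci db key-store create --compartment-id "$COMPARTMENT_OCID" \
        --display-name "$DISPLAY_NAME" --type-details "$PAYLOAD"
    # Check: the new Key Store should appear in the compartment with the OKV details echoed back.
    oci db key-store list --compartment-id "$COMPARTMENT_OCID"
else
    echo "type-details payload: $PAYLOAD"
fi
```

Run without APPLY to inspect the payload, then with APPLY=1 once the IAM policies from the setup steps are in place; without them the create succeeds but the infrastructure cannot read the secret when a database is provisioned.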