Oracle Cloud Infrastructure Documentation

Master Encryption Keys in Autonomous Database on Dedicated Exadata Infrastructure

By default, Autonomous Database on Dedicated Exadata Infrastructure creates and manages all the master encryption keys used to protect your data, storing them in a secure PKCS 12 keystore on the same Exadata systems where the databases reside. These are referred to as Oracle-managed encryption keys.

If your company security policies require, Autonomous Database can instead use keys you create and manage using Oracle Key Store. For Oracle Public Cloud deployments, you can also use the Oracle Cloud Infrastructure Vault service to create and manage keys.

When you create a customer-managed key using the OCI Vault service, you can also import your own key material (Bring Your Own Key or BYOK) instead of letting the Vault service generate the key material internally.

Caution:

As customer-managed keys stored in Oracle Key Vault (OKV) are external to the database host, any configuration change or interruption that makes the OKV inaccessible to the database using its keys makes its data inaccessible.

Additionally, regardless of whether you use Oracle-managed or customer-managed keys, you can rotate the keys used in existing databases when needed in order to meet your company security policies. See Rotate the Encryption Keys for more details.

Before You Begin: Compartment Hierarchy Best Practice

Oracle recommends that you create a compartment hierarchy for your Autonomous Database deployment on dedicated infrastructure as follows:
  • A "parent" compartment for the entire deployment
  • "Child" compartments for each of the various kinds of resources:
    • Autonomous Databases
    • Autonomous Container Databases and infrastructure resources (Exadata Infrastructures and Autonomous Exadata VM Clusters)
    • The VCN (Virtual Cloud Network) and its subnets
    • Vaults that contain your customer-managed keys

Following this best practice is especially important when using customer-managed keys because the policy statement you create to grant Autonomous Database access to your keys must be added to a policy that is higher in your compartment hierarchy than the compartment containing your vaults and their keys.

Parent topic: Security

Use Customer-Managed Keys in the Vault Service

Before you can use customer-managed keys stored in the Vault service, you must perform a number of preparatory configuration tasks to create a vault and master encryption keys and then make that vault and its keys available to Autonomous Database; specifically:

  1. Create a vault in the Vault service by following the instructions in To create a new vault in Oracle Cloud Infrastructure Documentation. When following these instructions, Oracle recommends that you create the vault in a compartment created specifically to contain the vaults containing customer-managed keys, as described in Compartment Hierarchy Best Practice.
    After creating the vault, you can create at least one master encryption key in the vault by following the instructions in To create a new master encryption key in Oracle Cloud Infrastructure Documentation. When following these instructions, make these choices:
    • Create in Compartment: Oracle recommends that you create the master encryption key in the same compartment as its vault; that is, the compartment created specifically to contain the vaults containing customer-managed keys.
    • Protection Mode: Choose an appropriate value from the drop-down list:
      • HSM to create a master encryption key that is stored and processed on a hardware security module (HSM).
      • Software to create a master encryption key that is stored in a software file system in the Vault service. Software-protected keys are protected at rest using an HSM-based root key. You may export software keys to other key management devices or to a different OCI cloud region. Unlike HSM keys, software-protected keys are free of cost.
    • Key Shape Algorithm: AES
    • Key Shape Length: 256 bits
    Note

    You can also add an encryption key to an existing vault.
  2. Use the Networking service to Create a Service Gateway, a Route Rule and an Egress Security Rule to the VCN (Virtual Cloud Network) and subnets where your Autonomous Database resources reside.
  3. Use the IAM service to Create a Dynamic Group identifying your Autonomous Database resources and a policy statement granting that dynamic group access to the master encryption keys you created.

Tip:

For a "try it out" alternative that demonstrates these instructions, see Lab 17: Customer Controlled Database Encryption Keys in Oracle Autonomous Database Dedicated for Security Administrators.

After configuring the customer-managed key using the above steps, you can configure it while provisioning an Autonomous Container Database (ACD) or by rotating the existing encryption key from the Details page of ACD or Autonomous Database. Autonomous Databases provisioned in this ACD will automatically inherit these encryption keys. See Create an Autonomous Container Database or Rotate the Encryption Key of an Autonomous Container Database for more details.

Use Bring Your Own Keys (BYOK) in Vault Service

APPLIES TO: Applicable Oracle Public Cloud only

When you create a customer-managed key using the OCI Vault service, you can also import your own key material (Bring Your Own Key or BYOK) instead of letting the Vault service generate the key material internally.

Before you can bring your own keys into the Vault service, you must perform number of preparatory configuration tasks to create a vault and import the master encryption key and then make that vault and its keys available to Autonomous Database; specifically:
  1. Create a vault in the Vault service by following the instructions in To create a new vault in Oracle Cloud Infrastructure Documentation. When following these instructions, Oracle recommends that you create the vault in a compartment created specifically to contain the vaults containing customer-managed keys, as described in Compartment Hierarchy Best Practice.
    After creating the vault, you can create at least one master encryption key in the vault by following the instructions in To create a new master encryption key in Oracle Cloud Infrastructure Documentation. You can also import a customer encryption key into an existing vault. When following these instructions, make these choices:
    • Create in Compartment: Oracle recommends that you create the master encryption key in the same compartment as its vault; that is, the compartment created specifically to contain the vaults containing customer-managed keys.
    • Protection Mode: Choose an appropriate value from the drop-down list:
      • HSM to create a master encryption key that is stored and processed on a hardware security module (HSM).
      • Software to create a master encryption key that is stored in a software file system in the Vault service. Software-protected keys are protected at rest using an HSM-based root key. You may export software keys to other key management devices or to a different OCI cloud region. Unlike HSM keys, software-protected keys are free of cost.
    • Key Shape Algorithm: AES
    • Key Shape Length: 256 bits
    • Import External Key: To use a customer encryption key (BYOK), select Import External Key and provide the following details:
      • Wrapping Key Information. This section is read-only, but you can view the public wrapping key details.
      • Wrapping Algorithm. Select a wrapping algorithm from the drop-down list.
      • External Key Data Source. Upload the file that contains the wrapped RSA key material.
    Note

    You can either import the key material as a new external key version or click the name of an existing master encryption key and rotate it to a new key version.

    Refer to Importing Key Material as an External Key Version for more details.

  2. Use the Networking service to Create a Service Gateway, a Route Rule and an Egress Security Rule to the VCN (Virtual Cloud Network) and subnets where your Autonomous Database resources reside.
  3. Use the IAM service to Create a Dynamic Group identifying your Autonomous Database resources and a policy statement granting that dynamic group access to the master encryption keys you created.

After configuring the customer-managed BYOK using the above steps, you can use it by rotating the existing encryption key from the Details page of Autonomous Container Database or Autonomous Database. See Rotate the Encryption Key of an Autonomous Container Database for more details.

Create a Service Gateway, a Route Rule and an Egress Security Rule

Oracle Cloud Infrastructure (OCI) Service Gateway provides private, secure access to multiple Oracle Cloud services simultaneously from within a virtual cloud network (VCN) or on-premises network via a single gateway without traversing the internet.

Create a service gateway in the VCN (Virtual Cloud Network) where your Autonomous Database resources reside by following the instructions in Task 1: Create the service gateway in Oracle Cloud Infrastructure Documentation.

After creating the service gateway, add a route rule and an egress security rule to each subnet (in the VCN) where Autonomous Database resources reside so that these resources can use the gateway to access the Vault service:
  1. Go to the Subnet Details page for the subnet.
  2. In the Subnet Information tab, click the name of the subnet's Route Table to display its Route Table Details page.
  3. In the table of existing Route Rules, check whether there is already a rule with the following characteristics:
    • Destination: All IAD Services In Oracle Services Network
    • Target Type: Service Gateway
    • Target: The name of the service gateway you just created in the VCN

    If such a rule does not exist, click Add Route Rules and add a route rule with these characteristics.

  4. Return to the Subnet Details page for the subnet.
  5. In the subnet's Security Lists table, click the name of the subnet's security list to display its Security List Details page.
  6. In the side menu, under Resources, click Egress Rules.
  7. In the table of existing Egress Rules, check whether there is already a rule with the following characteristics:
    • Stateless: No
    • Destination: All IAD Services In Oracle Services Network
    • IP Protocol: TCP
    • Source Port Range: All
    • Destination Port Range: 443

    If such a rule does not exist, click Add Egress Rules and add an egress rule with these characteristics.

Create a Dynamic Group and a Policy Statement

To grant your Autonomous Database resources permission to access customer-managed keys, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the master encryption keys you created in the Vault service.

When defining the dynamic group, you identify your Autonomous Database resources by specifying the OCID of the compartment containing your Exadata Infrastructure resource.
  1. Copy the OCID of the compartment containing your Exadata Infrastructure resource. You can find this OCID on the Compartment Details page of the compartment.
  2. Create a dynamic group by following the instructions in To create a dynamic group in Oracle Cloud Infrastructure Documentation. When following these instructions, enter a matching rule of this format:
    ALL {resource.compartment.id ='<compartment-ocid>'}

    where <compartment-ocid> is the OCID of the compartment containing your Autonomous Exadata VM Cluster resource.

After creating the dynamic group, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your vaults and keys. Then, add a policy statement of this format:
allow dynamic-group <dynamic-group-name>
to manage keys
in compartment <vaults-and-keys-compartment>
where all {
target.key.id='<key_ocid>',
request.permission!='KEY_MOVE',
request.permission!='KEY_IMPORT'
}
If you are using a replicated virtual vault or replicated virtual private vault for the Autonomous Data Guard deployment, add an additional policy statement of this format:
allow dynamic-group <dynamic-group>
to read vaults
in tenancy | compartment <vaults-and-keys-compartment>

where <dynamic-group> is the name of the dynamic group you created and <vaults-and-keys-compartment> is the name of the compartment in which you created your vaults and master encryption keys.

Use Customer-Managed Keys in Oracle Key Vault

Oracle Key Vault (OKV) is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within your enterprise. You integrate your on-premises OKV deployment with Oracle Autonomous Database on Dedicated Exadata Infrastructure to create and manage your own the master keys.

Before you can use customer-managed keys stored in OKV, you must perform a number of preparatory configuration tasks as described in Prepare to Use Oracle Key Vault.

After configuring the customer-managed keys in OKV, you can configure it while provisioning an Autonomous Container Database (ACD) or by rotating the existing encryption key from the Details page of ACD or Autonomous Database. Autonomous Databases provisioned in this ACD will automatically inherit these encryption keys. See Create an Autonomous Container Database or Rotate the Encryption Key of an Autonomous Container Database for more details.