Switching from Oracle-Managed to Customer-Managed Keys in Autonomous Database Serverless

Mitu Manuela
Published in Oracle Developers, May 31, 2024

Oracle Autonomous Database Serverless offers the flexibility to utilize Oracle-managed encryption keys or Customer-managed encryption keys. This article guides you through the process of transitioning from Oracle-managed keys to customer-managed keys, empowering you to manage your own encryption keys within Oracle Cloud Infrastructure Vault.

Whether you’re seeking increased security measures or require stricter compliance adherence, this step-by-step approach will show how to switch key management strategies for Autonomous Database Serverless.

It is assumed that there is already an OCI Vault in your tenancy. If not, follow the steps in Managing Vaults to create one.

In Steps 1 through 4, you will 1) create a Master Encryption Key in the Vault, then 2) create a dynamic group, 3) create policy statements for the dynamic group to enable access to Oracle Cloud Infrastructure resources (Vaults and Keys), and 4) switch from Oracle-Managed to Customer-Managed Keys in Autonomous Database.

My ATP instance is currently using an Oracle-Managed key.

Step 1: Create new Master Encryption Key in the Vault

a. Open the Oracle Cloud Infrastructure Console by clicking the menu next to Oracle Cloud.
b. From the Oracle Cloud Infrastructure left navigation menu click Identity and Security.
c. Under Key Management & Secret Management click Vault.
d. Select a Vault.
e. Create a Master Encryption Key in the Vault.

Step 2: Create a dynamic group

a. In the Oracle Cloud Infrastructure console click Identity & Security.
b. Under Identity click Domains and select an identity domain.
c. Under Identity domain, click Dynamic groups.
d. Click Create dynamic group and enter a Name, a Description, and a Rule.
The dynamic group below includes only the Autonomous Database whose OCID is specified in the resource.id parameter:
resource.id = '<your_Autonomous_Database_instance_OCID>'
e. Click Create.

Step 3: Create policy statements for the dynamic group to enable access to Oracle Cloud Infrastructure resources (Vaults and Keys)

a. In the Oracle Cloud Infrastructure console click Identity & Security and click Policies.
b. To write policies for a dynamic group, click Create Policy, and enter a Name and a Description.
c. Use the Policy Builder to create a policy for vault and keys in the local tenancy.
The following policy allows the members of dynamic group DGVault to access the vaults and keys in the compartment named Shared_S:

Allow dynamic-group <your_domain>/DGVault to use vaults in compartment Shared_S
Allow dynamic-group <your_domain>/DGVault to use keys in compartment Shared_S

Step 4: Switching from Oracle-Managed to Customer-Managed Keys in Autonomous Database

a. Go to More actions and select Manage encryption key.
b. Select Encrypt using a customer-managed key in this tenancy and provide the Vault and the Master encryption key to be used.
c. Click Save.
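The same four steps driven from the OCI CLI, as an added example that is not part of the original article. It assumes a configured `oci` CLI, that the vault's management endpoint, the compartment, vault and Autonomous Database OCIDs are supplied in the variables at the top (all placeholders), and that the dynamic group lives in the Default identity domain; with the default DRY_RUN=1 it only prints the commands, and it refuses to continue if the dynamic group rule is not pinned to a single Autonomous Database OCID.

```shell
#!/bin/sh
# Added example (not from the article): the four console steps driven from the OCI CLI.
# Every OCID and the vault endpoint below is a placeholder you must replace (assumption).
set -eu

VAULT_COMPARTMENT_OCID="${VAULT_COMPARTMENT_OCID:-ocid1.compartment.oc1..REPLACE_ME}"  # compartment Shared_S
VAULT_OCID="${VAULT_OCID:-ocid1.vault.oc1.REGION.REPLACE_ME}"
VAULT_MGMT_ENDPOINT="${VAULT_MGMT_ENDPOINT:-https://REPLACE_ME-management.kms.REGION.oraclecloud.com}"
ADB_OCID="${ADB_OCID:-ocid1.autonomousdatabase.oc1.REGION.REPLACE_ME}"
DOMAIN="${DOMAIN:-Default}"   # identity domain that owns the dynamic group
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the commands only; 0 = execute them

# Step 2: the article's rule, pinned to exactly one Autonomous Database OCID.
dg_rule() { printf "resource.id = '%s'" "$1"; }

# Guard: reject any rule that is not pinned to one ADB OCID (a compartment-wide match
# would let every resource in that compartment use the vault and its keys).
check_rule_scope() {
  case "$1" in
    "resource.id = 'ocid1.autonomousdatabase."*"'") return 0 ;;
    *) return 1 ;;
  esac
}

# Step 3: least-privilege statements, 'use' (not 'manage') on vaults and keys in one compartment.
policy_statements() {
  printf '["Allow dynamic-group %s/DGVault to use vaults in compartment %s","Allow dynamic-group %s/DGVault to use keys in compartment %s"]' "$1" "$2" "$1" "$2"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

main() {
  RULE=$(dg_rule "$ADB_OCID")
  check_rule_scope "$RULE" || { echo "refusing: dynamic group rule is not pinned to one ADB" >&2; exit 1; }
  # Step 1: AES-256 master encryption key; key management goes to the vault's management endpoint.
  KEY_OCID="ocid1.key.oc1.REGION.REPLACE_ME"   # placeholder; a live run reads the real OCID back
  set -- oci kms management key create --endpoint "$VAULT_MGMT_ENDPOINT" --compartment-id "$VAULT_COMPARTMENT_OCID" \
         --display-name adb-mek --key-shape '{"algorithm":"AES","length":32}'
  if [ "$DRY_RUN" = 1 ]; then run "$@"; else KEY_OCID=$("$@" --query 'data.id' --raw-output); fi
  # Step 2 (Default domain assumed; other identity domains use the 'oci identity-domains' commands).
  run oci iam dynamic-group create --name DGVault --description "ADB allowed to use the vault" --matching-rule "$RULE"
  # Step 3: the policy is attached to the Shared_S compartment so its statements can reference it.
  run oci iam policy create --compartment-id "$VAULT_COMPARTMENT_OCID" --name ADB-Vault-Access \
      --description "DGVault may use vaults and keys" --statements "$(policy_statements "$DOMAIN" Shared_S)"
  # Step 4: point the Autonomous Database at the customer-managed key (the switch itself).
  run oci db autonomous-database update --autonomous-database-id "$ADB_OCID" --vault-id "$VAULT_OCID" --kms-key-id "$KEY_OCID"
}
main
```

Run with DRY_RUN=0 only after reviewing the printed commands; the key OCID is then read back from the create call instead of the placeholder.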

By following these steps, you’ve successfully transitioned your Autonomous Database from Oracle-managed encryption keys to Customer-managed keys. This approach grants you greater control over your encryption strategy and aligns with specific compliance requirements. Remember to adhere to best practices for key management, such as regular rotation and secure storage within Vault.

Opinions expressed here are my own & do not express the views or opinions of my employer