Announcing Customer-Managed Encryption Keys for Oracle Exadata Cloud Service

Oracle Exadata Cloud Service (ExaCS) uses Oracle Transparent Data Encryption (TDE) to protect data at rest for its databases. TDE is a two-tier key architecture comprising of data encryption and master encryption keys. The data encryption keys protect table and tablespaces but are wrapped by a single database master encryption key. The master key is separated from encrypted data and are stored outside of the database. Currently, the TDE master key is Oracle-Managed and stored in an Oracle Wallet, a PKCS#12 standard-based key storage file.

We are excited to announce the general availability of ExaCS integration with Oracle Cloud Infrastructure (OCI) Vault service. You now have the control to create and manage TDE master keys that protect your Exadata database, where all network connections between your databases and OCI Vault are encrypted and mutually authenticated using SSL/TLS.

What are the benefits of Vault?

- You centrally control and manage your TDE master keys.

- Your keys are stored in a highly available, durable and managed service.  

- Your keys can be protected by hardware security modules (HSM) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification.

- You can rotate your keys and audit their cryptographic operations to meet compliance and regulatory needs.

In order to use customer managed keys with Exadata database, you should first access the Vault service and create encryption keys. The encryption key algorithm you use must be AES-256. Next, you should ensure the required IAM policy is set for you to manage keys in Vault. Once these prerequisite steps are complete, you can create Exadata database protected by customer managed keys. Only databases after Oracle Database 11g release 2 (11.2.0.4) are supported.

How to use customer-managed keys for ExaCS in OCI console?

Creation of Database:

Creation of Exadata database has a new encryption field under Show Advanced options called customer-managed keys. Once selected, you can then choose the Vault and encryption keys you control as your TDE master key. It’s that simple. The default encryption option is Oracle-Managed. Once the database is created, you can check whether it was protected with Oracle or Customer-managed in the Database details page.

The below image shows an example of selecting customer-managed keys and the database details page.

Migration from Oracle-Managed to Customer-Managed:

If your Exadata database is already using Oracle-Managed encryption, then no worries. You can easily migrate it to Customer-Managed and vice versa.  Use the Change Key Management Type operation to choose the Vault and encryption keys you desire to migrate the database to customer-managed encryption. Migration of keys will require a short period of unavailability to your databases, so please exercise caution before you execute this operation.

The below image shows an example of Administrator Encryption Key page to perform the migration of encryption keys

Address Compliance:

You can rotate customer-managed keys on-demand to address your compliance goals, like managing Payment Card Industry (PCI) DSS. Security is further enabled by limiting the amount of information protected by a specific key. In order to ensure that your Exadata database uses the most current versions of the Vault’s encryption key, key rotation is supported only on the Exadata database console or APIs. Do not use the Vault service.

The below image shows an example of Administrator Encryption Key page to perform the rotation of encryption keys.

Source: oracle.com