Updating the Master Encryption Key Assigned to a Queue
Update a queue to use your own encryption key. You can use a different encryption key for each queue.
By default, all encryption-related matters are handled by Oracle, but you can manage your own encryption keys using OCI Vault. Vault allows you to bring your own Advanced Encryption Standard (AES) symmetric keys and manage, rotate, disable, and delete them as needed. For more information, see Overview of Vault and Managing Keys.
To use your own encryption key, first ensure that you have the required IAM policies and import your key.
Policy for Encryption Keys
To use your own encryption key, you must let the Queue service use a Vault key to encrypt data in queues. For example:
allow service queue to use keys in compartment ABC where target.key.id = '<key_OCID>'
If you're new to policies, see Managing Identity Domains and Common Policies. If you want to dig deeper into writing policies for the Queue service, see Queue Policies.
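A least-privilege check for the policy statement above, as an added example that is not part of Oracle's documentation: it parses `allow service queue ...` statements and reports grants that are wider than the one shown on this page. The function name, the sample statements and the sample OCID are constructed for illustration, and only the simple statement shape used on this page is handled.

```python
import re

# Covers only the statement shape used on this page:
# allow service <name> to <verb> <resource> in <scope> [where <condition>]
STATEMENT = re.compile(
    r"^allow\s+service\s+(?P<service>[\w-]+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
KEY_PIN = re.compile(r"target\.key\.id\s*=\s*'(?P<ocid>[^']*)'", re.IGNORECASE)


def audit_queue_key_policy(statement):
    """Return least-privilege findings; an empty list means the statement
    is scoped like the page's example (one compartment, one key, 'use')."""
    m = STATEMENT.match(statement.strip())
    if not m:
        return ["not an 'allow service ...' statement this check understands"]
    if m["service"].lower() != "queue" or m["resource"].lower() != "keys":
        return ["statement does not grant the Queue service access to keys"]
    findings = []
    if m["verb"].lower() == "manage":
        findings.append("verb 'manage' is broader than the 'use' the page grants")
    if m["scope"].lower() == "tenancy":
        findings.append("scope is the whole tenancy, not one compartment")
    pin = KEY_PIN.search(m["cond"] or "")
    if pin is None:
        findings.append("no target.key.id condition: every key in scope is usable")
    elif not pin["ocid"].startswith("ocid1.key."):
        findings.append("target.key.id is not a key OCID (placeholder left in?)")
    return findings


# Constructed sample statements; the OCID below is made up for illustration.
SAMPLES = [
    "allow service queue to use keys in compartment ABC "
    "where target.key.id = 'ocid1.key.oc1.iad.exampleuniqueid'",
    "allow service queue to use keys in compartment ABC",
    "allow service queue to manage keys in tenancy",
    "allow service queue to use keys in compartment ABC "
    "where target.key.id = '<key_OCID>'",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit_queue_key_policy(s) or "OK")
```

Run it over the statements exported from a policy before attaching a customer-managed key to a queue; a non-empty result names the part of the grant to tighten.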
- On the Queues list page, find the queue that you want to work with. If you need help finding the list page or the queue, see Listing Queues.
- From the Actions menu for the queue, select Configure queue.
- In the Configure queue panel, verify or change the encryption settings:
  - Oracle-managed key: Select this option to leave all encryption-related matters to Oracle.
  - Customer-managed key: Select this option to encrypt the queue using a key of your own that's stored in OCI Vault. This lets you rotate, disable, and delete it as needed. After selecting this option, choose the vault that contains the key, and the key itself.
- Click Save changes.
Use the oci queue queue-admin queue update command and required parameters to edit a queue's encryption settings:
oci queue queue-admin queue update --queue-id <queue_OCID>
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
Use the UpdateQueue operation to update a queue's encryption settings.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.