Rotate Encryption Keys

You can rotate the master encryption keys associated with an Autonomous Database on Dedicated Exadata Infrastructure using the Oracle Cloud Infrastructure Console.

Rotate the Encryption Key of an Autonomous Container Database

Required IAM Policies

manage autonomous-container-databases

Procedure

  1. Go to the Details page of the Autonomous Container Database whose encryption key you want to rotate.

    For instructions, see View Details of an Autonomous Container Database.

  2. Click Rotate Encryption Key.
  3. (Optional) To use a customer encryption key (BYOK), select Rotate using the customer-provided key (BYOK). BYOK is supported in Oracle Public Cloud only. Enter the OCID of the imported customer encryption key in Key Version OCID. The Key Version OCID that you enter should be associated with the current encryption key of the Autonomous Container Database.
  4. Click Rotate Encryption Key.
The Autonomous Container Database goes to the Updating status, the encryption key is rotated, and the Autonomous Container Database goes back to the Active status. How the encryption key is rotated depends on whether it is Oracle-managed or customer-managed:
  • Oracle-managed key: Autonomous Database rotates the encryption key, storing the new value in the secure key store on the Exadata system where the Autonomous Container Database resides.
  • Customer-managed key: Autonomous Database uses the underlying key management service (Oracle Cloud Infrastructure Vault for Autonomous Container Databases on Oracle Public Cloud, or Oracle Key Vault (OKV) for Autonomous Container Databases on either Oracle Public Cloud or Exadata Cloud@Customer) to rotate the key, stores the new value as a new version of the key in that service, and then associates this new version with the Autonomous Container Database.

    You can view the latest Key Version OCID and the entire Key History from your Autonomous Container Database details page.

    Note

    In the case of cross-region Data Guard with customer-managed keys, the replicated vault used by the standby is read-only. So, after the standby assumes the primary role through a failover, you cannot rotate the key.

Rotate the Encryption Key of an Autonomous Database

You rotate the encryption key of an Autonomous Database from its Details page.

  1. Go to the Details page of the Autonomous Database whose encryption key you want to rotate.

    For instructions, see View Details of a Dedicated Autonomous Database.

  2. Click More Actions and then click Rotate Encryption Key.

  3. (Optional) To use a customer encryption key (BYOK), select Rotate using the customer-provided key (BYOK). BYOK is supported in Oracle Public Cloud only. Enter the OCID of the imported customer encryption key in Key Version OCID. The Key Version OCID that you enter should be associated with the current encryption key of the Autonomous Database.
  4. Click Rotate Encryption Key.
The Autonomous Database goes to the Updating status, the encryption key is rotated, and the Autonomous Database goes back to the Active status. How the encryption key is rotated depends on whether it is Oracle-managed or customer-managed:
  • Oracle-managed key: Autonomous Database rotates the encryption key, storing the new value in the secure key store on the Exadata system where the Autonomous Database resides.
  • Customer-managed key: Autonomous Database uses the underlying key management service (Oracle Cloud Infrastructure Vault for Autonomous Container Databases on Oracle Public Cloud, or Oracle Key Vault (OKV) for Autonomous Container Databases on either Oracle Public Cloud or Exadata Cloud@Customer) to rotate the key, stores the new value as a new version of the key in that service, and then associates this new version with the Autonomous Database.

    You can view the latest Key Version OCID and the entire Key History from your Autonomous Database details page.

    Note

    In the case of cross-region Data Guard with customer-managed keys, the replicated vault used by the standby is read-only. So, after the standby assumes the primary role through a failover, you cannot rotate the key.
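As an added pre-flight check for the BYOK step (step 3) in both procedures above, and not part of Oracle's documentation or tooling: both procedures require that the Key Version OCID be associated with the current encryption key, and a mistyped, foreign or disabled version is cheaper to catch before the rotation puts the database into the Updating status. The version listing, its shape, and every OCID below are constructed assumptions for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ocid:
    """Documented OCID layout: ocid1.<type>.<realm>.[region].<remaining ids>."""
    resource_type: str
    realm: str
    region: str
    unique: str

def parse_ocid(text: str) -> Ocid:
    parts = text.split(".")
    if len(parts) < 5 or parts[0] != "ocid1":
        raise ValueError(f"not a well-formed OCID: {text!r}")
    return Ocid(parts[1], parts[2], parts[3], ".".join(parts[4:]))

def validate_rotation_input(current_key_ocid, key_version_ocid, versions):
    """Return (ok, reason). `versions` maps a key-version OCID to
    (owning key OCID, lifecycle state); a hypothetical shape standing in
    for what a Vault key-version listing would provide."""
    key = parse_ocid(current_key_ocid)
    ver = parse_ocid(key_version_ocid)
    if key.resource_type != "key":
        return False, "current key OCID is not a key OCID"
    if ver.resource_type != "keyversion":
        return False, "Key Version OCID field needs a keyversion OCID, not a key OCID"
    if (ver.realm, ver.region) != (key.realm, key.region):
        return False, "key version is in a different realm/region than the current key"
    if key_version_ocid not in versions:
        return False, "key version is not listed under the current key"
    owner, state = versions[key_version_ocid]
    if owner != current_key_ocid:
        return False, "key version belongs to a different key"
    if state != "ENABLED":
        return False, f"key version is {state}, not ENABLED"
    return True, "key version is associated with the current key"

# Constructed sample data (not real OCIDs): the database's current key and
# three versions from a hypothetical version listing.
CURRENT_KEY = "ocid1.key.oc1.phx.examplevault.examplekey1"
VERSIONS = {
    "ocid1.keyversion.oc1.phx.examplevault.examplekey1.v1": (CURRENT_KEY, "DISABLED"),
    "ocid1.keyversion.oc1.phx.examplevault.examplekey1.v2": (CURRENT_KEY, "ENABLED"),
    "ocid1.keyversion.oc1.phx.examplevault.examplekey2.v1":
        ("ocid1.key.oc1.phx.examplevault.examplekey2", "ENABLED"),
}

if __name__ == "__main__":
    for v in VERSIONS:  # only the ENABLED version of examplekey1 passes
        print(v, validate_rotation_input(CURRENT_KEY, v, VERSIONS))
```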