Prerequisites

Before configuring your Oracle AI Database@AWS environment, you need to understand the prerequisites for your chosen encryption method.

Oracle AI Database@AWS provides two main approaches for Transparent Data Encryption (TDE):
  1. Oracle-managed Key (OMK)
    • Oracle Wallet
  2. Customer-managed Key (CMK)
    • OCI Vault
    • Oracle Key Vault (OKV)
    • AWS Key Management Service (KMS)

This section explains the required prerequisites to configure your Oracle AI Database@AWS.

  • Oracle-managed keys are the default method for securing data encryption in Oracle AI Database@AWS. In Oracle AI Database, data encryption at rest is managed by Transparent Data Encryption. When you use Oracle-managed keys, the database system automatically handles all key management tasks, including key generation, secure storage, and rotation required by TDE. There are no prerequisites or additional configuration steps required to use Oracle-managed keys with Oracle AI Database@AWS.

  • Prerequisites to Use Customer-Managed Keys on Oracle AI Database@AWS with OCI Vault

    Using customer-managed encryption keys on Oracle AI Database@AWS with Oracle Cloud Infrastructure Vault (OCI Vault) involves creating a master key in OCI Vault and configuring your database to use encryption keys in OCI Vault.

    Complete the following prerequisites:

    1. Create an OCI Vault
      1. From the OCI Console, select Identity and Security. Under Key Management, select Vault.
      2. Select the Create Vault button.
        1. Select a compartment.
        2. Enter a name for the vault.
        3. Enable the Make it a virtual private vault toggle to create a dedicated partition in a hardware security module (HSM), if required.
          Note: You cannot change the vault type after you create the vault.
        4. The Tags section is optional.
        5. Select the Create Vault button.
        Note: We recommend creating the vault in a compartment dedicated to customer-managed keys, as described in Before You Begin: Compartment Hierarchy Best Practice. For more information, see Creating a Vault.
      This screenshot shows how to create a vault.
    2. Create a Master Encryption Key in the Vault
      1. From the Vault menu, select the vault that you created previously.
      2. Select the Master Encryption Keys tab, then select the Create Key button.
        1. Choose a compartment.
        2. Select the protection mode from the dropdown list:
          • HSM: Creates a master encryption key that is stored and processed on an HSM.
          • Software: Creates a master encryption key that is stored in a software file system in the Vault service. Software-protected keys are protected at rest using an HSM-based root key. You can export software keys to other key management devices or to a different OCI region. Software-protected keys do not incur cost.
        3. Enter a key name.
        4. From the Key Shape: Algorithm dropdown list, select AES (Symmetric key used for Encrypt and Decrypt).
        5. From the Key Shape: Length dropdown list, select 256 bits.
        Note: We recommend creating a separate master encryption key for each container database (CDB). This approach simplifies key rotation management.

        For more information, see Creating a Master Encryption Key and Overview of Key Management.

      This screenshot shows how to create a key.
    3. Configure a Service Gateway, Route Rule, and Egress Security Rule

      To enable communication between OCI Vault and Oracle AI Database@AWS, configure a Service Gateway, update the Route table(s), and configure the required security list permissions.

      1. From the OCI Console, navigate to the Virtual Cloud Network (VCN) associated with your Oracle AI Database@AWS database.
      2. Select the Gateways tab. In the Service Gateways section, select the Create Service Gateway button.
        1. Enter a descriptive name for the service gateway.
        2. For Services, select the All IAD Services in Oracle Services Network option.
        3. Review your information, and then select the Create Service Gateway to create your service gateway.
        This screenshot shows how to create a Service Gateway.
      3. Select the Routing tab, then select your default route table.
      4. Select the Route Rules tab, then select the Add Route Rules button.
        1. Set Target Type to Service Gateway.
        2. Set Destination Service to All IAD Services in Oracle Services Network.
        3. In the Target Service Gateway compartment field, select the compartment that contains the service gateway.
        4. In the Target Service Gateway field, select the service gateway that you created previously.
        5. Review your information, and then select the Add Route Rules button.
        This screenshot shows how to create route rules.
      5. From the Virtual Cloud Network (VCN) that is associated with your Oracle AI Database@AWS database, select the Security tab.
      6. In the Security List section, select the default security list.
      7. Select the Security Rules tab, then select the Add Egress Rules button.
        1. Set Stateless to No.
        2. Set Destination Type to Service.
        3. Set Destination Service to All IAD Services in Oracle Services Network.
        4. Set IP Protocol to TCP.
        5. Set Source Port Range to All.
        6. Set Destination Port Range to 443.
        7. Select the Add Egress Rules button.
        This screenshot shows how to add Egress Rules.
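    The three OCI-side steps above (vault, master encryption key, and the service gateway with its route rule and egress rule) expressed as Terraform for the OCI provider. This is an added example, not code from the Oracle documentation; the variable names (kms_compartment_ocid, vcn_compartment_ocid, vcn_ocid, default_rt_ocid, default_sl_ocid) are assumptions, and the service name is resolved by regex because the console label "All IAD Services in Oracle Services Network" carries the region code of the VCN's region.

```hcl
# Added example (not Oracle's). Assumed vars: kms_compartment_ocid, vcn_compartment_ocid, vcn_ocid, default_rt_ocid, default_sl_ocid.
resource "oci_kms_vault" "tde" {
  compartment_id = var.kms_compartment_ocid   # compartment dedicated to CMKs
  vault_type     = "VIRTUAL_PRIVATE"          # fixed at creation; else "DEFAULT"
}
# One master encryption key per CDB keeps rotation independent per database.
resource "oci_kms_key" "cdb1_mek" {
  compartment_id      = var.kms_compartment_ocid
  management_endpoint = oci_kms_vault.tde.management_endpoint
  protection_mode     = "HSM"                 # or "SOFTWARE"
  key_shape {
    algorithm = "AES"
    length    = 32                            # bytes, i.e. AES-256
  }
}
# Resolve "All <REGION> Services In Oracle Services Network" (IAD = Ashburn) by regex.
data "oci_core_services" "osn" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}
resource "oci_core_service_gateway" "vault" {
  compartment_id = var.vcn_compartment_ocid
  vcn_id         = var.vcn_ocid
  services { service_id = data.oci_core_services.osn.services[0].id }
}
# Default route table and security list are managed whole: list every rule to keep.
resource "oci_core_default_route_table" "db" {
  manage_default_resource_id = var.default_rt_ocid
  route_rules {
    destination       = data.oci_core_services.osn.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.vault.id
  }
}
resource "oci_core_default_security_list" "db" {
  manage_default_resource_id = var.default_sl_ocid
  egress_security_rules {                     # stateful TCP to OSN, port 443 only
    protocol         = "6"
    destination      = data.oci_core_services.osn.services[0].cidr_block
    destination_type = "SERVICE_CIDR_BLOCK"
    stateless        = false
    tcp_options {                             # no source_port_range = all source ports
      min = 443
      max = 443
    }
  }
}
```

    Because the two default-resource blocks replace the full rule sets of the default route table and security list, run terraform plan first and carry over any existing rules the database subnet still needs.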
  • There is currently no content for this page. The Oracle AI Database@AWS team intends to add content here, and this placeholder text is provided until that text is added.

    The Oracle AI Database@AWS team is excited about future new features, enhancements, and fixes to this product and this accompanying documentation. We strongly recommend you watch this page for those updates.

  • There are no prerequisites or additional configuration steps required to use AWS Key Management Service (KMS) with Oracle AI Database@AWS.