
    How to use Customer-Managed TDE Encryption Keys in Exadata Oracle Cloud



    In the default configuration, “Oracle-Managed Keys”, the TDE master encryption key is stored in a wallet file on the database servers themselves. Oracle now also supports integration with the OCI Vault service, where you can create and control your own TDE master encryption keys, or import existing ones.

    With OCI Vault you manage the Transparent Data Encryption (TDE) master key of your database centrally and keep full control over its lifecycle operations: creation, rotation, disabling, deletion, and so on. That control cuts both ways: a key that is disabled or deleted can no longer be used to open the database's encrypted tablespaces, so treat those operations with the same care as dropping the database.

    Customer-managed keys are also stored in a highly available, managed service where they can be protected by hardware security modules (HSM) certified to Federal Information Processing Standards (FIPS) 140-2 Security Level 3.

    Here are the steps we will follow:

    • Create a Vault and a Key in OCI Vault
    • Create a Dynamic Group and a Policy
    • Allow Access to Oracle Services Network
    • Update the dbaastools to the latest version
    • Use Customer-Managed Keys During Provisioning

    Create a Vault and a Key in OCI Vault

    Before we start using customer-managed keys in Exadata, we first need to create a vault and a master encryption key in OCI Vault.

    • In the OCI console, go to 'Identity and Security' -> 'Vault'
    • Create a vault
    • Create a master encryption key with your choice of protection mode, key algorithm, and key length 

    Here is how the vault looks after creating the master encryption key:

    (screenshot: OCI Vault & Key)

    Create a Dynamic Group and a Policy

    This step might sound familiar if you have set up instance principal authentication before: it requires a dynamic group and a policy in OCI Identity and Access Management (IAM). The same requirement applies here, because the Exadata database uses instance principal authentication to reach the OCI Vault that stores its master encryption key. We therefore create a dynamic group that identifies the Exadata VM Cluster and a policy that grants that group access to the vault and keys in our tenancy.

    • Get the Exadata VM Cluster OCID from the VM Cluster details page.

      (screenshot: Exadata_VM_Cluster_OCID)

    • In the OCI console, go to 'Identity and Security' -> 'Dynamic Groups' -> 'Create Dynamic Group'
    • Create a Dynamic Group whose matching rule names the VM Cluster OCID as the resource.

      (screenshot: Create_dynamic_group)

      The next step is to create a policy for the dynamic group so that the VM Cluster can access the vault and keys in our tenancy. As with dynamic group rules, policy statements can be written to allow access to specific services and resources within a given compartment.

      • In the OCI console, go to 'Identity and Security' -> 'Policies' -> 'Create Policy'
      • Add your policy statement in plain text or use the Policy Builder.

        Allow dynamic-group db-vault to manage keys in tenancy

      This statement grants the group management rights on every key in the tenancy. If your vault lives in its own compartment, scoping the statement to that compartment ("in compartment <name>" instead of "in tenancy") limits what a compromised VM Cluster could reach.
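The dynamic group and policy steps above, scripted with the OCI CLI. This is an added example, not code from the original post: the VM Cluster OCID prefix (ocid1.cloudvmcluster.), the placeholder OCIDs and names, and the extra "manage vaults" statement (the page shows only "manage keys") are assumptions, and the policy is scoped to the vault's compartment rather than the whole tenancy, a least-privilege choice made here. Nothing is created unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the dynamic-group
# matching rule and the IAM policy for an Exadata VM Cluster, then create them
# with the OCI CLI only when APPLY=1. Assumed (not from the page): the OCID
# prefix "ocid1.cloudvmcluster." for a VM Cluster, the placeholder OCIDs and
# names below, and the "manage vaults" statement (the page shows only "manage
# keys"). The policy is scoped to the vault's compartment instead of the whole
# tenancy, a least-privilege choice made here.

ocid_is() {
    # ocid_is <resource-type> <ocid>: succeeds when <ocid> names that resource type
    case "$2" in
        "ocid1.$1."*) return 0 ;;
        *) return 1 ;;
    esac
}

dynamic_group_rule() {
    # Matching rule that admits exactly one VM Cluster, by OCID. A DB-system,
    # compartment or other OCID is rejected rather than silently producing a
    # dynamic group that matches nothing.
    ocid_is cloudvmcluster "$1" || { echo "not a VM Cluster OCID: $1" >&2; return 1; }
    printf "Any {resource.id = '%s'}\n" "$1"
}

policy_statements() {
    # policy_statements <dynamic-group-name> <compartment-name>
    # One statement per line, in OCI policy language.
    printf 'Allow dynamic-group %s to manage keys in compartment %s\n' "$1" "$2"
    printf 'Allow dynamic-group %s to manage vaults in compartment %s\n' "$1" "$2"
}

policy_json() {
    # The same statements as a JSON array, which `oci iam policy create --statements` expects.
    sep=''
    printf '['
    policy_statements "$1" "$2" | while IFS= read -r stmt; do
        printf '%s"%s"' "$sep" "$stmt"
        sep=','
    done
    printf ']\n'
}

# Placeholder values (assumed); override them from the environment.
DG_NAME="${DG_NAME:-db-vault}"
VM_CLUSTER_OCID="${VM_CLUSTER_OCID:-ocid1.cloudvmcluster.oc1.iad.REPLACEME}"
VAULT_COMPARTMENT_OCID="${VAULT_COMPARTMENT_OCID:-ocid1.compartment.oc1..REPLACEME}"
VAULT_COMPARTMENT_NAME="${VAULT_COMPARTMENT_NAME:-vault-compartment}"

plan() {
    # Print what would be created; this is all that runs without APPLY=1.
    echo "Dynamic group '$DG_NAME' matching rule:"
    dynamic_group_rule "$VM_CLUSTER_OCID"
    echo "Policy statements:"
    policy_statements "$DG_NAME" "$VAULT_COMPARTMENT_NAME"
}

apply() {
    # Create the dynamic group, then the policy in the vault's compartment.
    [ "${APPLY:-0}" = "1" ] || { echo "dry run: set APPLY=1 to create the resources" >&2; return 0; }
    oci iam dynamic-group create \
        --name "$DG_NAME" \
        --description "Exadata VM Cluster access to OCI Vault" \
        --matching-rule "$(dynamic_group_rule "$VM_CLUSTER_OCID")"
    oci iam policy create \
        --compartment-id "$VAULT_COMPARTMENT_OCID" \
        --name "${DG_NAME}-policy" \
        --description "TDE master key access for $DG_NAME" \
        --statements "$(policy_json "$DG_NAME" "$VAULT_COMPARTMENT_NAME")"
}

plan
apply
```

The matching rule pins the group to a single VM Cluster OCID, as the page does; a rule on resource.compartment.id would also work but admits every VM Cluster in that compartment, which is usually more than the vault policy should trust.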

    Allow Access to Oracle Services Network

    Configure the security list of the Exadata client subnet to allow egress traffic to the Oracle Services Network, and make sure the subnet's route table has a rule that sends that traffic to a Service Gateway. The OCI Vault endpoints are reached through this path; without it the VM Cluster cannot contact the vault and key operations will not succeed.
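The security-list and route-table changes above, scripted with the OCI CLI. This is an added example, not code from the original post: the region key "iad", the placeholder OCIDs, and the decision to allow only TCP/443 (the Vault endpoints are HTTPS; the page's wording permits a broader rule) are assumptions. Because the CLI's update commands replace the whole rule list they are given, the script fetches the current rules and appends to them instead of overwriting existing access. Nothing is changed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original post: build the security-list
# egress rule and the route rule that let the Exadata client subnet reach the
# Oracle Services Network (where the OCI Vault endpoints live) through a Service
# Gateway, and apply them with the OCI CLI only when APPLY=1. Assumed (not from
# the page): region key "iad", the placeholder OCIDs below, and allowing only
# TCP/443, which is what the Vault HTTPS endpoints use.
# `oci network security-list update` and `oci network route-table update`
# REPLACE the whole rule list they are given, so the existing rules are fetched
# and the new rule appended rather than overwriting them.

osn_label() {
    # Service CIDR label for "All <region> Services In Oracle Services Network".
    printf 'all-%s-services-in-oracle-services-network' "$1"
}

egress_rule_json() {
    # Stateful egress rule: TCP 443 to the OSN service CIDR label for region $1.
    printf '{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","protocol":"6","isStateless":false,"tcpOptions":{"destinationPortRange":{"min":443,"max":443}}}' "$(osn_label "$1")"
}

route_rule_json() {
    # route_rule_json <region-key> <service-gateway-ocid>: send OSN traffic to the gateway.
    printf '{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","networkEntityId":"%s"}' "$(osn_label "$1")" "$2"
}

append_json_array() {
    # append_json_array '<json array>' '<json element>': the array with the element
    # appended. Handles an empty "[]" so a fresh list does not get a stray comma.
    body="${1#\[}"
    body="${body%\]}"
    body=$(printf '%s' "$body" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ -z "$body" ]; then
        printf '[%s]' "$2"
    else
        printf '[%s,%s]' "$body" "$2"
    fi
}

# Placeholder values (assumed); override them from the environment.
REGION_KEY="${REGION_KEY:-iad}"
SECURITY_LIST_OCID="${SECURITY_LIST_OCID:-ocid1.securitylist.oc1.iad.REPLACEME}"
ROUTE_TABLE_OCID="${ROUTE_TABLE_OCID:-ocid1.routetable.oc1.iad.REPLACEME}"
SERVICE_GATEWAY_OCID="${SERVICE_GATEWAY_OCID:-ocid1.servicegateway.oc1.iad.REPLACEME}"

apply() {
    # Merge the new rules into the current lists, then write them back (--force skips the prompt).
    [ "${APPLY:-0}" = "1" ] || { echo "dry run: set APPLY=1 to update the security list and route table" >&2; return 0; }
    current_egress=$(oci network security-list get --security-list-id "$SECURITY_LIST_OCID" --query 'data."egress-security-rules"')
    oci network security-list update --security-list-id "$SECURITY_LIST_OCID" --force \
        --egress-security-rules "$(append_json_array "$current_egress" "$(egress_rule_json "$REGION_KEY")")"
    current_routes=$(oci network route-table get --rt-id "$ROUTE_TABLE_OCID" --query 'data."route-rules"')
    oci network route-table update --rt-id "$ROUTE_TABLE_OCID" --force \
        --route-rules "$(append_json_array "$current_routes" "$(route_rule_json "$REGION_KEY" "$SERVICE_GATEWAY_OCID")")"
}

echo "Egress rule:"; egress_rule_json "$REGION_KEY"; echo
echo "Route rule:";  route_rule_json "$REGION_KEY" "$SERVICE_GATEWAY_OCID"; echo
apply
```

The Service Gateway itself must have the "All <region> Services In Oracle Services Network" service enabled for the route rule to carry the traffic; this script assumes that gateway already exists.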

    Update the dbaastools to the latest version

    Log in to the Exadata virtual machine, switch to root, and run the following commands to update the dbaastools to the latest version:

    sudo -s
    rpm -qa | grep dbaas              # currently installed dbaastools package

    dbaascli patch tools list         # patches available for the tooling

    dbaascli patch tools apply --patchid LATEST   # apply the newest one

    Run the first command again afterwards to confirm the package version changed.

    Creating a new Database

    To use customer-managed keys for a new database, scroll down to Advanced Options, open the “Encryption” tab, choose “Use customer-managed keys”, and select the Vault and the Key you created earlier. Once the database is up, query V$ENCRYPTION_WALLET and check that the keystore type reported is the OCI Vault (HSM) keystore rather than a local FILE wallet; that is the confirmation that the master key really lives in the vault.
