
Introduction
Oracle Databases in Oracle Cloud use Transparent Data Encryption (TDE) by default to protect data at rest. The default configuration, “Oracle-Managed Keys”, stores the master encryption keys in a wallet file locally on the database servers. Oracle now also supports integration with the OCI Vault service for VM DB Systems, so you can create and control your own TDE master encryption keys or import existing ones.
OCI Vault provides a highly available, durable, and managed service to create and control all your keys from a central location.
Do not confuse OCI Vault with Oracle Key Vault (OKV):
- OCI Vault: a cloud service to manage encryption keys.
- Oracle Key Vault (OKV): a full-stack software appliance to manage encryption keys (and much more).
This blog post shows how to change the key management for an existing database from Oracle-managed keys (local wallet file) to customer-managed keys (OCI Vault).
The Environment
- VM DB System on Oracle Cloud running Oracle Database version 19.15 using the multitenant architecture.
Preparation
Step 1: Create a Vault and an Encryption Key
From the Cloud Console, search for “Vault” and click on the “Vault” service in “Identity & Security”. Click on “Create Vault”, provide a name for your Vault, and create the Vault. When the Vault becomes active, click on “Create Key”, provide a name for your key, and choose AES 256 bits:

Create the key. The key will be available within a few seconds.
Step 2: Allow your VM DB System resource to access the keys in the OCI Vault
Get the VM DB System OCID from the details page:

Create a Dynamic Group providing the VM DB System OCID as a resource:
Any { resource.id = 'ocid1.dbsystem.oc1.eu-frankfurt-1.antheljrvh2pp2iae7cy6jdr6ag4kqhzj4uxsx5afjliolgkrpnwpv5jonbq' }
VERY IMPORTANT: use “resource.id” and not “instance.id”, as “instance.id” refers to IaaS compute instances, not to VM DB Systems!
Unfortunately, the Rule Builder does not provide this option:

So you need to type “resource.id” manually.
Alternatively, use “resource.compartment.id” (NOT “instance.compartment.id”) to include all resources (e.g. VM DB Systems and ExaCS VM Clusters) in a specific compartment.
Create a Policy to allow the members of the Dynamic Group to access the keys in OCI Vault.
Allow dynamic-group SecurityAdmins to read vaults in tenancy
Allow dynamic-group SecurityAdmins to manage keys in tenancy
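To catch the resource.id / instance.id mistake before the dynamic group is saved, here is an added Python check (it is not part of the original post and not an Oracle tool) that validates a single-condition matching rule: it accepts only resource.id or resource.compartment.id and confirms that the OCID's resource type fits the chosen attribute. The sample rules in the block are constructed; the DB system OCID is the one shown above.

```python
import re

# Attributes that match VM DB Systems (and ExaCS VM Clusters) in a dynamic group.
# "instance.id" / "instance.compartment.id" match IaaS compute instances only.
VALID_ATTRIBUTES = {"resource.id", "resource.compartment.id"}

# Single-condition rule: Any { <attribute> = '<ocid>' }
RULE_RE = re.compile(r"^\s*(Any|All)\s*\{\s*([A-Za-z.]+)\s*=\s*'([^']+)'\s*\}\s*$")


def check_matching_rule(rule: str) -> list:
    """Return a list of problems with the rule; an empty list means it looks right."""
    m = RULE_RE.match(rule)
    if not m:
        return ["rule is not of the form Any { <attribute> = '<ocid>' }"]
    _, attribute, ocid = m.groups()
    attribute = attribute.lower()
    problems = []
    if attribute not in VALID_ATTRIBUTES:
        problems.append(
            f"attribute {attribute!r} does not match VM DB Systems; "
            "use resource.id or resource.compartment.id"
        )
    # OCID layout: ocid1.<resource type>.<realm>.<region, may be empty>.<unique id ...>
    parts = ocid.split(".")
    if len(parts) < 5 or parts[0] != "ocid1":
        problems.append(f"{ocid!r} is not a well-formed OCID")
        return problems
    resource_type = parts[1]
    if attribute == "resource.id" and resource_type != "dbsystem":
        problems.append(f"resource.id points at a {resource_type}, not a dbsystem")
    if attribute == "resource.compartment.id" and resource_type not in ("compartment", "tenancy"):
        problems.append(f"resource.compartment.id points at a {resource_type}, not a compartment")
    return problems


if __name__ == "__main__":
    # Constructed samples: the first OCID is the DB system from this post, the last one is a placeholder.
    samples = [
        "Any { resource.id = 'ocid1.dbsystem.oc1.eu-frankfurt-1.antheljrvh2pp2iae7cy6jdr6ag4kqhzj4uxsx5afjliolgkrpnwpv5jonbq' }",
        "Any { instance.id = 'ocid1.dbsystem.oc1.eu-frankfurt-1.antheljrvh2pp2iae7cy6jdr6ag4kqhzj4uxsx5afjliolgkrpnwpv5jonbq' }",
        "Any { resource.compartment.id = 'ocid1.compartment.oc1..aaaaexampleplaceholder' }",
    ]
    for s in samples:
        print(s, "->", check_matching_rule(s) or "OK")
```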
Step 3: Allow Access to Oracle Services Network
Configure the security list of your VM DB System subnet to allow egress traffic to Oracle Services Network. The subnet's route table must contain a rule that forwards that traffic to Oracle Services Network through a Service Gateway.
Change the Key Management Type for an existing Database
Before the Change
Before we change the key management type, let’s have a look at the current configuration while the database still uses Oracle-managed keys (local wallet file):
-- formatting
set lines 300
set pages 100
col name for a20
col wrl_type for a10
col status for a20
col wallet_order for a15
col key_id for a60
col keystore_type for a20
col origin for a20
col encryptionalg for a15
col encryptedts for a15
col inst_id for 999
col value for a60
-- status of the wallet and the wallet location
SQL> select p.con_id, p.name, p.open_mode, ew.wrl_type, ew.wallet_type, ew.status, ew.wallet_order
from v$pdbs p join v$encryption_wallet ew on (ew.con_id = p.con_id)
order by p.con_id;
CON_ID NAME OPEN_MODE WRL_TYPE WALLET_TYPE STATUS WALLET_ORDER
---------- -------------------- ---------- ---------- -------------------- --------------- ---------------
2 PDB$SEED READ ONLY FILE AUTOLOGIN OPEN SINGLE
3 PDB001 READ WRITE FILE AUTOLOGIN OPEN SINGLE
Changing the Key Management Type to use Customer-Managed Keys
From the database details page, click on “More Actions”, then “Manage Encryption Key”:

Select “Use customer-managed keys”, and select the Vault and the Key you created previously. Provide the TDE wallet password, and click Save changes:

The database goes into the “Updating” status in the UI until the operation completes.
Meanwhile, if you are curious, you can monitor the database alert log in the background:
tail -f /u01/app/oracle/diag/rdbms/cdb01_fra1pg/CDB01/trace/alert_CDB01.log
The conversion to customer-managed keys takes about 15 minutes in total. Changing key management makes the database unavailable during that time, as all database instances are restarted. After the operation completes successfully, the UI takes a few more seconds to reflect the change:

After the Change
Now, let’s have a look at the new TDE configuration and see what has been changed:
-- status of the wallet and the wallet location
SQL> select p.con_id, p.name, p.open_mode, ew.wrl_type, ew.wallet_type, ew.status, ew.wallet_order
from v$pdbs p join v$encryption_wallet ew on (ew.con_id = p.con_id)
order by p.con_id;
CON_ID NAME OPEN_MODE WRL_TYPE WALLET_TYPE STATUS WALLET_ORDER
---------- -------------------- ---------- ---------- -------------------- ------------------------------ ---------------
2 PDB$SEED READ ONLY FILE AUTOLOGIN OPEN_NO_MASTER_KEY SINGLE
2 PDB$SEED READ ONLY OKV OKV OPEN SINGLE
3 PDB001 READ WRITE FILE AUTOLOGIN OPEN_NO_MASTER_KEY SECONDARY
3 PDB001 READ WRITE OKV OKV OPEN PRIMARY
Now each container has an additional record showing “OKV” as the primary wallet, and the local wallet file has become a secondary wallet with status OPEN_NO_MASTER_KEY.
Note: even though v$encryption_wallet reports WRL_TYPE “OKV”, the TDE master encryption keys are managed by OCI Vault, not by Oracle Key Vault.
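To turn the query above into a repeatable post-change check, here is an added Python script (not from the original post) that parses the SQL*Plus listing of the v$pdbs / v$encryption_wallet join and reports, per container, whether an OCI Vault (OKV) wallet is OPEN and PRIMARY and whether the local wallet file still holds a master key. The two listings embedded in the block are the before and after output shown in this post.

```python
import re

# One row of the v$pdbs / v$encryption_wallet join as SQL*Plus prints it:
# CON_ID NAME OPEN_MODE WRL_TYPE WALLET_TYPE STATUS WALLET_ORDER
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(READ ONLY|READ WRITE|MOUNTED|MIGRATE)"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
FIELDS = ("con_id", "name", "open_mode", "wrl_type", "wallet_type", "status", "order")


def parse_wallet_rows(listing: str) -> list:
    """Turn the listing into dicts; header, separator and blank lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(dict(zip(FIELDS, m.groups())))
    return rows


def check_customer_managed(rows: list) -> dict:
    """Map each container name to its problems; an empty list means CMK is in effect."""
    by_name = {}
    for r in rows:
        by_name.setdefault(r["name"], []).append(r)
    report = {}
    for name, wallets in by_name.items():
        problems = []
        okv = [w for w in wallets if w["wrl_type"] == "OKV"]
        local_open = [w for w in wallets if w["wrl_type"] == "FILE" and w["status"] == "OPEN"]
        if not okv:
            problems.append("no OKV wallet: container still uses Oracle-managed keys")
        elif okv[0]["status"] != "OPEN" or okv[0]["order"] not in ("PRIMARY", "SINGLE"):
            problems.append(f"OCI Vault wallet is {okv[0]['status']}/{okv[0]['order']}, expected OPEN PRIMARY")
        if local_open:
            problems.append("local wallet file is OPEN, i.e. it still holds a master key")
        report[name] = problems
    return report


# Listings taken from this post: before and after enabling customer-managed keys.
BEFORE = """\
2 PDB$SEED READ ONLY FILE AUTOLOGIN OPEN SINGLE
3 PDB001 READ WRITE FILE AUTOLOGIN OPEN SINGLE
"""
AFTER = """\
2 PDB$SEED READ ONLY FILE AUTOLOGIN OPEN_NO_MASTER_KEY SINGLE
2 PDB$SEED READ ONLY OKV OKV OPEN SINGLE
3 PDB001 READ WRITE FILE AUTOLOGIN OPEN_NO_MASTER_KEY SECONDARY
3 PDB001 READ WRITE OKV OKV OPEN PRIMARY
"""
```

Run it against the output of the query above (for example `print(check_customer_managed(parse_wallet_rows(AFTER)))`); a container that lists only a FILE wallet, or an OKV wallet that is not OPEN, shows up with a non-empty problem list.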
Creating further Pluggable Databases
Create a new PDB using the Cloud Console:

The new PDB will have a TDE Master Encryption Key already created:
SQL> select key_id, keystore_type, origin from v$encryption_keys;
KEY_ID KEYSTORE_TYPE ORIGIN
------------------------------------------------------------ -------------------- --------------------
069702169108644F2EBF4C39F1650A3FD9 OKV LOCAL
Looking at your key in OCI Vault, you will notice that a new key version has been created; this is the key used for the new PDB:

To check the mapping between the key_id in the database and the OCID of the Key Version in OCI Vault, execute the following command on the VM DB System as user oracle:
[oracle@dbcshost ~]$ kms-tde-cli find-ocid-for-mkid 069702169108644F2EBF4C39F1650A3FD9
ocid1.keyversion.oc1.eu-frankfurt-1.cbrcwrdiaafxy.bc4dmkcuisiaa.abtheljsq7lpm6c2zb42fovsm2mjgsz4fxo35itx3el7prkf4s644gtjbzfq
Considerations
- The encryption key you use must be AES-256.
- Customer-managed keys (CMK) are available for VM DB System databases running version 19.13 or higher.
- When enabling CMK, the CDB and all PDBs must be OPEN, and all tablespaces must be in READ/WRITE mode.
- TDE isolated mode is not supported. Only TDE unified mode is supported, i.e., all key versions will be from the same key in OCI Vault.
- Switching back to Oracle-managed keys is not supported.
- Databases using CMK cannot be restored on an on-premises system.
- Data Guard can only be enabled in the same OCI region, as both primary and standby use the same OCI Vault, which is a regional service.
Conclusion
Using OCI Vault to manage your TDE encryption keys is quite simple, whether you do it at database creation time or change the key management afterwards. In either case, create or import your own key in the Vault service and select it at database creation time or later.
Remember to use “resource.id” (instead of “instance.id”) in the IAM dynamic group when dealing with VM DB Systems and ExaCS VM Clusters.
Last but not least, do NOT confuse OCI Vault with Oracle Key Vault (OKV).