This page describes Google Cloud customer-managed encryption keys (CMEK) for Oracle Database@Google Cloud.
Oracle Database@Google Cloud provides the following encryption options to encrypt your data:
- Google Cloud CMEK: this encryption option lets you manage your keys using Cloud Key Management Service. You can use this option when you need to control the lifecycle of your encryption keys to meet specific organizational standards. You can grant, revoke, and rotate keys on your own schedule. This page provides an overview of Google Cloud CMEK. To learn how to use it, see Use CMEK.
- Oracle-managed encryption: this encryption option lets you use Oracle-managed encryption options, such as Oracle Vault or Oracle Wallet. To learn about Oracle-managed encryption options, refer to Oracle documentation.
Google Cloud CMEK
Google Cloud CMEK uses Cloud KMS. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. You own, control, and manage the symmetric key encryption keys (KEKs) that protect your data in Cloud KMS.
You can use Google Cloud CMEK with the following Oracle Database@Google Cloud resources:
- Exadata VM Clusters
- Autonomous Databases
About service accounts
To enable Google Cloud CMEK on your Oracle Database@Google Cloud resources, you need to use a service account to request key access from Cloud KMS. This lets you grant precise IAM permissions to Oracle databases to access Google Cloud services.
When you provision an Oracle Database@Google Cloud resource, a service account is automatically created which you can use to enable CMEK on that resource only.
For an Exadata VM Cluster, the service account is managed by Google Cloud; for an Autonomous Database, the service account is managed by Oracle.
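Because the resource reaches the key only through its service account, the least-privilege check a practitioner wants here is that the account holds the encrypt/decrypt role on the key and nothing broader. The following is an added example, not code from the page or from Oracle Database@Google Cloud: it audits a Cloud KMS key IAM policy in the `{"bindings": [{"role": ..., "members": [...]}]}` shape the `getIamPolicy` API returns. The sample policy and the service-account addresses are constructed; `roles/cloudkms.cryptoKeyEncrypterDecrypter` and `roles/cloudkms.admin` are the real Cloud KMS role names.

```python
"""Audit the IAM policy on a Cloud KMS key for the service account that an
Oracle Database@Google Cloud resource uses to request key access.

The policy dict follows the shape the Cloud KMS getIamPolicy API returns.
The sample policy and the service-account addresses are constructed for this
example.
"""
from typing import Dict, List

# The role a key-using service account needs: it permits encrypt/decrypt calls
# but not changing, destroying or re-sharing the key.
CMEK_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Roles that manage key material or its policy; a database's service account
# should not hold them on the key.
KEY_ADMIN_ROLES = {"roles/cloudkms.admin"}

# Member identities that make a grant effectively public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def roles_for_member(policy: Dict, member: str) -> set:
    """Return every role the policy grants directly to `member`."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_cmek_policy(policy: Dict, service_account_email: str) -> Dict:
    """Summarise whether the service account holds exactly CMEK_ROLE and
    whether any binding on the key goes to a public principal."""
    member = f"serviceAccount:{service_account_email}"
    roles = roles_for_member(policy, member)
    public = sorted({b["role"] for b in policy.get("bindings", [])
                     if PUBLIC_MEMBERS & set(b.get("members", []))})
    return {
        "member": member,
        "has_cmek_role": CMEK_ROLE in roles,
        "admin_roles": sorted(roles & KEY_ADMIN_ROLES),
        "extra_roles": sorted(roles - {CMEK_ROLE} - KEY_ADMIN_ROLES),
        "public_bindings": public,
    }


def findings(policy: Dict, service_account_email: str) -> List[str]:
    """Human-readable list of problems; an empty list means the grant is as expected."""
    a = audit_cmek_policy(policy, service_account_email)
    out = []
    if not a["has_cmek_role"]:
        out.append(f"{a['member']} lacks {CMEK_ROLE}; the resource cannot use the key")
    for r in a["admin_roles"]:
        out.append(f"{a['member']} holds key-admin role {r}")
    for r in a["extra_roles"]:
        out.append(f"{a['member']} holds unrelated role {r}")
    for r in a["public_bindings"]:
        out.append(f"role {r} is granted to a public principal")
    return out


# Constructed sample policy: one correctly scoped account, one over-granted.
SAMPLE_POLICY = {
    "bindings": [
        {"role": CMEK_ROLE,
         "members": ["serviceAccount:exadata-sa@example.iam.gserviceaccount.com",
                     "serviceAccount:adb-sa@example.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.admin",
         "members": ["serviceAccount:adb-sa@example.iam.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    for sa in ("exadata-sa@example.iam.gserviceaccount.com",
               "adb-sa@example.iam.gserviceaccount.com",
               "missing-sa@example.iam.gserviceaccount.com"):
        print(sa, findings(SAMPLE_POLICY, sa) or ["OK"])
```

In practice you would feed `findings()` the policy fetched for each key that protects an Exadata VM Cluster or Autonomous Database, and treat any non-empty result as a ticket: a missing role is the "insufficient permissions" outage case, an admin role on the database's account is more privilege than key access needs.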
Pricing
Using CMEK with Cloud KMS may incur additional costs, depending on your usage patterns. Learn more about Cloud KMS pricing.
Key unavailability
If you disable the Cloud KMS key that encrypts an Oracle Database@Google Cloud resource, the resource experiences downtime within 30 minutes. Re-enabling the key brings the resource back up.
In rare scenarios, such as during periods when Cloud KMS is unavailable, Oracle Database@Google Cloud might be unable to retrieve the status of your key from Cloud KMS.
After 30 minutes, if Oracle Database@Google Cloud is still unable to connect with Cloud KMS, Oracle Database@Google Cloud begins taking the resources offline as a protective measure. The data in your resource remains inaccessible until your resource can reconnect with Cloud KMS and Cloud KMS responds that the key is active.
The resources might also become inaccessible if the permissions on the key are insufficient.
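The behaviour described above has a single rule behind it: the resource stays up while the key was confirmed active within the last 30 minutes, and goes offline once that window lapses, whether the cause is a disabled key, an unreachable Cloud KMS, or a denied permission. The following added example (not code from the page or the service) models that rule as a monitor a defender can run over their own key-status polls to alert before the window closes; the poll results and timestamps are constructed, and the status strings `ENABLED`, `DISABLED`, `UNREACHABLE` and `PERMISSION_DENIED` are labels chosen for this example.

```python
"""Model of the key-availability rule for CMEK-protected Oracle
Database@Google Cloud resources: the resource stays online while the key
was confirmed ENABLED within the last 30 minutes and goes offline once that
grace window lapses. Added example; the poll sequence is constructed.
"""
from datetime import datetime, timedelta
from typing import List, Optional

GRACE = timedelta(minutes=30)   # window stated on the page


class KeyAvailabilityMonitor:
    def __init__(self) -> None:
        self.last_confirmed: Optional[datetime] = None
        self.online = True
        self.reason: Optional[str] = None

    def observe(self, at: datetime, status: str) -> str:
        """Record one poll of the key and return the resource state it implies.

        Any status other than ENABLED (disabled key, unreachable KMS, denied
        permission) is treated the same way: it does not refresh the
        confirmation time, so the resource goes offline once GRACE has
        elapsed since the last ENABLED response.
        """
        if status == "ENABLED":
            self.last_confirmed = at
            self.online = True
            self.reason = None
        elif self.last_confirmed is None or at - self.last_confirmed >= GRACE:
            self.online = False
            self.reason = status
        return "ONLINE" if self.online else f"OFFLINE ({self.reason})"

    def time_until_offline(self, at: datetime) -> timedelta:
        """How long the resource can still run without a fresh ENABLED
        confirmation; zero means it is (or is about to be) offline."""
        if self.last_confirmed is None:
            return timedelta(0)
        remaining = GRACE - (at - self.last_confirmed)
        return max(remaining, timedelta(0))


# Constructed poll sequence (minutes after t0, status).
SAMPLE_POLLS = [
    (0, "ENABLED"),
    (10, "UNREACHABLE"),        # transient KMS outage, inside the window
    (20, "ENABLED"),            # recovered, window restarts
    (30, "DISABLED"),           # key disabled 10 min ago: still online
    (50, "DISABLED"),           # 30 min since last confirmation: offline
    (55, "ENABLED"),            # key re-enabled: back up
    (60, "PERMISSION_DENIED"),  # grant removed, inside the window
    (90, "PERMISSION_DENIED"),  # 35 min without confirmation: offline
]


def run_sample() -> List[str]:
    """Replay SAMPLE_POLLS through the monitor and return the state after each poll."""
    t0 = datetime(2024, 1, 1, 0, 0)
    monitor = KeyAvailabilityMonitor()
    return [monitor.observe(t0 + timedelta(minutes=m), s) for m, s in SAMPLE_POLLS]


if __name__ == "__main__":
    for (m, s), state in zip(SAMPLE_POLLS, run_sample()):
        print(f"t+{m:>2}m {s:<17} -> {state}")
```

The useful output for operations is `time_until_offline()`: polling the key state every few minutes and paging when the remaining time drops below, say, 15 minutes gives a chance to re-enable the key or restore the service account's grant before the resource is taken offline.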