Use CMEK

This page describes how to enable Google Cloud CMEK with Oracle Database@Google Cloud. Google Cloud CMEK uses Cloud Key Management Service encryption keys.

Before you begin

Ensure that the following requirements are met before enabling Google Cloud CMEK on an Oracle Database@Google Cloud resource:

• Enable the Cloud Key Management Service API for the project that will store your encryption keys. Enable the API

• Have the following Identity and Access Management (IAM) permissions to work with Cloud KMS keys:

  • To create new encryption key rings and keys:

    • cloudkms.keyRings.create
    • cloudkms.cryptoKeys.create
    • cloudkms.cryptoKeys.get
    • cloudkms.cryptoKeys.list
    • cloudkms.locations.get

  • To give Oracle Database@Google Cloud service accounts access to Cloud KMS keys:

    • cloudkms.cryptoKeys.setIamPolicy

  • To work with key versions:

    • cloudkms.cryptoKeyVersions.get
    • cloudkms.cryptoKeyVersions.create
    • cloudkms.cryptoKeyVersions.list
    • cloudkms.cryptoKeyVersions.useToDecrypt
    • cloudkms.cryptoKeyVersions.useToEncrypt
    • cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

  The Cloud KMS Admin role contains the required permissions. For more information, see Cloud KMS permissions and roles.

  For information about how to grant roles and permissions, see Access control with IAM.

• Create a Cloud KMS key ring and a key. Oracle Database@Google Cloud supports only multi-region symmetric keys.

• Have sufficient permissions to work with Oracle Database@Google Cloud resources. For more information, see Oracle Database@Google Cloud predefined roles.

Workflow to enable Google Cloud CMEK

The workflow to enable Google Cloud CMEK for an Oracle Database@Google Cloud resource involves the following steps:

1. Complete the prerequisites.

2. Create the resource for which you want to enable the CMEK:

   • Create an Exadata VM Cluster
   • Create an Autonomous Database

   Oracle Database@Google Cloud automatically creates a service account for your resource as a part of the provisioning process. For more information, see About Service accounts.

3. Grant the service account access to the key:

   • Enable CMEK on an Exadata VM Cluster
   • Enable CMEK on an Autonomous Database

CMEK for Exadata VM Cluster

Enable CMEK on an Exadata VM Cluster

To enable CMEK on an Exadata VM Cluster, do the following:

1. Go to the Dedicated infrastructure page.

   Go to Dedicated infrastructure

2. Select the Exadata VM Clusters tab.

3. Click the name of the cluster for which you want to enable CMEK.

4. Go to the Google-managed service account section and check the Status.

   If the Status shows Disconnected, contact Customer care. If it shows Connected and a Principal ID, proceed with the next steps.

5. Copy the Principal ID to be used in the subsequent steps.

   The Principal ID generated during provisioning is unique to the Exadata VM Cluster and has no permissions set by default. To enable Oracle databases access to Google Cloud services, grant permissions to the principal ID by following the next steps.

6. Go to the Cloud KMS key management page.

   Go to Cloud KMS key management

7. Select the key ring to which your key belongs.

8. Select the key to grant permissions.

9. Click Add principal.

10. In the New principals field, paste the Principal ID you had copied.

11. Assign the following roles to the principal:

    • Cloud KMS CryptoKey Encrypter/Decrypter
    • Cloud KMS Viewer

12. Click Save.

After completing these steps, go to your OCI console, and discover and register your keys for your database. For instructions, refer to the Oracle documentation.

View Exadata VM Cluster encryption details

To view encryption details of a Exadata VM Cluster, do the following:

1. Go to the Dedicated infrastructure page.

   Go to Dedicated infrastructure

2. Select the Exadata VM Clusters tab.

3. Click the name of the cluster.

4. On the Cluster details page, go to the Google-managed service account.

   You can view the Principal ID and the key. You can view the encryption details of your databases in the OCI console. For more information, refer to the Oracle documentation.

Rotate a key on a Exadata VM Cluster

For a database on your Exadata VM Cluster, you can rotate the key through the OCI console. Refer to the Oracle documentation.

CMEK for Autonomous Database

Enable CMEK on an Autonomous Database

When you create an Autonomous Database, it is encrypted with Oracle-managed keys by default.

To enable Google Cloud CMEK on your Autonomous Database, do the following:

1. Go to the Autonomous Database page.

   Go to Autonomous Database Service

2. Click the name of the database for which you want to configure CMEK.

3. Go to the Oracle-managed service account section.

   The service account for the Autonomous Database is managed by Oracle.

4. Copy the Principal ID.

   The Principal ID generated during provisioning is unique to the Autonomous Database and has no permissions set by default. To enable Oracle databases access to Google Cloud services, grant permissions to the principal ID by following the next steps.

5. Go to the Cloud KMS key management page.

   Go to Cloud KMS key management

6. Select the key ring to which your key belongs.

7. Select the key to grant permissions.

8. Click Add principal.

9. In the New principals field, paste the Principal ID you had copied.

10. Assign the following roles to the principal:

    • Cloud KMS CryptoKey Encrypter/Decrypter
    • Cloud KMS Viewer

11. Click Save.

12. Once again, go to the Autonomous Database page.

    Go to Autonomous Database Service

13. Click the name of your database.

14. Go to the Encryption section.

15. Click Manage.

16. Select Google Cloud customer-managed key.

17. Select your key or enter it manually.

18. Click Save.

View Autonomous Database encryption details

To view encryption details for your Autonomous Database, do the following:

1. Go to the Autonomous Database page.

   Go to Autonomous Database Service

2. Click the name of the database.

3. Go to the Encryption section.

   You can view the encryption type and the encryption key, including a link to its Cloud KMS details page.

Rotate a key on an Autonomous Database

To rotate a key for an Autonomous Database which is encrypted with Google Cloud CMEK, do the following:

1. Go to the Autonomous Database page.

   Go to Autonomous Database Service

2. Click the name of the database for which you want to rotate the key.

3. Go to the Encryption section.

4. Click Manage.

5. On the Manage encryption key page, select a new key or enter one manually.

6. Click Save.

Decrypt a resource

When you want to read an object encrypted with a CMEK, you can access the object as you normally would. During such a request, the service agent automatically decrypts the requested object as long as:

• The service agent still has permission to decrypt using the key.
• You have not disabled or destroyed the key.

If one of these conditions is not met, the service agent does not decrypt the data, and the request fails.

Enable and disable a key

You can enable a Cloud KMS key which is in the disabled state. The resource's data becomes accessible as soon as this change propagates to your resource.

To disable a Cloud KMS key, you must first switch to Oracle-managed encryption. Then, you can disable the Cloud KMS key.

For an Exadata VM Cluster, you can switch the encryption type through the OCI console. For more information, refer to the Oracle documentation.

Enabling or disabling a key can take up to three hours to propagate to your resource.

What's next

• Learn about Cloud KMS.