This page describes how to enable Google Cloud CMEK with Oracle Database@Google Cloud. Google Cloud CMEK uses Cloud Key Management Service encryption keys.
Before you begin
Ensure that the following requirements are met before enabling Google Cloud CMEK on an Oracle Database@Google Cloud resource:
- Enable the Cloud Key Management Service API for the project that will store your encryption keys. Enable the API
Have the following Identity and Access Management (IAM) permissions to work with Cloud KMS keys:
To create new encryption key rings and keys:
cloudkms.keyRings.create
cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.locations.get
To give Oracle Database@Google Cloud service accounts access to Cloud KMS keys:
cloudkms.cryptoKeys.setIamPolicy
To work with key versions:
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.manageRawAesCbcKeys
The
Cloud KMS Admin
role contains the required permissions. For more information, see Cloud KMS permissions and roles.For information about how to grant roles and permissions, see Access control with IAM.
Create a Cloud KMS key ring and a key. Oracle Database@Google Cloud supports only multi-region symmetric keys.
Have sufficient permissions to work with Oracle Database@Google Cloud resources. For more information, see Oracle Database@Google Cloud predefined roles.
Workflow to enable Google Cloud CMEK
The workflow to enable Google Cloud CMEK for an Oracle Database@Google Cloud resource involves the following steps:
- Complete the prerequisites.
Create the resource for which you want to enable the CMEK:
Oracle Database@Google Cloud automatically creates a service account for your resource as a part of the provisioning process. For more information, see About Service accounts.
Grant the service account access to the key:
CMEK for Exadata VM Cluster
Enable CMEK on an Exadata VM Cluster
To enable CMEK on an Exadata VM Cluster, do the following:
Go to the Dedicated infrastructure page.
Select the Exadata VM Clusters tab.
Click the name of the cluster for which you want to enable CMEK.
Go to the Google-managed service account section and check the Status.
If the Status shows
Disconnected
, contact Customer care. If it showsConnected
and a Principal ID, proceed with the next steps.Copy the Principal ID to be used in the subsequent steps.
The Principal ID generated during provisioning is unique to the Exadata VM Cluster and has no permissions set by default. To enable Oracle databases access to Google Cloud services, grant permissions to the principal ID by following the next steps.
Go to the Cloud KMS key management page.
Select the key ring to which your key belongs.
Select the key to grant permissions.
Click Add principal.
In the New principals field, paste the Principal ID you had copied.
Assign the following roles to the principal:
Cloud KMS CryptoKey Encrypter/Decrypter
Cloud KMS Viewer
Click Save.
After completing these steps, go to your OCI console, and discover and register your keys for your database. For instructions, refer to the Oracle documentation.
View Exadata VM Cluster encryption details
To view encryption details of a Exadata VM Cluster, do the following:
Go to the Dedicated infrastructure page.
Select the Exadata VM Clusters tab.
Click the name of the cluster.
On the Cluster details page, go to the Google-managed service account.
You can view the Principal ID and the key. You can view the encryption details of your databases in the OCI console. For more information, refer to the Oracle documentation.
Rotate a key on a Exadata VM Cluster
For a database on your Exadata VM Cluster, you can rotate the key through the OCI console. Refer to the Oracle documentation.
CMEK for Autonomous Database
Enable CMEK on an Autonomous Database
When you create an Autonomous Database, it is encrypted with Oracle-managed keys by default.
To enable Google Cloud CMEK on your Autonomous Database, do the following:
Go to the Autonomous Database page.
Click the name of the database for which you want to configure CMEK.
Go to the Oracle-managed service account section.
The service account for the Autonomous Database is managed by Oracle.
Copy the Principal ID.
The Principal ID generated during provisioning is unique to the Autonomous Database and has no permissions set by default. To enable Oracle databases access to Google Cloud services, grant permissions to the principal ID by following the next steps.
Go to the Cloud KMS key management page.
Select the key ring to which your key belongs.
Select the key to grant permissions.
Click Add principal.
In the New principals field, paste the Principal ID you had copied.
Assign the following roles to the principal:
Cloud KMS CryptoKey Encrypter/Decrypter
Cloud KMS Viewer
Click Save.
Once again, go to the Autonomous Database page.
Click the name of your database.
Go to the Encryption section.
Click Manage.
Select Google Cloud customer-managed key.
Select your key or enter it manually.
Click Save.
View Autonomous Database encryption details
To view encryption details for your Autonomous Database, do the following:
Go to the Autonomous Database page.
Click the name of the database.
Go to the Encryption section.
You can view the encryption type and the encryption key, including a link to its Cloud KMS details page.
Rotate a key on an Autonomous Database
To rotate a key for an Autonomous Database which is encrypted with Google Cloud CMEK, do the following:
Go to the Autonomous Database page.
Click the name of the database for which you want to rotate the key.
Go to the Encryption section.
Click Manage.
On the Manage encryption key page, select a new key or enter one manually.
Click Save.
Decrypt a resource
When you want to read an object encrypted with a CMEK, you can access the object as you normally would. During such a request, the service agent automatically decrypts the requested object as long as:
- The service agent still has permission to decrypt using the key.
- You have not disabled or destroyed the key.
If one of these conditions is not met, the service agent does not decrypt the data, and the request fails.
Enable and disable a key
You can enable a Cloud KMS key which is in the disabled state. The resource's data becomes accessible as soon as this change propagates to your resource.
To disable a Cloud KMS key, you must first switch to Oracle-managed encryption. Then, you can disable the Cloud KMS key.
For an Exadata VM Cluster, you can switch the encryption type through the OCI console. For more information, refer to the Oracle documentation.
Enabling or disabling a key can take up to three hours to propagate to your resource.
What's next
- Learn about Cloud KMS.