As you may remember, we announced customer-managed keys and cross-region Autonomous Data Guard (X-ADG) in Autonomous Database (ADB) last year. These are two highly sought-after features of ADB when it comes to security and disaster recovery. Even though our customers could use customer-managed keys along with a local ADG configuration (i.e. local standby), it was not possible to combine it with X-ADG until now. Today we are excited to announce that Autonomous Database now supports customer-managed keys with X-ADG as well!
Since both of these are already fairly well known features, we are not going to go into too much detail about them in this blog. However, if you’d like to learn more about either of them, please make sure to check out the blogs linked above. In this blog, we are going to focus on a simple use case in which we will switch our ADB from using an Oracle-managed key to a customer-managed key while it’s already configured with X-ADG. Here is our short outline for this demonstration:
There are two important prerequisite steps before using customer-managed keys along with X-ADG:
Sample dynamic group called ctuzlaDG that covers resources in a given compartment:
resource.compartment.id = 'ocid1.autonomousdatabase.oc1.iad.osbgdthsnmakytsbnjpq7n37q'
Sample policy to allow the members of ctuzlaDG to access vaults and keys in our tenancy:
Allow dynamic-group ctuzlaDG to use vaults in tenancy
Allow dynamic-group ctuzlaDG to use keys in tenancy
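Before switching the key it is worth confirming that the dynamic group and policy grant no more than the database needs: the verb should be use rather than manage, only vaults and keys should be granted, and the scope should be as narrow as the deployment allows. The Python script below is an added example and is not code from the original post or from Oracle. It parses the statement form and matching-rule form shown above and reports where the grant is wider than necessary; the compartment name adb-prod and the resource.id OCID in the tighter variant are constructed placeholders.

```python
"""Review the IAM pieces an ADB needs before it can use a customer-managed key:
the dynamic-group matching rule and the policy statements granting vault and
key access. Findings encode least-privilege expectations, not OCI errors."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Only the "Allow <group-type> <name> to <verb> <resource> in <scope>" form used
# on this page is handled (assumption: no 'where' conditions, no any-user).
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject_type>dynamic-group|group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope_type>tenancy|compartment)(?:\s+(?P<scope_name>\S+))?\s*$",
    re.IGNORECASE,
)
# Matching rules of the form  <key> = '<value>'  (the only form shown on the page).
RULE_RE = re.compile(r"^\s*(?P<key>[\w.]+)\s*=\s*'(?P<value>[^']*)'\s*$")
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass(frozen=True)
class Statement:
    subject_type: str
    subject: str
    verb: str
    resource: str
    scope_type: str
    scope_name: Optional[str]


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def parse_statement(line: str) -> Statement:
    m = STATEMENT_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised policy statement: {line!r}")
    return Statement(m["subject_type"].lower(), m["subject"], m["verb"].lower(),
                     m["resource"].lower(), m["scope_type"].lower(), m["scope_name"])


def parse_policy(text: str) -> List[Statement]:
    return [parse_statement(line) for line in text.splitlines() if line.strip()]


def review(statements: List[Statement], dynamic_group: str, matching_rule: str,
           needed=("vaults", "keys")) -> List[Finding]:
    """Return least-privilege findings for one dynamic group's grants and rule."""
    findings: List[Finding] = []
    mine = [s for s in statements
            if s.subject_type == "dynamic-group" and s.subject == dynamic_group]
    granted = {s.resource for s in mine}
    for res in needed:  # both vaults and keys must be granted or the switch fails
        if res not in granted:
            findings.append(Finding("missing-grant", f"no statement grants {res} to {dynamic_group}"))
    for s in mine:
        if s.resource not in needed:
            findings.append(Finding("extra-resource", f"{s.resource} is not needed for key access"))
        if VERB_RANK[s.verb] > VERB_RANK["use"]:
            findings.append(Finding("excess-verb", f"'{s.verb}' on {s.resource}; 'use' suffices to encrypt with an existing key"))
        if s.scope_type == "tenancy":
            findings.append(Finding("tenancy-scope", f"{s.resource} granted tenancy-wide; scope to the compartment holding the vault"))
    rm = RULE_RE.match(matching_rule)
    if rm is None:
        findings.append(Finding("unparsed-rule", f"matching rule not understood: {matching_rule!r}"))
    elif rm["key"] == "resource.compartment.id":
        # Every resource in that compartment becomes a member; resource.id limits it to one database.
        findings.append(Finding("compartment-wide-group", "rule matches the whole compartment; resource.id = '<adb ocid>' limits membership to one database"))
    return findings


# The dynamic group rule and policy exactly as shown on the page.
PAGE_RULE = "resource.compartment.id = 'ocid1.autonomousdatabase.oc1.iad.osbgdthsnmakytsbnjpq7n37q'"
PAGE_POLICY = """Allow dynamic-group ctuzlaDG to use vaults in tenancy
Allow dynamic-group ctuzlaDG to use keys in tenancy"""
# Constructed tighter variant: placeholder compartment name and placeholder OCID.
TIGHT_RULE = "resource.id = 'ocid1.autonomousdatabase.oc1.iad.EXAMPLE'"
TIGHT_POLICY = """Allow dynamic-group ctuzlaDG to use vaults in compartment adb-prod
Allow dynamic-group ctuzlaDG to use keys in compartment adb-prod"""

if __name__ == "__main__":
    for label, policy, rule in (("page", PAGE_POLICY, PAGE_RULE), ("tight", TIGHT_POLICY, TIGHT_RULE)):
        print(label, [f"{f.code}: {f.detail}" for f in review(parse_policy(policy), "ctuzlaDG", rule)])
```

Run against the page's own sample, the reviewer reports the two tenancy-wide grants and the compartment-wide membership rule; against the tighter variant it reports nothing. The checks are advisory: a tenancy-wide grant is valid OCI syntax, it is simply broader than a database that needs one vault and one key requires.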
As the last step, we are going to switch to using a customer-managed key in our ADB. As noted in the info box shown in the screenshot below, if ADB is already configured with X-ADG, only the keys that are available in both primary and standby regions are listed.
In this example, we started using a customer-managed key in an ADB that already had X-ADG configured. Similarly, we could also enable X-ADG in an instance that already uses a customer-managed key. In other words, the order of these operations does not matter. As long as we create the necessary dynamic group and policy, and make sure our key is replicated in the remote region, we can use customer-managed keys alongside X-ADG.
To summarize, a fully managed cloud service such as Autonomous Database is all about orchestration and automation of various key components such as the infrastructure, software, and operations. Offering solutions and features that seamlessly work together is one of our top priorities. With this announcement, our customers can now configure their ADB instances with customer-managed keys and cross-region Autonomous Data Guard, taking full advantage of our cloud security and disaster recovery offerings.
Can is a Principal Product Manager for Oracle Autonomous Database (ADB-S) and has been with the company since 2014. Prior to joining the ADB-S team, he worked on the Oracle Multitenant and Oracle Query Optimizer teams. Can holds an MS (Computer Science) from Case Western Reserve University and a BS (Computer Engineering) from Bilkent University.