Configure your Autonomous Database with Customer-Managed Keys and Cross-Region Autonomous Data Guard

November 15, 2022 | 3 minute read
Can Tuzla
Principal Product Manager
Text Size 100%:

As you may remember, we announced customer-managed keys and cross-region Autonomous Data Guard (X-ADG) in Autonomous Database (ADB) last year. These are two highly sought-after features of ADB when it comes to security and disaster recovery. Even though our customers could use customer-managed keys along with a local ADG configuration (i.e. local standby), it was not possible to combine it with X-ADG until now. Today we are excited to announce that Autonomous Database now supports customer-managed keys with X-ADG as well!

Since both of these are already fairly well known features, we are not going to go into too much detail about them in this blog. However, if you’d like to learn more about either of them, please make sure to check out the blogs linked above. In this blog, we are going to focus on a simple use case in which we will switch our ADB from using an Oracle-managed key to a customer-managed key while it’s already configured with X-ADG. Here is our short outline for this demonstration:

  • Perform prerequisite steps
  • Switch from an Oracle-managed key to a customer-managed key

Perform prerequisite steps

There are two important prerequisite steps before using customer-managed keys along with X-ADG:

  1. Using a customer-managed key in an X-ADG configuration means that both the primary and standby databases need to have access to the master encryption key. Since the standby database is located in a remote region, we need to make sure our customer-managed key is replicated in that remote region. This is possible via the Virtual Private Vault feature of OCI Vault. See OCI Vault documentation on how to replicate your keys and vaults in a different region and what IAM policies are needed.
  2. The other prerequisite is to create a dynamic group and a policy so that our Autonomous Databases (i.e. primary and standby) can access our keys in OCI Vault.

Sample dynamic group called ctuzlaDG that covers resources in a given compartment: = 'ocid1.autonomousdatabase.oc1.iad.osbgdthsnmakytsbnjpq7n37q'

Sample policy to allow the members of ctuzlaDG to access vaults and keys in our tenancy:

Allow dynamic-group ctuzlaDG to use vaults in tenancy

Allow dynamic-group ctuzlaDG to use keys in tenancy

Switch from an Oracle-managed key to a customer-managed key

As the last step, we are going to switch to using a customer-managed key in our ADB. As noted in the info box shown in the screenshot below, if ADB is already configured with X-ADG, only the keys that are available in both primary and standby regions are listed.

Configure CMK with X-ADG

In this example, we started using a customer-managed key in an ADB that had already X-ADG configured. Similarly, we could also enable X-ADG in an instance that already uses a customer-managed key. In other words, the order of these operations does not matter. As long as we create the necessary dynamic group and policy, and make sure our key is replicated in the remote region, we can use customer-managed keys alongside X-ADG.

To summarize, a fully managed cloud service such as Autonomous Database is all about orchestration and automation of various key components such as the infrastructure, software, and operations. Offering solutions and features that seamlessly work together is one of our top priorities. With this announcement, our customers can now configure their ADB instances with customer-managed keys and cross-region Autonomous Data Guard taking full advantage of our cloud security and disaster recovery offerings.

Can Tuzla

Principal Product Manager

Can is a Principal Product Manager for Oracle Autonomous Database (ADB-S) and has been with the company since 2014. Prior to joining the ADB-S team, he worked on the Oracle Multitenant and Oracle Query Optimizer teams. Can holds a MS (Computer Science) from Case Western Reserve University and a BS (Computer Engineering) from Bilkent University.

Previous Post

How to Attach a File System to your Autonomous Database

Can Tuzla | 6 min read

Next Post

Configure your application mid-tier alongside your database for cross-region disaster recovery

Nilay Panchal | 4 min read
Everything you need to know about data warehousing with the world's leading cloud solution provider