Oracle Cloud Infrastructure Documentation

Using Encryption Keys

Find out how to use encryption keys to help secure Big Data Service.

Describes how to use customer-managed encryption keys with Big Data Service clusters, and if you're using customer-managed encryption keys, how to update encryption after rotating the key, switch to another customer-managed encryption key, or switch to Oracle-managed encryption keys.

About Encryption Key Management on Big Data Service Clusters

The Big Data Service provides the following encryption options:

  • Oracle-managed encryption keys
  • Customer-managed encryption keys

To create a Big Data Service cluster using KMS key complete the following.

  1. Create vault, and then create encryption key in the vault in your tenancy. See To create a new vault and To create a new master encryption key .
  2. Create IAM policies around KMS key. See Creating IAM Policies for Block Storage Encryption using KMS key and Creating IAM Policies for Object Storage Encryption using KMS key.
  3. Create Big Data Service cluster selecting the KMS key. See Creating a Cluster.

Oracle-Managed Encryption Keys

By default cluster use Oracle-managed encryption keys. Using Oracle-managed keys, Big Data Service creates and manages the encryption keys that protect your cluster.

Prerequisites to Use Customer-Managed Encryption Keys with Big Data Service Clusters

Perform these prerequisite steps to use customer-managed keys with Big Data Service.
  1. Create an Oracle Cloud Infrastructure Vault.
    1. Open the Oracle Cloud Infrastructure Console.
    2. Under Identity & Security, click Vault.
    3. Select an existing Vault or create a Vault.

      For more details, see the instructions for creating a vault, To create a new vault .

  2. Create a Master Encryption Key in the Vault.
    Note

    You must use these options when you create the key:
    • Key Shape: Algorithm: AES (Symmetric key used for Encrypt and Decrypt)
    • Key Shape: Length: 256 bits

    For more information, see To create a new master encryption key and Overview of Key Management.

  3. Write policy statements:
    1. In the Oracle Cloud Infrastructure Console, click Identify & Security, and then click Policies.
    2. To write policies for a dynamic group, click Create policy, and then enter a Name and a Description.
    3. Use the Policy Builder to create a policy.

    See Getting Started with Policies for more information on policies. For information on policies specific to encryption, see Creating IAM Policies for Block Storage Encryption using KMS key and Creating IAM Policies for Object Storage Encryption using KMS key.