Google Cloud Key Management Integration for Exadata Database Service on Oracle Database@Google Cloud
Exadata Database Service on Oracle Database@Google Cloud now supports integration with Google Cloud Platform's Key Management Service (KMS).
This enhancement allows users to manage Transparent Data Encryption (TDE) master encryption keys (MEKs) using GCP Customer-Managed Encryption Keys (CMEKs).
Previously, TDE master encryption keys could only be stored in a file-based Oracle Wallet, Oracle Cloud Infrastructure (OCI) Vault, or Oracle Key Vault (OKV). With this update, users can store and manage MEKs directly in GCP KMS, providing improved key lifecycle control and alignment with organization-specific security policies.
This integration enables applications, Google Cloud services, and databases to benefit from a centralized key management solution that offers enhanced security and simplified key lifecycle management.
- Prerequisites
Before configuring GCP Customer Managed Encryption Keys (CMEK) as the key management service for your databases, ensure the following prerequisites are met.
- Using the Console to Manage GCP KMS Integration for Exadata Database Service on Oracle Database@Google Cloud
Learn how to manage GCP KMS integration for Exadata Database Service on Oracle Database@Google Cloud.
- Using the API to Manage GCP KMS Integration for Exadata Database Service on Oracle Database@Google Cloud
Prerequisites
Before configuring GCP Customer Managed Encryption Keys (CMEK) as the key management service for your databases, ensure the following prerequisites are met.
- Provision an Exadata VM Cluster via the Google Cloud console. See Provisioning an Exadata VM Cluster for Google Cloud for step-by-step instructions.
- Review the Identity Connector connection to ensure it is correctly configured and active. For more information, see Verify the Default Identity Connector Attached to the VM Cluster.
- Prerequisites for Configuring GCP Customer Managed Encryption Keys (CMEK) at the Exadata VM Cluster Level
To enable Google Cloud Platform (GCP) Customer Managed Encryption Keys (CMEK) for databases deployed with Exadata Database Service on Oracle Database@Google Cloud, you must configure CMEK as the key management option at the VM cluster level. Once CMEK is enabled at the cluster level, databases that select GCP CMEK as their key management option have their TDE master encryption keys managed by the specified key in GCP KMS.
Before enabling CMEK, ensure that:
- The required GCP key rings and encryption keys are already created in GCP.
- These keys are mirrored as anchor resources in Oracle Cloud Infrastructure (OCI), ensuring synchronization between GCP and OCI.
- The anchor resources are in place for database provisioning and for managing the encryption key lifecycle, including key rotation, revocation, and auditing.
- IAM Policy Requirements for Accessing GCP Key Resources.
The database uses the VM cluster resource principal to securely retrieve GCP key resources. To enable this, define the following IAM policy in your OCI tenancy.
Read-only access to Oracle GCP keys:
Allow any-user to read oracle-db-gcp-keys in compartment id <your-compartment-OCID> where all { request.principal.type = 'cloudvmcluster' }
This policy grants read-only access to the oracle-db-gcp-keys resource type in the named compartment to any principal whose type is cloudvmcluster, that is, to the VM cluster resource principal. The any-user subject is deliberately broad; the where clause and the compartment scope are what bound it, so keep both and scope the compartment as narrowly as your cluster placement allows.
Using the Console to Manage GCP KMS Integration for Exadata Database Service on Oracle Database@Google Cloud
Learn how to manage GCP KMS integration for Exadata Database Service on Oracle Database@Google Cloud.
- To create a cloud VM cluster resource
Create a VM cluster in an Exadata Cloud Infrastructure instance.
- Verify the Default Identity Connector Attached to the VM Cluster
To view the details of an identity connector attached to a VM cluster, use this procedure.
- Create a Key Ring in Google Cloud Console
To create a key ring, use this procedure.
- Create a Key in Google Cloud Console
To create a raw symmetric encryption key in the specified key ring and location, use this procedure.
- Grant Permissions in Google Cloud KMS for Key Discovery by Oracle Cloud Infrastructure (OCI)
To allow a key to be discoverable in Oracle Cloud Infrastructure (OCI), use this procedure.
- Register GCP Key Ring in Oracle Cloud Infrastructure (OCI)
To enable Google Cloud Customer Managed Encryption Keys (CMEK) for your VM cluster, you must first register the GCP Key Ring in OCI.
- Enable or Disable Google Cloud Key Management
To enable GCP CMEK for your Exadata VM Cluster, use this procedure.
- Create a Database and Use GCP Customer-Managed Encryption Key (CMEK) as the Key Management Solution
This topic describes only the steps for creating a database and using GCP Customer-managed encryption key (CMEK) as the key management solution.
- Change the Key Management from Oracle Wallet to GCP Customer Managed Encryption Key (CMEK)
To change encryption keys between different encryption methods, use this procedure.
- Rotate the GCP Customer Managed Encryption Key of a Container Database (CDB)
To rotate the GCP Customer Managed Encryption Key of a container database (CDB), use this procedure.
- Rotate the GCP Customer Managed Encryption Key of a Pluggable Database (PDB)
To rotate the GCP Customer Managed Encryption Key of a pluggable database (PDB), use this procedure.
To create a cloud VM cluster resource
Create a VM cluster in an Exadata Cloud Infrastructure instance.
To create a cloud VM cluster in an Exadata Cloud Infrastructure instance, you must have first created a Cloud Exadata infrastructure resource.
Multi-VM enabled infrastructure supports creating multiple VM clusters. Infrastructure created before the Create and Manage Multiple Virtual Machines per Exadata System (MultiVM) and VM Cluster Node Subsetting feature was released supports only a single cloud VM cluster.
When you provision an Exadata VM cluster in Exadata Database Service on Oracle Database@Google Cloud, an Identity Connector is automatically created and associated with the VM cluster.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
Note
Multiple VM clusters may be created only in a Multi-VM enabled Infrastructure.
- Click Create Exadata VM Cluster.
The Create Exadata VM Cluster page is displayed. Provide the required information to configure the VM cluster.
- Compartment: Select a compartment for the VM cluster resource.
- Display name: Enter a user-friendly display name for the VM cluster. The name doesn't need to be unique. An Oracle Cloud Identifier (OCID) will uniquely identify the VM cluster. Avoid entering confidential information.
- Select Exadata infrastructure: Select the infrastructure resource that will contain the VM cluster. You must choose an infrastructure resource that has enough resources to create a new VM cluster. Click Change Compartment and pick a different compartment from the one you are working in to view infrastructure resources in other compartments.
Note
Multiple VM clusters may be created only in a Multi-VM enabled Infrastructure.
- VM Cluster Type:
Note
You cannot change the VM cluster type after deploying the VM cluster. If you wish to change the VM cluster type, you must create a new VM cluster and migrate the database to the new cluster.
- Exadata Database: Standard Database VM with no restrictions, suitable for all workloads.
- Exadata Database-Developer: Developer Database VM with restrictions, suitable for application development only.
- Choose the Oracle Grid Infrastructure version: From the list, choose the Oracle Grid Infrastructure release (19c or 23ai) that you want to install on the VM cluster.
The Oracle Grid Infrastructure release determines the Oracle Database releases that can be supported on the VM cluster. You cannot run an Oracle Database release that is later than the Oracle Grid Infrastructure software release.
Note
Minimum requirements for provisioning a VM Cluster with Grid Infrastructure 23ai:
- Exadata Guest VM running Exadata System Software 23.1.8
- Exadata Infrastructure running Exadata System Software 23.1.x
- Choose an Exadata image version:
- Exadata infrastructure with Oracle Linux 7 and Exadata image version 22.1.10.0.0.230422:
- The Change image button is not enabled.
- The Oracle Grid Infrastructure version defaults to 19.0.0.0.0.
- The Exadata guest version will be the same as that of the host OS.
- Exadata infrastructure with Oracle Linux 8 and Exadata image version 23.1.3.0.0.230613:
- The Exadata guest version defaults to the latest (23.1.3.0).
- The Oracle Grid Infrastructure version defaults to 19.0.0.0.0.
- The Change image button is enabled.
- Click Change image.
The resulting Change image panel displays the list of available major versions of Exadata image (23.1.3.0 and 22.1.3.0).
The most recent release for each major version is indicated by "(latest)".
- Slide Display all available versions.
Six past versions, including the latest versions of Exadata images 23.1.3.0 and 22.1.3.0, are displayed.
- Choose a version.
- Click Save Changes.
- Configure the VM cluster: Specify the DB servers to use for the new VM cluster (by default all DB servers are selected). Click Select DB Servers to select from the available DB servers, and then click Save.
VM Cluster Type - Exadata Database: Select a minimum of one database server for VM placement. If you require a high availability database service that remains available during maintenance and unplanned outages, select at least two database servers. Maximum resources available for allocation per VM are based on the number of database servers selected.
VM Cluster Type - Exadata Database-Developer: Select one database server for VM placement. Only one database server may be selected.
In the Resource allocation per VM pane:
- Specify the number of OCPU/ECPU you want to allocate to each of the VM cluster's virtual machine compute nodes. For VM clusters created on X11M Exadata infrastructure specify ECPUs. For VM Clusters created on X10M and earlier Exadata infrastructure, specify OCPUs. The minimum is 2 OCPU per VM for X10M and earlier infrastructure or 8 ECPUs per VM for VM clusters created on X11M Exadata infrastructure. The read-only Requested OCPU count for the Exadata VM cluster field displays the total number of OCPU or ECPU cores you are allocating.
- Specify the Memory per VM to allocate to each VM. The minimum per VM is 30 GB.
- Specify the Local Storage per VM to allocate local storage to each VM. The minimum per VM is 60 GB.
Each time you create a new VM cluster, the space remaining out of the total available space is used for the new VM cluster.
In addition to /u02, you can specify the size of additional local file systems. For more information and instructions to specify the size for each individual VM, see Introduction to Scale Up or Scale Down Operations.
- Click Show additional local file systems configuration options.
- Specify the size of the /, /u01, /tmp, /var, /var/log, /var/log/audit, and /home file systems as needed.
Note
- You can only expand these file systems and cannot reduce the size once expanded.
- Due to backup partitions and mirroring, the / and /var file systems will consume twice the space they were allocated, which is indicated in the read-only Total allocated storage for / (GB) due to mirroring and Total allocated storage for /var (GB) due to mirroring fields.
- After creating the VM Cluster, check the Exadata Resources section on the Exadata Infrastructure Details page to see the size allocated to local storage (/u02) and to the additional local file systems.
- Configure Exadata storage: Specify the following:
- Specify the usable Exadata storage TB. Specify the storage in multiples of 1 TB. Minimum: 2 TB.
- Allocate storage for Exadata sparse snapshots: Select this configuration option if you intend to use snapshot functionality within your VM cluster. If you select this option, the SPARSE disk group is created, which enables you to use VM cluster snapshot functionality for PDB sparse cloning. If you do not select this option, the SPARSE disk group is not created and snapshot functionality will not be available on any database deployments that are created in the environment.
Note
The storage configuration option for sparse snapshots cannot be changed after VM cluster creation.
- Allocate storage for local backups: Select this option if you intend to perform database backups to the local Exadata storage within your Exadata Cloud Infrastructure instance. If you select this option, more space is allocated to the RECO disk group, which is used to store backups on Exadata storage. If you do not select this option, more space is allocated to the DATA disk group, which enables you to store more information in your databases.
Note
The storage configuration option for local backups cannot be changed after VM cluster creation.
- Add SSH key: Add the public key portion of each key pair you want to use for SSH access to the VM cluster:
- Generate SSH key pair (Default option) Select this radio button to generate an SSH keypair. Then in the dialog below click Save private key to download the key, and optionally click Save public key to download the key.
- Upload SSH key files: Select this radio button to browse or drag and drop .pub files.
- Paste SSH keys: Select this radio button to paste in individual public keys. To paste multiple keys, click + Another SSH Key, and supply a single key for each entry.
- Configure the network settings: Specify the following:
Note
IP addresses in 100.64.0.0/10 are used for the Exadata Cloud Infrastructure X8M interconnect. You do not have the option to choose between IPv4 (single stack) and IPv4/IPv6 (dual stack) if both configurations exist. For more information, see VCN and Subnet Management.
- Virtual cloud network: The VCN in which you want to create the VM cluster. Click Change Compartment to select a VCN in a different compartment.
- Client subnet: The subnet to which the VM cluster should attach. Click Change Compartment to select a subnet in a different compartment.
Do not use a subnet that overlaps with 192.168.16.16/28, which is used by the Oracle Clusterware private interconnect on the database instance. Specifying an overlapping subnet causes the private interconnect to malfunction.
- Backup subnet: The subnet to use for the backup network, which is typically used to transport backup information to and from the Backup Destination, and for Data Guard replication. Click Change Compartment to select a subnet in a different compartment, if applicable.
Do not use a subnet that overlaps with 192.168.128.0/20. This restriction applies to both the client subnet and backup subnet.
If you plan to back up databases to Object Storage or Autonomous Recovery service, see the network prerequisites in Managing Exadata Database Backups.
Note
In case Autonomous Recovery Service is used, a new dedicated subnet is highly recommended. Review the network requirements and configurations required to back up your Oracle Cloud databases to Recovery Service. See Configuring Network Resources for Recovery Service.
- Network Security Groups: Optionally, you can specify one or more network security groups (NSGs) for both the client and backup networks. NSGs function as virtual firewalls, allowing you to apply a set of ingress and egress security rules to your Exadata Cloud Infrastructure VM cluster. A maximum of five NSGs can be specified. For more information, see Network Security Groups and Network Setup for Exadata Cloud Infrastructure Instances.
Note that if you choose a subnet with a security list, the security rules for the VM cluster will be a union of the rules in the security list and the NSGs.
To use network security groups:
- Check the Use network security groups to control traffic check box. This box appears under both the selector for the client subnet and the backup subnet. You can apply NSGs to either the client or the backup network, or to both networks. Note that you must have a virtual cloud network selected to be able to assign NSGs to a network.
- Specify the NSG to use with the network. You might need to use more than one NSG. If you're not sure, contact your network administrator.
- To use additional NSGs with the network, click + Another Network Security Group.
Note
To provide your cloud VM Cluster resources with additional security, you can use Oracle Cloud Infrastructure Zero Trust Packet Routing to ensure that only resources identified with security attributes have network permissions to access your resources. Oracle provides Database policy templates that you can use to assist you with creating policies for common database security use cases. To configure it now, you must already have created security attributes with Oracle Cloud Infrastructure Zero Trust Packet Routing. Click Show Advanced Options at the end of this procedure.
Be aware that when you provide security attributes for a cluster, as soon as it is applied, all resources require a Zero Trust Packet policy to access the cluster. If there is a security attribute on an endpoint, then it must satisfy both network security group (NSG) and Oracle Cloud Infrastructure Zero Trust Packet Routing policy (OCI ZPR) rules.
- To use private DNS Service:
Note
A Private DNS must be configured before it can be selected. See "Configure Private DNS".
- Check the Use private DNS Service check box.
- Select a private view. Click Change Compartment to select a private view in a different compartment.
- Select a private zone. Click Change Compartment to select a private zone in a different compartment.
- Hostname prefix: Your choice of hostname for the Exadata VM cluster. The host name must begin with an alphabetic character and can contain only alphanumeric characters and hyphens (-). The maximum number of characters allowed for an Exadata VM cluster is 12.
Caution:
The hostname must be unique within the subnet. If it is not unique, the VM cluster will fail to provision.
- Host domain name: The domain name for the VM cluster. If the selected subnet uses the Oracle-provided Internet and VCN Resolver for DNS name resolution, this field displays the domain name for the subnet and it can't be changed. Otherwise, you can provide your choice of the domain name. Hyphens (-) are not permitted.
If you plan to store database backups in Object Storage or Autonomous Recovery service, Oracle recommends that you use a VCN Resolver for DNS name resolution for the client subnet because it automatically resolves the Swift endpoints used for backups.
- Host and domain URL: This read-only field combines the host and domain names to display the fully qualified domain name (FQDN) for the database. The maximum length is 63 characters.
- Choose a license type: The type of license you want to use for the VM cluster. Your choice affects metering for billing.
- License Included means the cost of the cloud service includes a license for the Database service.
- Bring Your Own License (BYOL) means you are an Oracle Database customer with an Unlimited License Agreement or Non-Unlimited License Agreement and want to use your license with Oracle Cloud Infrastructure. This removes the need for separate on-premises licenses and cloud licenses.
- Diagnostics Collection: By enabling diagnostics collection and notifications, Oracle Cloud Operations and you will be able to identify, investigate, track, and resolve guest VM issues quickly and effectively.
Subscribe to Events to get notified about resource state changes.
Note
You are opting in with the understanding that the above list of events (or metrics, log files) can change in the future. You can opt out of this feature at any time.
- Enable Diagnostic Events: Allow Oracle to collect and publish critical, warning, error, and information events to me.
- Enable Health Monitoring: Allow Oracle to collect health metrics/events such as Oracle Database up/down, disk space usage, and so on, and share them with Oracle Cloud operations. You will also receive notification of some events.
- Enable Incident Logs and Trace Collection: Allow Oracle to collect incident logs and traces to enable fault diagnosis and issue resolution.
All three checkboxes are selected by default. You can leave the default settings as is or clear the checkboxes as needed. You can view the Diagnostic Collection settings on the VM Cluster Details page under General Information >> Diagnostics Collection.
- Enabled: When you choose to collect diagnostics, health metrics, incident logs, and trace files (all three options).
- Disabled: When you choose not to collect diagnostics, health metrics, incident logs, and trace files (all three options).
- Partially Enabled: When you choose to collect diagnostics, health metrics, incident logs, and trace files (one or two options).
- Click Show Advanced Options to specify advanced options for the VM cluster:
- Time zone: This option is located in the Management tab. The default time zone for the VM cluster is UTC, but you can specify a different time zone. The time zone options are those supported in both the java.util.TimeZone class and the Oracle Linux operating system.
Note
If you want to set a time zone other than UTC or the browser-detected time zone, and if you do not see the time zone you want, try selecting the Select another time zone option, then selecting "Miscellaneous" in the Region or country list and searching the additional Time zone selections.
- SCAN Listener Port: This option is located in the Network tab. You can assign a SCAN listener port (TCP/IP) in the range between 1024 and 8999. The default is 1521.
Note
Manually changing the SCAN listener port of a VM cluster after provisioning using the backend software is not supported. This change can cause Data Guard provisioning to fail.
- Zero Trust Packet Routing (ZPR): This option is located in the Security attributes tab. Select a namespace, and provide the key and value for the security attribute. To complete this step during configuration, you must already have set up security attributes with Oracle Cloud Infrastructure Zero Trust Packet Routing. You can also add security attributes after configuration. For more information about adding Oracle Exadata Database Service on Dedicated Infrastructure specific policies, see Policy Template Builder.
- Cloud Automation Update: Oracle periodically applies updates to the database tools and agent software necessary for cloud tooling and automation. You can configure your preferred time window for these updates to be applied to your VM Cluster.
Set the start time for cloud automation updates.
Note
Oracle will check for the latest VM Cloud Automation updates every day within the configured time window and apply updates when applicable. If automation is unable to start applying updates within the configured time window due to an underlying long-running process, Oracle will automatically check again the following day during the configured time window.
Enable early access for cloud tools update: VM clusters designated for early access receive updates 1-2 weeks before they are available to other systems. Check this check box if you want early adoption for this VM cluster.
Cloud Automation Update Freeze Period: Oracle periodically applies updates to the database tools and agent software necessary for cloud tooling and automation. Enable a freeze period to define a time window during which Oracle automation will not apply cloud updates.
Move the slider to set the freeze period.
Note
- The freeze period can extend for a maximum of 45 days from the start date.
- Oracle automation will automatically apply updates with critical security fixes (CVSS >= 9) even during a configured freeze period.
- Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
- Click Create.
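The network and hostname fields in the procedure above carry hard restrictions that only surface as a failed provisioning request. The following script is an added example, not part of the Oracle documentation or tooling: it encodes the rules stated above (the client subnet must not overlap 192.168.16.16/28, neither subnet may overlap 192.168.128.0/20, the hostname prefix must start with a letter, contain only letters, digits and hyphens and be at most 12 characters, the domain name may not contain hyphens, and the FQDN is limited to 63 characters). 100.64.0.0/10 is reported only as a warning, because the note above says it is used by the X8M interconnect without stating a restriction. The sample subnets and names are constructed.

```python
"""Pre-provisioning checks for the Create Exadata VM Cluster form (added example)."""
import ipaddress
import re

# Reserved ranges named in the procedure, per subnet they apply to.
CLIENT_RESERVED = [
    ("192.168.16.16/28", "Oracle Clusterware private interconnect"),
    ("192.168.128.0/20", "reserved for the VM cluster"),
]
BACKUP_RESERVED = [("192.168.128.0/20", "reserved for the VM cluster")]
# Advisory only: the page states this range is used by the X8M interconnect.
ADVISORY = [("100.64.0.0/10", "used by the Exadata X8M interconnect")]

HOST_PREFIX_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
MAX_PREFIX_LEN = 12
MAX_FQDN_LEN = 63


def _overlaps(candidate, reserved, label):
    """Return one message per reserved range that `candidate` overlaps."""
    try:
        net = ipaddress.ip_network(candidate, strict=False)
    except ValueError:
        return [f"{label} subnet {candidate!r} is not a valid CIDR"]
    return [f"{label} subnet {candidate} overlaps {cidr} ({why})"
            for cidr, why in reserved if net.overlaps(ipaddress.ip_network(cidr))]


def check_subnets(client_cidr, backup_cidr):
    """Errors for the client and backup subnets against the documented reserved ranges."""
    return (_overlaps(client_cidr, CLIENT_RESERVED, "client")
            + _overlaps(backup_cidr, BACKUP_RESERVED, "backup"))


def subnet_warnings(client_cidr, backup_cidr):
    """Advisory overlaps that are not a documented hard restriction."""
    return (_overlaps(client_cidr, ADVISORY, "client")
            + _overlaps(backup_cidr, ADVISORY, "backup"))


def check_hostname(prefix, domain):
    """Errors for the Hostname prefix and Host domain name fields."""
    problems = []
    if len(prefix) > MAX_PREFIX_LEN:
        problems.append(f"hostname prefix {prefix!r} is longer than {MAX_PREFIX_LEN} characters")
    if not HOST_PREFIX_RE.match(prefix):
        problems.append(f"hostname prefix {prefix!r} must start with a letter and contain "
                        "only letters, digits and hyphens")
    if "-" in domain:
        problems.append(f"host domain name {domain!r} must not contain hyphens")
    fqdn = f"{prefix}.{domain}"
    if len(fqdn) > MAX_FQDN_LEN:
        problems.append(f"FQDN {fqdn!r} is longer than {MAX_FQDN_LEN} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one valid set, one that violates each rule.
    for client, backup, prefix, domain in [
        ("10.0.1.0/24", "10.0.2.0/24", "exadb", "example.com"),
        ("192.168.16.0/24", "192.168.130.0/24", "1exadb-toolong", "ex-ample.com"),
    ]:
        errors = check_subnets(client, backup) + check_hostname(prefix, domain)
        print(f"{client} / {backup} / {prefix}.{domain}: {'OK' if not errors else 'REJECT'}")
        for msg in errors:
            print("  error:", msg)
        for msg in subnet_warnings(client, backup):
            print("  warning:", msg)
```

Run it before filling in the form; a non-empty error list means the console will reject the request or, in the subnet case, provision a cluster whose private interconnect malfunctions.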
WHAT NEXT?
- You can view the VM Cluster Details page by clicking the name of the VM cluster in the list of clusters. From the VM Cluster Details page, you can create your first database in the cluster by clicking Create Database.
- The SCAN IP address (IPv4) and SCAN IP address (IPv6) fields in the Network section on the VM Cluster Details page display the dual stack IP address details.
- The Cloud Automation Update field in the Version section on the VM Cluster Details page displays the freeze period you have set.
Related Topics
- Network Security Groups
- Network Setup for Exadata Cloud Infrastructure Instances
- Security Lists
- Configure Private DNS
- Resource Tags
- To create a database in an existing VM Cluster
- Oracle Cloud Infrastructure Zero Trust Packet Routing
- Getting Started with Events
- Overview of Database Service Events
- Overview of Automatic Diagnostic Collection
Verify the Default Identity Connector Attached to the VM Cluster
To view the details of an identity connector attached to a VM cluster, use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
- Click the name of the VM cluster of your choice.
- On the resulting VM Cluster Details page, in the Multicloud Information section, confirm that the Identity connector field displays the identity connector attached to this VM cluster.
- Click the name of the Identity Connector to view its details.
You will be redirected to the Database Multicloud Integrations portal.
Create a Key Ring in Google Cloud Console
To create a key ring, use this procedure.
- Open the Google Cloud Console and navigate to the Key Management page.
- Click Create key ring.
- Provide the following details:
- Name: Enter a descriptive name for the key ring.
- Location: Select a location for your key ring.
Important:
- Key rings with the same name can exist in different locations, so you must always specify the location.
- Choose a location close to the resources you want to protect.
- For Customer Managed Encryption Keys, ensure the key ring is in the same location as the resources that will use it.
Choosing a location for your Key Ring:
When creating a key ring in Google Cloud Key Management Service (KMS), selecting the right location is crucial. Your choice affects where your cryptographic keys are stored and how they're replicated. For more information, see Cloud KMS locations.
- Region:
- Data is stored in a specific geographic region.
- Keys remain within the boundaries of this single region.
- Ideal for:
- Low-latency applications
- Compliance with data residency requirements
- Region-specific workloads
- Multi-region:
- Data is replicated across multiple regions within a larger geographical area.
- Google manages distribution and replication automatically.
- You cannot select individual data centers or regions.
- Ideal for:
- High availability
- Resilient, fault-tolerant applications
- Services serving a wide regional area
- Global:
- A special type of multi-region.
- Keys are distributed across Google data centers worldwide.
- Location selection and control are not available.
- Ideal for:
- Applications with global users
- Use cases needing maximum redundancy and reach
- Click Create.
Once the key ring is created, you can begin creating and managing encryption keys within it.
Create a Key in Google Cloud Console
To create a raw symmetric encryption key in the specified key ring and location, use this procedure.
- Open the Google Cloud Console and navigate to the Key Management page.
- Click the name of the key ring where you want to create the key.
- Click Create key.
- Provide the following details:
- Key name: Enter a descriptive name for your key.
- Protection level: Choose Software or HSM (Hardware Security Module).
The protection level of a key can't be changed after the key is created. For more information, see Protection levels.
- Key material: Select Generate key or Import key.
Generate key material in Cloud KMS or import key material that is maintained outside of Google Cloud. For more information, see Customer-managed encryption keys (CMEK).
- Purpose and Algorithm:
For more information, see Key purposes and algorithms.
- Set Purpose to Raw encryption/decryption.
- For Algorithm, select AES-256-CBC.
- Click Create.
After creation, you can use this key for cryptographic operations that require AES-CBC encryption and decryption. This integration expects a raw AES-256-CBC key; a key created with the default symmetric encrypt/decrypt purpose does not match the settings above.
Grant Permissions in Google Cloud KMS for Key Discovery by Oracle Cloud Infrastructure (OCI)
To allow a key to be discoverable in Oracle Cloud Infrastructure (OCI), use this procedure.
- In Google Cloud KMS, select the key you want to make discoverable.
- Navigate to the Permissions tab and click Add principal.
- In the New principals field, enter the service account associated with your Workload Resource Service Agent.
Note
You can find this service account on the Identity Connector details page, under the GCP Information section. Look for the Workload resource service agent and note its ID — this is the required service account.
- Under Assign roles, assign a role that carries the permissions listed below.
Note
Rather than a broad predefined role, create a custom role with the following minimum permissions and grant it to the service agent on the key ring of your choice (or on the individual key selected in step 1; a binding on the key ring applies to every key in it).
These permissions together allow OCI to:
- Discover KMS resources like key rings and keys.
- Access metadata about keys and their versions.
- Use the keys for cryptographic operations (encryption/decryption).
- Create key versions.
Minimum required permissions:
- cloudkms.cryptoKeyVersions.get: Allows retrieval of metadata for a specific key version.
- cloudkms.cryptoKeyVersions.manageRawAesCbcKeys: Enables management of raw AES-CBC key material (import, rotation, and so on).
- cloudkms.cryptoKeyVersions.create: Allows creation of new key versions within a key.
- cloudkms.cryptoKeyVersions.list: Lists all versions of a given key.
- cloudkms.cryptoKeyVersions.useToDecrypt: Grants permission to use a key version for decrypting data.
- cloudkms.cryptoKeyVersions.useToEncrypt: Grants permission to use a key version for encrypting data.
- cloudkms.cryptoKeys.get: Allows retrieval of metadata for a key.
- cloudkms.cryptoKeys.list: Lists all keys within a key ring.
- cloudkms.keyRings.get: Allows retrieval of metadata for a key ring.
- cloudkms.locations.get: Retrieves information about supported key locations.
- Click Save to apply the changes.
- Click Refresh to confirm that the updated permissions have taken effect.
Register GCP Key Ring in Oracle Cloud Infrastructure (OCI)
To enable Google Cloud Customer Managed Encryption Keys (CMEK) for your VM cluster, you must first register the GCP Key Ring in OCI.
Before proceeding, ensure that the permissions outlined in Grant Permissions in Google Cloud KMS for Key Discovery by Oracle Cloud Infrastructure (OCI) have been granted.
- In the Database Multicloud Integrations portal, navigate to: Google Cloud Integration > GCP Key Rings.
- Click GCP Key Ring.
- Click Register GCP key rings.
- On the resulting Register GCP key rings page, provide the following details:
- Compartment: Select the compartment where the VM cluster resides.
- Identity Connector: Choose the Identity Connector attached to the VM cluster.
- Key Ring: Enter the name of the GCP key ring to register.
To discover all available key rings through a single identity connector, grant the following permissions to that identity connector's service agent. Assign them at the appropriate project or folder level so that the connector can enumerate key rings across the intended scope:
- cloudkms.keyRings.list: Allows listing the key rings in a project or location.
- cloudkms.locations.get: Allows retrieving metadata for a Cloud KMS location.
- Click Discover to verify if the key ring exists in GCP.
If successful, the key ring’s details will be displayed.
Note
Only key rings can be registered — not individual keys. All supported keys associated with a registered key ring will be available, provided the required permissions are in place.
- Click Register.
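The two permission lists above (key use on the key ring, key-ring discovery at project or folder level) are what the identity connector's service account needs and nothing more. The following added example, which is not Oracle's or Google's code, builds the corresponding custom-role definitions in the JSON shape accepted by `gcloud iam roles create --file` and audits a constructed IAM policy export (the shape returned by `gcloud kms keyrings get-iam-policy --format=json`) for roles the connector holds beyond the expected one; the project id, service-account e-mail and role ids are placeholders.

```python
import json

# Key-use permissions from the page: granted on the key ring that holds the TDE MEKs.
KEY_USE_PERMISSIONS = [
    "cloudkms.cryptoKeyVersions.manageRawAesCbcKeys",
    "cloudkms.cryptoKeyVersions.create",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.locations.get",
]
# Discovery permissions from the page: granted at the project or folder level.
DISCOVERY_PERMISSIONS = ["cloudkms.keyRings.list", "cloudkms.locations.get"]


def custom_role(role_id, title, permissions):
    """Role body for `gcloud iam roles create ROLE_ID --project=P --file=role.json`."""
    return {"title": title, "description": f"Custom role {role_id} for the OCI identity connector",
            "stage": "GA", "includedPermissions": sorted(set(permissions))}


def audit_bindings(policy, member, allowed_roles):
    """Return the roles `member` holds in an IAM policy that are not in `allowed_roles`.

    Any result is a grant wider than the page's permission lists require and should
    be reviewed (a predefined role such as roles/cloudkms.admin is a typical find).
    """
    held = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return sorted(held - set(allowed_roles))


# Constructed sample: placeholder connector service account and a policy export to audit.
CONNECTOR_SA = "serviceAccount:oci-connector@example-project.iam.gserviceaccount.com"
KEY_USE_ROLE = "projects/example-project/roles/ociExadataKeyUse"
SAMPLE_POLICY = {
    "bindings": [
        {"role": KEY_USE_ROLE, "members": [CONNECTOR_SA]},
        {"role": "roles/cloudkms.admin", "members": [CONNECTOR_SA, "user:dba@example.com"]},
    ],
    "etag": "BwX-constructed",
}

if __name__ == "__main__":
    print(json.dumps(custom_role("ociExadataKeyUse", "OCI Exadata key use", KEY_USE_PERMISSIONS), indent=2))
    print(json.dumps(custom_role("ociKeyRingDiscovery", "OCI key ring discovery", DISCOVERY_PERMISSIONS), indent=2))
    print("unexpected roles on connector:", audit_bindings(SAMPLE_POLICY, CONNECTOR_SA, [KEY_USE_ROLE]))
```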
Enable or Disable Google Cloud Key Management
To enable GCP CMEK for your Exadata VM Cluster, use this procedure.
When you provision an Exadata VM Cluster, GCP CMEK is disabled by default.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
- Select the name of the VM cluster you want to configure.
- On the VM Cluster Details page, scroll to the Multicloud Information section and click Enable next to GCP CMEK.
- To disable GCP CMEK, click Disable.
Create a Database and Use GCP Customer-Managed Encryption Key (CMEK) as the Key Management Solution
This topic describes only the steps for creating a database that uses a GCP Customer Managed Encryption Key (CMEK) as its key management solution.
For the generic database creation procedure, see To create a database in an existing VM Cluster.
Prerequisites
- Enable Google Cloud Key Management at the VM cluster level.
- Register the GCP key rings in OCI.
Steps
If Google Cloud Key Management is enabled at the VM cluster level, you have two key management options: Oracle Wallet and GCP Customer Managed Encryption Key.
- In the Encryption section, choose GCP Customer Managed Encryption Key.
- Select a registered key ring available in your compartment.
Note
- Only registered key rings are listed.
- If your desired key ring is not visible, it may not have been registered yet. Click Register Key Rings to discover and register it. For detailed instructions, refer to Register GCP Key Ring in Oracle Cloud Infrastructure (OCI).
- Select the key within the selected key ring in your compartment.
Change the Key Management from Oracle Wallet to GCP Customer Managed Encryption Key (CMEK)
To change encryption keys between different encryption methods, use this procedure.
- You cannot migrate from GCP Customer Managed Encryption Key to Oracle Wallet.
- Your database will experience a brief downtime while the key management configuration is being updated.
- Navigate to your database details page in the OCI console.
- In the Encryption section, verify that Key management is set to Oracle Wallet, and then click the Change link.
- Enter the following information on the Change key management page.
- Select your Key management as GCP Customer Managed Encryption Key from the drop-down list.
- Select the compartment you are using, and then choose the Key Ring available in that compartment.
- Next, select the Key compartment you are using, and then choose the desired Key from the drop-down list.
- Click Save changes.
Rotate the GCP Customer Managed Encryption Key of a Container Database (CDB)
To rotate the GCP Customer Managed Encryption Key of a container database (CDB), use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
A list of VM Clusters is displayed for the chosen Compartment.
- In the list of VM Clusters, click the name of the VM cluster that contains the database whose encryption keys you want to rotate.
- Click Databases.
- Click the name of the database whose encryption keys you want to rotate.
The Database Details page displays information about the selected database.
- In the Encryption section, verify that the Key Management is set to GCP Customer Managed Encryption Key, and then click the Rotate link.
- On the resulting Rotate Key dialog, click Rotate to confirm the action.
Rotate the GCP Customer Managed Encryption Key of a Pluggable Database (PDB)
To rotate the GCP Customer Managed Encryption Key of a pluggable database (PDB), use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
A list of VM Clusters is displayed for the chosen Compartment.
- In the list of VM clusters, click the name of the VM cluster that contains the PDB whose encryption keys you want to rotate to display its details page.
- Under Databases, find the database that contains that PDB.
- Click the name of the database to view the Database Details page.
- Click Pluggable Databases in the Resources section of the page.
A list of existing PDBs in this database is displayed.
- Click the name of the PDB whose encryption keys you want to rotate.
The Pluggable Database Details page is displayed.
- In the Encryption section, verify that Key management is set to GCP Customer Managed Encryption Key.
- Click the Rotate link.
- On the resulting Rotate Key dialog, click Rotate to confirm the action.
Using the API to Manage GCP KMS Integration for Exadata Database Service on Oracle Database@Google Cloud
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
The following resources will be made available to customers through OCI SDK, CLI, and Terraform. These APIs will be used by customers who wish to integrate Oracle Database on Exadata with Google Cloud Services.
Table 5-11 OracleDbGcpIdentityConnectors
API | Description |
---|---|
ListOracleDbGcpIdentityConnectors | Lists all GCP Identity Connector resources based on the specified filters. |
GetOracleDbGcpIdentityConnector | Retrieves detailed information about a specific GCP Identity Connector resource. |
CreateOracleDbGcpIdentityConnector | Creates a new GCP Identity Connector resource for the specified ExaDB-D VM Cluster. |
UpdateOracleDbGcpIdentityConnector | Updates the configuration details of an existing GCP Identity Connector resource. |
ChangeOracleDbGcpIdentityConnectorCompartment | Moves the GCP Identity Connector resource to a different compartment. |
DeleteOracleDbGcpIdentityConnector | Deletes the specified GCP Identity Connector resource. |
Table 5-12 OracleDbGcpKeyRings
API | Description |
---|---|
ListOracleDbGcpKeyRings | Lists all GCP Key Ring resources based on the specified filters. |
CreateOracleDbGcpKeyRing | Creates a new GCP Key Ring resource. |
ChangeOracleDbGcpKeyRingCompartment | Moves the GCP Key Ring resource to a different compartment. |
RefreshOracleDbGcpKeyRing | Refreshes the details of a GCP Key Ring resource. |
GetOracleDbGcpKeyRing | Retrieves detailed information about a specific GCP Key Ring resource. |
UpdateOracleDbGcpKeyRing | Updates the configuration details of an existing GCP Key Ring resource. |
DeleteOracleDbGcpKeyRing | Deletes the specified GCP Key Ring resource. |
Table 5-13 OracleDbGcpKeys
API | Description |
---|---|
ListOracleDbGcpKeys | Lists all GCP Key resources based on the specified filters. |
GetOracleDbGcpKey | Retrieves detailed information about a specific GCP Key resource. |