Assigning Master Encryption Keys

Assign master encryption keys to supported resources and remove them when they are not needed anymore.

Instead of using an encryption key that Oracle manages, you can assign master encryption keys that you manage to block or boot volumes, databases, file systems, buckets, and stream pools. Block Volume, Database, File Storage, Object Storage, and Streaming use the keys to decrypt the data encryption keys that protect the data that is stored by each respective service. By default, these services rely on Oracle-managed master encryption keys for cryptographic operations. When you remove a Vault master encryption key assignment from a resource, the service returns to using an Oracle-managed key for cryptography.

You can also assign master encryption keys to clusters that you create using Container Engine for Kubernetes to encrypt Kubernetes secrets at rest in the etcd key-value store.

Assigning keys include the following configurations:

• Creating a Compute Instance with an Encrypted Boot Volume
• Creating a Boot Volume Encrypted with a Vault key
• Creating a Kubernetes Cluster with Encrypted Secrets
• Assigning a Key to an Object Storage Bucket
• Assigning a key to a stream pool
• Assigning a Key to a Boot Volume
• Assigning a key to a file system
• Assigning a Key to a Block Volume
• Editing a Key to a Boot Volume
• Editing a Key to a Block Volume
• Removing a Key Assignment from a Block Volume
• Removing a Key Assignment from a Object Storage

For information about managing the creation and usage of master encryption keys and key versions, see Managing Keys. For information specifically about creating keys with your own key material, see Importing Vault Keys and Key Versions. For information about how you can use keys in cryptographic operations, see Using Master Encryption Keys. For information about what you can do with vaults where you store keys, see Managing Vaults.