Change Key Management Type for a Database
This article provides the details and procedure to change the key management type for a database.
You can switch from Oracle-managed keys to customer-managed keys on existing databases. However, switching from customer-managed keys to Oracle-managed keys is not supported.
When the key is changed for a container database, the change is automatically applied to its pluggable databases. The key of a pluggable database cannot be changed independently: a pluggable database always uses the same key as its container database, although the two can use the same or a different key version.
When switching to customer-managed keys, the container database and all its pluggable databases must be open, and all tablespaces must be in read/write mode.
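A pre-flight check for this prerequisite, added here as an example and not taken from Oracle's documentation: run from CDB$ROOT, it lists every container or tablespace that would violate the requirement above. It assumes a common user who can query V$DATABASE, V$PDBS, V$CONTAINERS and CDB_TABLESPACES; the column aliases are illustrative.

```sql
-- Added example: pre-flight check before switching to customer-managed keys.
-- Connect to CDB$ROOT as a common user with access to the views below.
-- An empty result means nothing in this check blocks the switch.

-- 1. The container database itself must be open read/write.
SELECT 'CDB not open read/write' AS blocker,
       name                      AS object_name,
       open_mode                 AS state
  FROM v$database
 WHERE open_mode <> 'READ WRITE'

UNION ALL

-- 2. Every pluggable database must be open.
--    Only MOUNTED (closed) PDBs are reported, so PDB$SEED, which is
--    normally open READ ONLY, is not flagged.
SELECT 'PDB not open',
       name,
       open_mode
  FROM v$pdbs
 WHERE open_mode = 'MOUNTED'

UNION ALL

-- 3. Every tablespace must be in read/write mode.
--    CDB_TABLESPACES.STATUS is ONLINE for read/write tablespaces;
--    OFFLINE and READ ONLY are reported as blockers.
--    Tablespaces of closed PDBs are not visible here; check 2 covers those.
SELECT 'Tablespace not read/write',
       c.name || '.' || t.tablespace_name,
       t.status
  FROM cdb_tablespaces t
  JOIN v$containers c
    ON c.con_id = t.con_id
 WHERE t.status <> 'ONLINE';
```

Resolve every returned row (open the PDB, or bring the tablespace online and read/write) before starting the procedure below.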
Procedure
Perform the following steps to change key management for a database in a DB system using the OCI Console:
- From the navigation menu, select Oracle Database, and then select Oracle Base Database Service.
- Select your Compartment. A list of DB systems is displayed.
- On the DB systems list page, select the DB system that contains the database that you want to manage. The DB system details page is displayed.
- On the DB system details page, select the database that you want to manage. The database details page is displayed.
- On the database details page, from the More actions menu, select Manage encryption key.
- Select Change Key Management Type.
- Select a Vault from the list.
- Select a Master encryption key from the list.
- Optionally, to specify a key version other than the latest version of the selected key, switch on the Choose the key version toggle and enter the OCID of the key you want to use in the Key version OCID field.
  Note: If you do not choose a version, the latest version of the key is used.
- Enter the TDE wallet password to access the current Oracle-managed key.
- Select Update.