You can switch from Oracle-managed keys to customer-managed keys on existing databases. However, switching from customer-managed keys to Oracle-managed keys is not supported.

When a key is changed for a container database, it is also automatically applied to a pluggable database. The key of a pluggable database cannot be changed independently. The pluggable database will always use the same key as that of the container database, but they can use the same or a different key version.

When switching to customer-managed keys, the container database and all its pluggable databases must be open, and all tablespaces must be in read/write mode.

Procedure

Perform the following steps to change key management for a database in a DB system using the OCI Console:

1. On the DB Systems list page, select the DB system that contains the database that you want to work with. If you need help finding the list page or the DB system, see List the DB Systems.
2. On the Databases tab, select the database that you want to work with.
3. On the database details page, from the Actions menu, select Manage encryption key.
4. In the Manage encryption key panel, enter the following values:
   • Select Change Key Management Type.
   • Select a compartment where the key is located from the list.
   • Select a Vault from the list.
   • Select a Master encryption key from the list.
   • Optionally, to specify a key version other than the latest version of the selected key, switch on the Choose the key version toggle and enter the OCID of the key you want to use in the Key version OCID field.

     Note:

     If you do not choose a version, the latest version of the key is used.
   • Enter the TDE wallet password to access the current Oracle-managed key.
   • Select Update.