Rotate Encryption Key for a Database
This article provides the details and procedure to rotate the encryption key for a database.
The rotate encryption key operation generates a new key version for the same key.
You can perform any number of key rotations. Periodically rotating keys limits the amount of data encrypted or signed by one key version. The history of retired keys is also maintained, which enables you to rotate the key and still be able to decrypt data that was encrypted by an earlier key.
Key rotation at the container database and pluggable database levels works independently. Rotating the key on a container database does not rotate keys in the pluggable databases. Similarly, rotating keys in one pluggable database does not rotate keys in other pluggable databases or in its container database.
To ensure you are using the latest version, rotate keys from the database details page on the OCI Console instead of the Vault service's Console page.
Note:
Rotating the encryption keys is not available for the databases that use Oracle-managed encryption.
Procedure
Perform the following steps to rotate the encryption key for a database in a DB system using the OCI Console:
- On the DB Systems list page, select the DB system that contains the database that you want to work with. If you need help finding the list page or the DB system, see List the DB Systems.
- On the Databases tab, select the database that you want to work with.
- On the database details page, from the Actions menu, select Manage encryption key.
- In the Manage encryption key panel, enter the following values:
  - Select Rotate Encryption Key.
- Select Update.
 