Rotate Encryption Key for a Pluggable Database
This article provides the details and procedure to rotate the encryption key for a pluggable database.
The rotate encryption key operation generates a new key version for the same key.
You can perform any number of key rotations. Periodically rotating keys limits the amount of data encrypted or signed by one key version. The history of retired keys is also maintained, which enables you to rotate the key and still be able to decrypt data that was encrypted by an earlier key.
Key rotation at the container database level and at the pluggable database level works independently. Rotating the key of a container database does not rotate the keys of its pluggable databases. Similarly, rotating the key of one pluggable database does not rotate the keys of other pluggable databases or of its container database.
To ensure you are using the latest version, rotate keys from the database details page on the OCI Console instead of the Vault service's Console page.
Note:
Rotating the encryption keys is not available for the databases that use Oracle-managed encryption.
Procedure
Perform the following steps to rotate the encryption key for a pluggable database in a DB system using the OCI Console:
- From the navigation menu, select Oracle Database, and then select Oracle Base Database Service.
- Select your Compartment. A list of DB systems is displayed.
- On the DB systems list page, select the DB system that contains the pluggable database that you want to manage. The DB system details page is displayed.
- On the DB system details page, select the database that contains the pluggable database that you want to manage. The database details page is displayed.
- On the database details page, under Resources, select Pluggable Databases, and then select the pluggable database that you want to manage. The pluggable database details page is displayed.
- On the pluggable database details page, from the More actions menu, select Manage encryption key.
- Select Rotate Encryption Key.
- Select Update.
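
The key-version behavior described in the overview (a rotation adds a version, retired versions stay usable for decryption, and each container's key rotates independently) can be modeled in a few lines. This is an added illustration, not Oracle code: the `VersionedKey` class, the container names `CDB1`, `PDB1`, `PDB2`, and the SHAKE-256 stand-in cipher are assumptions made for the model and do not reflect how the service stores keys or encrypts data.

```python
import hashlib
import hmac
import secrets


class VersionedKey:
    """Model of one encryption key whose rotations add versions (not Oracle code)."""

    def __init__(self):
        self.versions = []   # retired versions are kept, never deleted
        self.rotate()        # version 1

    @property
    def current(self):
        return len(self.versions)

    def rotate(self):
        self.versions.append(secrets.token_bytes(32))

    def _stream(self, version, nonce, n):
        # Stand-in keystream for the model; NOT the cipher the service uses.
        return hashlib.shake_256(self.versions[version - 1] + nonce).digest(n)

    def encrypt(self, data):
        v, nonce = self.current, secrets.token_bytes(16)
        body = bytes(a ^ b for a, b in zip(data, self._stream(v, nonce, len(data))))
        tag = hmac.new(self.versions[v - 1], nonce + body, hashlib.sha256).digest()
        return v, nonce, body, tag   # the key version travels with the data

    def decrypt(self, blob):
        v, nonce, body, tag = blob
        want = hmac.new(self.versions[v - 1], nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise ValueError("blob does not match key version %d" % v)
        return bytes(a ^ b for a, b in zip(body, self._stream(v, nonce, len(body))))


def demo():
    # Constructed containers: each container has its own independent key.
    keys = {name: VersionedKey() for name in ("CDB1", "PDB1", "PDB2")}
    old = keys["PDB1"].encrypt(b"written before rotation")
    keys["CDB1"].rotate()    # rotating the CDB key leaves both PDB keys alone
    keys["PDB1"].rotate()    # rotating PDB1 leaves CDB1 and PDB2 alone
    new = keys["PDB1"].encrypt(b"written after rotation")
    return {
        "versions": {name: k.current for name, k in keys.items()},
        "blob_versions": (old[0], new[0]),
        "old_plaintext": keys["PDB1"].decrypt(old),
    }


if __name__ == "__main__":
    print(demo())
```

In the model, `PDB2` stays on version 1 after both rotations, and the blob written under `PDB1` version 1 still decrypts because the retired version remains in the key's history.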