Which vaults are used for storing customer-managed encryption keys for Autonomous Database on Dedicated Infrastructure?
Autonomous Database on Dedicated Infrastructure supports customer-managed encryption (CME) keys for enhanced security control. The correct vaults are:
Oracle Key Vault, Oracle Cloud Infrastructure Vault (D):
Oracle Key Vault (OKV): A centralized key management solution designed for Oracle environments, OKV securely stores and manages encryption keys. It integrates with Autonomous Database to provide customer-managed TDE (Transparent Data Encryption) keys, offering features like key rotation and auditing. For example, a DBA might upload a master encryption key to OKV, which the database then uses to encrypt data at rest.
Oracle Cloud Infrastructure Vault (OCI Vault): OCI Vault is a general-purpose secrets management service in OCI, capable of storing encryption keys, passwords, and other sensitive data. It supports storing TDE keys for Autonomous Database, providing a cloud-native option with high availability and scalability. You might store a key in OCI Vault and link it to your database via the OCI console.
The incorrect options are:
Oracle Audit Vault, Oracle Key Vault (A): Oracle Audit Vault is for audit log management and analysis, not key storage. It doesn't support CME for Autonomous Database.
Oracle Cloud Infrastructure Vault, Oracle Database Vault (B): Oracle Database Vault enforces access controls within the database but isn't a key storage vault; it's about privilege management, not key management.
Oracle Database Vault, Oracle Key Vault (C): As above, Database Vault isn't a key storage solution, making this pairing incorrect.
Both OKV and OCI Vault offer robust security for CME, giving customers flexibility based on their infrastructure preferences (on-premises OKV vs. cloud-based OCI Vault).