🔒 Oracle Autonomous Database Serverless: Now Supports Customer-Managed Keys for Refreshable Clones
Oracle continues to expand its enterprise-grade security and data sovereignty features in the cloud. As of July 2025, Autonomous Database Serverless now supports customer-managed keys (CMKs) when creating refreshable clones—offering customers greater control over encryption and compliance.
What’s new?
Traditionally, refreshable clones in Autonomous Database Serverless were encrypted using Oracle-managed keys (OMK). With the new enhancement:
✅ You can now create a refreshable clone of a database that is encrypted with a customer-managed key stored in Oracle Cloud Infrastructure (OCI) Vault.
✅ The clone will use the same CMK as the source database, ensuring consistent encryption policies across both environments.
This update adds an important capability for customers who rely on refreshable clones for reporting, dev/test, disaster recovery, or data warehousing workflows.
Why this matters
Many enterprises operate under strict compliance mandates that require:
- Full control over data encryption keys.
- The ability to rotate, disable, or revoke keys based on business or regulatory needs.
- Clear separation of duties between infrastructure providers and data owners.
By extending CMK support to refreshable clones, Oracle helps businesses:
- Maintain end-to-end encryption control across production and cloned databases.
- Align with data security best practices and frameworks.
- Reduce risk and simplify audits by demonstrating customer ownership of encryption keys.
How it works
Here’s a quick summary of how customer-managed keys integrate into refreshable clones:
- When a source Autonomous Database uses a CMK from OCI Vault, its refreshable clone inherits and uses the same CMK.
- The clone will remain encrypted with this key during initial creation and subsequent refresh operations.
- Customers manage the lifecycle of the CMK (e.g., rotate, disable, or revoke) directly in OCI Vault, which immediately affects the database and its clones.
This design gives you operational flexibility while ensuring security policies remain enforced consistently.
Key points to note (from Oracle documentation)
- The feature requires the CMK to be in the same tenancy as the database.
- Customers are responsible for ensuring CMKs remain enabled and properly rotated.
- Disabling or revoking a CMK may impact database availability, so it should be carefully planned and monitored.
For full guidance, see Oracle’s detailed documentation on managing encryption keys:
👉 Customer-managed keys in Autonomous Database
Final thoughts
This enhancement underlines Oracle’s commitment to:
✅ Strengthening cloud security.
✅ Supporting enterprise compliance needs.
✅ Providing advanced encryption management options—even in operational scenarios like refreshable clones.
As cloud security and data sovereignty remain top priorities for modern enterprises, customer-managed encryption is not just a feature—it’s a foundation for trust.