
Can you provision user MFA programatically in Entra External ID?
July 11, 2025What’s new for Microsoft partners: July 2025 edition
July 11, 2025This blog is co-authored with Pravin Jha, Principal Product Manager, Exadata and Database Cloud Product Management
Many enterprises run mission-critical applications on Oracle Exadata Database Service on Dedicated Infrastructure in Azure. Organizations have relied on Oracle Wallet, OCI Vault, or Oracle Key Vault for storing Master Encryption Keys (MEKs) for TDE. As more enterprises standardize their key management practices around Azure Key Vault, native AKV integration for Oracle Database@Azure has been a priority for our customers.
Today, we are thrilled to announce a major security milestone for customers running Oracle Database@Azure. Oracle Transparent Data Encryption (TDE) keys can now be securely stored and managed using Azure Key Vault (AKV).
This new feature allows customers to standardize key management for their Oracle databases with existing Azure-based governance, monitoring, auditing, and key lifecycle management tools. Organizations enjoy greater control over their data encryption lifecycle and meet their enterprise security and compliance standards.
Why This Matters: Unified Key Management for Enterprise Workloads
Many enterprises standardize their key management in Azure, and this new integration provides a centralized place for customers to manage their keys and secrets. This adds greater flexibility and key ownership for Oracle Database@Azure users.
With this integration, customers can now:
- Store and manage Oracle database MEKs directly in Azure Key Vault (AKV) – Maintain full ownership and control over TDE encryption keys within Azure’s trusted security boundary.
- Seamlessly manage keys via Azure and OCI interfaces.
- Perform key lifecycle operations using the Azure interface—including creation, permission management, policy control and versioning.
- Rotate MEKs via the OCI interface without requiring database restarts.
- Change database key management from Oracle Wallet to Azure Key Vault.
- Eliminate the need for external key management systems, simplifying operations.
Choose the Right Key Management Option for Your Needs
Oracle Database@Azure customers can now choose between AKV Standard, AKV Premium and AKV Managed HSM key management options tailored for different security, compliance, isolation and performance needs.
- AKV Standard: Prototyping, dev/test scenarios (Not for production workloads)
- AKV Premium: Production workloads needing HSM-backed key protection.
- Managed HSM: For highly sensitive, regulatory-heavy workloads needing full isolation and control.
Tip: For production Oracle Database@Azure workloads, AKV Premium or AKV Managed HSM is strongly recommended.
Key use cases
Here is how customers can use this capability:
- Provision New Databases with Azure Key Vault Keys
Choose AKV as your preferred key store directly from the OCI interface during database deployment. - Post-Provisioning Key Management Switch
Migrate existing Oracle Database@Azure workloads from Oracle Wallet to AKV, without impacting database operations. - Non-Disruptive Key Rotation
Rotate MEKs using OCI commands—no downtime, no database restart needed. - Backup and Disaster Recovery Compatibility
AKV-stored keys fully support Oracle backup, restore, and the same region Data Guard operations. - Operational Transparency Across DB Lifecycle Events
Key usage remains consistent across PDB clone, relocate, and remote database management workflows.
Ready to Get Started?
If you are an Oracle Database@Azure customer and want to start using Azure-managed keys, reach out to your Oracle or Azure account team to onboard this capability. Start protecting your Oracle TDE keys with Azure Key Vault immediately and unlock a new level of control, compliance, and operational simplicity.
Unlock the next level of data security—your keys, your control.
Contact your Microsoft or Oracle sales team today!
📎 Learn More