Generating a Data Encryption Key from a Master Key

Generate a data encryption key from a Vault master encryption key using the CLI or the API.

  • This task is not available in the OCI Console.

  Note

    You can only use AES symmetric keys to generate data encryption keys. You cannot generate data encryption keys from RSA and ECDSA asymmetric keys.

  • Open a command prompt and run oci kms crypto generate-data-encryption-key to generate a data encryption key that you can then use to encrypt and decrypt data:

    oci kms crypto generate-data-encryption-key --key-id <key_OCID> --key-shape <key_encryption_information> --include-plaintext-key <Boolean_value> --endpoint <data_plane_url>

    For example:

    oci kms crypto generate-data-encryption-key --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --key-shape file://path/to/json/file --include-plaintext-key true --endpoint https://exampleaaacu3-crypto.kms.us-ashburn-1.oraclecloud.com

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

  • Run the GenerateDataEncryptionKey operation against the KMSCRYPTO endpoint to generate a data encryption key.

    Note

    Each region uses the KMSCRYPTO endpoint for encryption and decryption operations. This endpoint is referred to as the control plane URL or KMSCRYPTO endpoint. For the regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
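The CLI flow above, worked through as an added example in Python (not OCI's own code): it builds the key-shape JSON for --key-shape, checks the returned key, and keeps only the wrapped DEK for storage. The field names of the CLI output and the byte unit of the key length are assumptions, and the sample output is constructed.

```python
# Added example, not OCI's own code: helpers around
# `oci kms crypto generate-data-encryption-key`. Builds the --key-shape JSON,
# parses the CLI's JSON output and keeps only the wrapped DEK for storage.
# Assumed: the CLI puts the GeneratedKey under "data" with fields "ciphertext"
# and "plaintext" (absent when --include-plaintext-key is false); length is bytes.
import base64
import json

AES_LENGTHS = (16, 24, 32)  # AES-128/192/256 key sizes in bytes

def key_shape(length=32, algorithm="AES"):
    """Key shape for the DEK. Only AES keys can generate DEKs (see the note
    above), so RSA/ECDSA shapes are rejected before any call to the endpoint."""
    if algorithm != "AES":
        raise ValueError("only AES keys can generate data encryption keys")
    if length not in AES_LENGTHS:
        raise ValueError(f"AES length must be one of {AES_LENGTHS} bytes")
    return {"algorithm": algorithm, "length": length}

def key_shape_file_contents(length=32):
    """JSON to write to the file given as --key-shape file://path/to/json/file."""
    return json.dumps(key_shape(length))

def parse_generated_key(cli_output, expected_length):
    """Return (plaintext_dek_or_None, envelope). Use the plaintext DEK in memory
    to encrypt data, then discard it; persist only the envelope (wrapped DEK)
    next to the ciphertext. `oci kms crypto decrypt` on the wrapped DEK later
    returns the plaintext again, so the master key never leaves the Vault."""
    data = json.loads(cli_output)["data"]
    envelope = {"wrapped_dek": data["ciphertext"]}
    plaintext_b64 = data.get("plaintext")
    if plaintext_b64 is None:  # generated with --include-plaintext-key false
        return None, envelope
    plaintext = base64.b64decode(plaintext_b64, validate=True)
    if len(plaintext) != expected_length:
        raise ValueError(f"DEK is {len(plaintext)} bytes, expected {expected_length}")
    return plaintext, envelope

# Constructed sample outputs (not real KMS output): a 32-byte plaintext DEK and
# a placeholder for the wrapped key, with and without the plaintext field.
SAMPLE_CLI_OUTPUT = json.dumps({"data": {
    "ciphertext": base64.b64encode(b"placeholder-wrapped-dek").decode(),
    "plaintext": base64.b64encode(bytes(range(32))).decode()}})
SAMPLE_WRAPPED_ONLY = json.dumps({"data": {"ciphertext": "cGxhY2Vob2xkZXI="}})

if __name__ == "__main__":
    dek, envelope = parse_generated_key(SAMPLE_CLI_OUTPUT, 32)
    print(key_shape_file_contents(), envelope)  # the plaintext DEK is never printed
```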