Signing Data Using Master Encryption Key

Sign data with a Vault master encryption key by using the CLI or the API.

  • This task can't be performed in the OCI Console.

  • Note

    You can only use RSA or ECDSA asymmetric keys to digitally sign data and verify signed data. AES keys do not support the asymmetric vault cryptography required to sign data or to verify signed data.

    Open a command prompt and run oci kms crypto signed-data sign to sign a message:

    oci kms crypto signed-data sign --key-id <key_OCID> --key-version-id <keyversion_OCID> --message <base64_string> --signing-algorithm <key_algorithm> --endpoint <data_plane_url>

    For example:

    
    oci kms crypto signed-data sign --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --key-version-id ocid1.keyversion.region1.sea.example5aacuu.aumjmafauxaaa.abuwcljt2lolvy722lpaefa53mbl2fyrtcvb3desouxwygdhqxgryexample --message VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4= --signing-algorithm SHA_224_RSA_PKCS_PSS --endpoint https://exampleaaacu3-crypto.kms.us-ashburn-1.oraclecloud.com

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

  • Use the Sign operation with the KMSCRYPTO endpoint to sign data with a master encryption key.

    Note

    Each region uses the KMSCRYPTO endpoint for encryption/decryption of keys. This endpoint is referred to as the control plane URL or KMSCRYPTO endpoint. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
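The CLI step above, as an added shell example (not Oracle's code; the helper names are hypothetical): it encodes the exact message bytes into the base64 string that --message expects and checks that the signing algorithm's family matches the key type before printing the command for review. Classifying algorithms by name pattern is an assumption of this example.

```shell
#!/bin/sh
# Added example: prepare and sanity-check the arguments for
# `oci kms crypto signed-data sign`. Helper names are hypothetical.

# Base64-encode the exact bytes of $1. printf '%s' avoids the trailing newline
# that echo would add (it would become part of the signed message), and tr
# removes the line wrapping some base64 tools insert every 76 columns.
encode_message() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Map a signing algorithm name to the key family it requires.
# Assumption of this example: the family is recognisable from the name.
# Prints RSA or ECDSA; returns 1 for anything else.
algorithm_family() {
    case "$1" in
        SHA_*_RSA_*) echo RSA ;;
        ECDSA_SHA_*) echo ECDSA ;;
        *) return 1 ;;
    esac
}

# Print the sign command for review instead of executing it. Refuses when the
# algorithm does not fit the key family (AES keys cannot sign at all).
# Args: key_ocid keyversion_ocid key_family message algorithm endpoint
build_sign_command() {
    family=$(algorithm_family "$5") || { echo "unknown algorithm: $5" >&2; return 1; }
    [ "$family" = "$3" ] || { echo "$5 needs an $family key, not $3" >&2; return 1; }
    printf 'oci kms crypto signed-data sign --key-id %s --key-version-id %s --message %s --signing-algorithm %s --endpoint %s\n' \
        "$1" "$2" "$(encode_message "$4")" "$5" "$6"
}

# Constructed demo input: placeholders stand in for real OCIDs and the endpoint.
if [ "${1:-}" = "demo" ]; then
    build_sign_command '<key_OCID>' '<keyversion_OCID>' RSA \
        'The quick brown fox jumps over the lazy dog.' \
        SHA_224_RSA_PKCS_PSS '<data_plane_url>'
fi
```

Run the script with the argument demo to print the command; the encoded message it produces is the same base64 string used in the CLI example on this page.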