Dedicated KMS

Overview of Dedicated KMS.

Dedicated Key Management Service (KMS) is a fully managed, highly available, single-tenant Hardware Security Module (HSM) partition service. This service offers you exclusive access control over the dedicated partitions within a physical, tamper-resistant HSM device to ensure your encryption keys are fully protected and isolated.

In Dedicated KMS, you cryptographically own your HSM partitions, with full control over their key generation, storage, and usage. The HSM partitions are FIPS 140-2 Level 3 certified, offering the highest level of security for key management. The service supports the PKCS#11 standard, so you can perform cryptographic operations without the need for any OCI APIs or modules. By default, OCI KMS provides in each HSM cluster in each OCI region, which are automatically synchronized and are highly available with 99.9% SLAs.

Dedicated KMS offers the following capabilities:
  • Gain greater access control by directly managing not only your keys but also HSM partitions and administrative users.
  • Gain heightened control and deeper visibility into cryptographic operations, and customize the HSM environment to your specific needs.
  • Use the PKCS#11 standard to interact with the HSMs directly, bypassing OCI APIs for more streamlined and efficient cryptographic operations.
  • Back up and restore HSM keys and users within and across OCI regions.

Supported OCI Services

Currently, OCI services such as Database, Storage, and Fusion Application are integrated with Vault in OCI Key Management Service. Customer applications must use standard interfaces like PKCS#11 to interact with keys within the Dedicated KMS offering. For example, customers can run PKI applications on OCI Compute instances and create CA private keys within the HSM for signing and verifying identities in the digital world.

Terminologies

Read the following terminology to understand Dedicated KMS.

| Terminology | Description |
| --- | --- |
| HSM Cluster | A cluster is a collection of individual HSM partitions that OCI KMS keeps in sync. |
| HSM Partition (Dedicated) | A single-tenant secure cryptographic enclave within the HSM cluster which is fully isolated for your keys. |
| HSM Users | An HSM user is distinct from an IAM user. Unlike an IAM user, an HSM user uses HSM credentials to access the user management utility and authenticate operations on the HSM, because authentication takes place directly on the HSM. |
| CO | Crypto Officer user who can perform user management operations on the HSM partition. |
| CU | Crypto User who can perform key management and cryptographic operations on the keys in an HSM partition. |
| PKCS #11 | PKCS #11 is a cryptographic interface standard, also known as Cryptoki. It is one of the public key cryptography standards and defines the interface between an application and a cryptographic device. |