Importing Key Material as an External Key

Import key material as a new external key using the Console, CLI, and API interfaces.

  • In the Console:
    1. Open the navigation menu, click Identity & Security, and then click Vault.
    2. Under List Scope, in the Compartment list, click the name of the compartment where you want to create a key.
    3. From the list of vaults in the compartment, do one of the following:
      • Click the name of the vault where you want to import key material for a new key.

      • Create a new vault for the key by following the instructions in To create a new vault, and then click the name of the vault.

    4. Click Master Encryption Keys, and then click Create Key.
    5. In the Create Key dialog box, choose a compartment from the Create in Compartment list. (Keys can exist outside the compartment the vault is in.)
    6. Click Protection Mode, and then click HSM.
      Note

      You cannot import key material for keys protected by software.
    7. Click Name, and then enter a name to identify the key. Avoid entering confidential information.
    8. Click Key Shape: Algorithm, and choose RSA.
    9. Click Key Shape: Length, and then choose the key length, in bits. For RSA keys, the Vault service supports keys that are exactly 2048 bits, 3072 bits, or 4096 bits in length.
    10. Select the Import External Key check box.
    11. Click Wrapping Algorithm, and then choose RSA_OAEP_AES_SHA256 (RSA-OAEP with SHA-256 and a temporary AES key).
    12. Under External Key Data Source, provide the file that contains the wrapped RSA key material.

    13. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
    14. When you are finished, click Create Key.
  • Open a command prompt and run oci kms management key import to import the wrapped RSA key material:
    oci kms management key import --wrapped-import-key <wrapped_key_material> --compartment-id <compartment_id> --display-name <key_name> --endpoint <control_plane_URL> --key-shape <key_encryption_information> --protection-mode <key_protection_mode>
    Note

    protection-mode indicates how the key persists and where cryptographic operations that use the key are performed. A protection mode of HSM means that the key persists on a hardware security module (HSM) and all cryptographic operations are performed inside the HSM. A protection mode of SOFTWARE means that the key persists on the server, protected by the vault's RSA wrapping key which persists on the HSM. All cryptographic operations that use a key with a protection mode of SOFTWARE are performed on the server. By default, a key's protection mode is set to HSM. You can't change a key's protection mode after the key is created or imported.

    For example:

    oci kms management key import --wrapped-import-key file://./wrapped_import_key.json --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name new-external-key --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com --key-shape file://./key_shape.json --protection-mode SOFTWARE

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

  • Run the ImportKey operation to import an asymmetric key as an external key.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
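The wrapping that step 11 (RSA_OAEP_AES_SHA256), the CLI's --wrapped-import-key file and the API's ImportKey operation expect, as an added Python example using the cryptography library (not OCI's own code): the key material is wrapped with a one-time AES-256 key using AES key wrap with padding (RFC 5649), that AES key is wrapped with RSA-OAEP/SHA-256 under the vault's public wrapping key, and the two ciphertexts are concatenated. The exact byte layout, the MGF1 hash and the JSON field names are my assumptions from the algorithm name and the ImportKey API, not stated on this page; both key pairs are constructed locally so the round trip can be checked offline before anything is uploaded.

```python
import base64
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap_with_padding, aes_key_wrap_with_padding
from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, PrivateFormat

# RSA-OAEP with SHA-256 as both the hash and the MGF1 hash (assumed to match the vault).
OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None
)

def wrap_key_material(material: bytes, wrapping_public_key: rsa.RSAPublicKey) -> bytes:
    # Assumed layout: RSA-OAEP ciphertext of a one-time AES-256 key, followed by the
    # AES key wrap with padding (RFC 5649) of the key material under that AES key.
    temp_aes_key = os.urandom(32)
    wrapped_material = aes_key_wrap_with_padding(temp_aes_key, material)
    wrapped_aes_key = wrapping_public_key.encrypt(temp_aes_key, OAEP_SHA256)
    return wrapped_aes_key + wrapped_material

def unwrap_key_material(blob: bytes, wrapping_private_key: rsa.RSAPrivateKey) -> bytes:
    # Mirror of wrap_key_material, to check a blob locally before uploading it;
    # in a real import only the vault's HSM holds the wrapping private key.
    split = wrapping_private_key.key_size // 8  # RSA-OAEP ciphertext length in bytes
    temp_aes_key = wrapping_private_key.decrypt(blob[:split], OAEP_SHA256)
    return aes_key_unwrap_with_padding(temp_aes_key, blob[split:])

def build_wrapped_import_key(blob: bytes) -> dict:
    # JSON body for --wrapped-import-key; field names assumed from the ImportKey API.
    return {
        "keyMaterial": base64.b64encode(blob).decode("ascii"),
        "wrappingAlgorithm": "RSA_OAEP_AES_SHA256",
    }

def pkcs8_der(private_key: rsa.RSAPrivateKey) -> bytes:
    # The key material to import: the RSA private key as unencrypted PKCS#8 DER.
    return private_key.private_bytes(Encoding.DER, PrivateFormat.PKCS8, NoEncryption())

def demo_roundtrip() -> tuple:
    # Constructed stand-in for the vault's 2048-bit wrapping key pair (in practice you
    # download only its public half) and a 2048-bit RSA key to import.
    vault_wrapping_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    material = pkcs8_der(rsa.generate_private_key(public_exponent=65537, key_size=2048))
    blob = wrap_key_material(material, vault_wrapping_key.public_key())
    ok = unwrap_key_material(blob, vault_wrapping_key) == material
    return build_wrapped_import_key(blob), ok, len(blob)
```

Writing the returned dict to wrapped_import_key.json with json.dump gives the file passed as --wrapped-import-key in the CLI example above.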