Importing Key Material as an External Key
Import key material as a new external key using the Console, CLI, and API interfaces.
- Open a command prompt and run oci kms management key import to import the wrapped RSA key material:
oci kms management key import --wrapped-import-key <wrapped_key_material> --compartment-id <compartment_id> --display-name <key_name> --endpoint <control_plane_URL> --key-shape <key_encryption_information> --protection-mode <key_protection_mode>
Note
protection-mode indicates how the key persists and where cryptographic operations that use the key are performed. A protection mode of HSM means that the key persists on a hardware security module (HSM) and all cryptographic operations are performed inside the HSM. A protection mode of SOFTWARE means that the key persists on the server, protected by the vault's RSA wrapping key which persists on the HSM. All cryptographic operations that use a key with a protection mode of SOFTWARE are performed on the server. By default, a key's protection mode is set to HSM. You can't change a key's protection mode after the key is created or imported.
For example:
oci kms management key import --wrapped-import-key file://./wrapped_import_key.json --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name new-external-key --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com --key-shape file://./key_shape.json --protection-mode SOFTWARE
For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
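The example command reads the key material and key shape from two JSON files. The following sketch is an added example, not Oracle's code: it validates the parameters before writing those files and assembling the command. The function names are hypothetical, and the JSON field names (keyMaterial, wrappingAlgorithm, algorithm, length), the wrapping-algorithm values and the byte-valued RSA lengths are assumptions that this page does not state.

```python
import base64
import json
from pathlib import Path

PROTECTION_MODES = {"HSM", "SOFTWARE"}  # the two modes described in the note above
# Assumptions (not on this page): accepted wrapping algorithms and RSA lengths in bytes.
WRAPPING_ALGORITHMS = {"RSA_OAEP_SHA256", "RSA_OAEP_AES_SHA256"}
RSA_LENGTHS_BYTES = {256, 384, 512}


def build_import_inputs(wrapped_blob, rsa_length_bytes, protection_mode, out_dir,
                        wrapping_algorithm="RSA_OAEP_AES_SHA256"):
    """Validate the parameters, then write the two JSON files the command reads."""
    # The protection mode cannot be changed after import, so reject typos up front.
    if protection_mode not in PROTECTION_MODES:
        raise ValueError(f"protection mode must be one of {sorted(PROTECTION_MODES)}")
    if wrapping_algorithm not in WRAPPING_ALGORITHMS:
        raise ValueError(f"unknown wrapping algorithm: {wrapping_algorithm}")
    if rsa_length_bytes not in RSA_LENGTHS_BYTES:
        raise ValueError(f"RSA length must be one of {sorted(RSA_LENGTHS_BYTES)} bytes")
    if not wrapped_blob:
        raise ValueError("wrapped key material is empty")
    out = Path(out_dir)
    wrapped_path = out / "wrapped_import_key.json"
    shape_path = out / "key_shape.json"
    wrapped_path.write_text(json.dumps({
        "keyMaterial": base64.b64encode(wrapped_blob).decode("ascii"),
        "wrappingAlgorithm": wrapping_algorithm,
    }))
    shape_path.write_text(json.dumps({"algorithm": "RSA", "length": rsa_length_bytes}))
    return wrapped_path, shape_path


def import_command(wrapped_path, shape_path, compartment_id, display_name,
                   endpoint, protection_mode):
    """Return the argv for the import command shown above; nothing is executed."""
    return ["oci", "kms", "management", "key", "import",
            "--wrapped-import-key", f"file://{wrapped_path}",
            "--compartment-id", compartment_id,
            "--display-name", display_name,
            "--endpoint", endpoint,
            "--key-shape", f"file://{shape_path}",
            "--protection-mode", protection_mode]


if __name__ == "__main__":
    blob = bytes(range(16))  # constructed placeholder, not real wrapped key material
    w, s = build_import_inputs(blob, 256, "SOFTWARE", ".")
    print(" ".join(import_command(w, s, "<compartment_id>", "new-external-key",
                                  "<control_plane_URL>", "SOFTWARE")))
```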
Run the ImportKey operation to import an asymmetric key as an external key.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.