Importing Key Material as an External Key

This section describes how to import key material as a new external key by using the Console, the CLI, or the API.

    1. Open the navigation menu, click Identity & Security, and then click Vault.
    2. Under List Scope, in the Compartment list, click the name of the compartment where you want to create a key.
    3. From the list of vaults in the compartment, do one of the following:
      • Click the name of the vault where you want to import key material for a new key.

      • Create a new vault for the key by following the instructions in To create a new vault, and then click the name of the vault.

    4. Click Master Encryption Keys, and then click Create Key.
    5. In the Create Key dialog box, choose a compartment from the Create in Compartment list. (Keys can exist outside the compartment the vault is in.)
    6. Click Protection Mode, and then click HSM.
    7. Click Name, and then enter a name to identify the key. Avoid entering confidential information.
    8. Click Key Shape: Algorithm, and choose AES.
    9. Click Key Shape: Length, and then choose the key length, in bits. For AES keys, the Vault service supports keys that are exactly 128 bits, 192 bits, or 256 bits in length.
    10. Select the Import External Key check box.
    11. Click Wrapping Algorithm, and then choose one of the following:
      • RSA_OAEP_SHA256
      • RSA_OAEP_AES_SHA256
    12. Under External Key Data Source, provide the file that contains the wrapped AES key material.

    13. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
    14. When you are finished, click Create Key.
  • Open a command prompt and run oci kms management key import to import the AES key material wrapped with the public RSA wrapping key associated with the vault:

    oci kms management key import --wrapped-import-key <wrapped_key_material> --compartment-id <compartment_id> --display-name <key_name> --endpoint <control_plane_URL> --key-shape <key_encryption_information> --protection-mode <key_protection_mode>
    Note

    protection-mode indicates how the key persists and where cryptographic operations that use the key are performed. A protection mode of HSM means that the key persists on a hardware security module (HSM) and all cryptographic operations are performed inside the HSM. A protection mode of SOFTWARE means that the key persists on the server, protected by the vault's RSA wrapping key which persists on the HSM. All cryptographic operations that use a key with a protection mode of SOFTWARE are performed on the server. By default, a key's protection mode is set to HSM. You can't change a key's protection mode after the key is created or imported.

    For example:

    oci kms management key import --wrapped-import-key file://./wrapped_import_key.json --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name new-external-key --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com --key-shape file://./key_shape.json --protection-mode HSM

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

  • Run the ImportKey operation to import the key material as an external key.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
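All three methods (Console steps 11 and 12, the --wrapped-import-key file for the CLI, and the ImportKey request) expect key material that has already been wrapped with the vault's public RSA wrapping key, and that wrapping step happens on your side. The Go program below is an added example, not Oracle's code or a copy of anything on this page, showing how the two listed wrapping algorithms produce the wrapped blob. It assumes a locally generated RSA key pair as a stand-in for the vault's public wrapping key (in practice you download only the public half), assumes that RSA_OAEP_AES_SHA256 means "wrap a fresh temporary AES key with RSA-OAEP-SHA256, wrap the key material under that temporary key with RFC 5649 AES key wrap with padding, and concatenate the two ciphertexts", and does not build the JSON file the CLI expects, since that file's layout is not described here.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwpAIV is the RFC 5649 alternative initial value prefix.
const kwpAIV = 0xA65959A6

// validateAESLength enforces the key lengths the page lists for AES keys.
func validateAESLength(keyMaterial []byte) error {
	switch len(keyMaterial) {
	case 16, 24, 32:
		return nil
	}
	return fmt.Errorf("AES key material must be 128, 192 or 256 bits, got %d bits", len(keyMaterial)*8)
}

// aesKeyWrapWithPadding wraps keyMaterial under kek using AES Key Wrap with
// Padding (RFC 5649), wrap direction only. The 8-byte value A = AIV || length
// travels with the ciphertext so the unwrapping side can detect corruption and
// strip the zero padding exactly.
func aesKeyWrapWithPadding(kek, keyMaterial []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	mli := len(keyMaterial)
	if mli == 0 {
		return nil, errors.New("key material must not be empty")
	}
	padded := make([]byte, (mli+7)/8*8) // zero-pad to a multiple of 8 bytes
	copy(padded, keyMaterial)
	a := make([]byte, 8)
	binary.BigEndian.PutUint32(a[:4], kwpAIV)
	binary.BigEndian.PutUint32(a[4:], uint32(mli))
	n := len(padded) / 8
	in := make([]byte, 16)
	b := make([]byte, 16)
	if n == 1 {
		// A single 64-bit block is wrapped with one AES encryption of A || P.
		copy(in[:8], a)
		copy(in[8:], padded)
		block.Encrypt(b, in)
		return b, nil
	}
	// Otherwise run the RFC 3394 wrapping core with A as the initial value.
	r := make([][]byte, n)
	for i := range r {
		r[i] = append([]byte(nil), padded[i*8:i*8+8]...)
	}
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(in[:8], a)
			copy(in[8:], r[i])
			block.Encrypt(b, in)
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(b[:8])^t)
			copy(r[i], b[8:])
		}
	}
	out := append([]byte(nil), a...)
	for _, ri := range r {
		out = append(out, ri...)
	}
	return out, nil
}

// wrapRSAOAEPSHA256 wraps the key material directly with the vault's public RSA
// wrapping key using OAEP with SHA-256 (the RSA_OAEP_SHA256 option).
func wrapRSAOAEPSHA256(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// wrapRSAOAEPAESSHA256 is the assumed two-step scheme for RSA_OAEP_AES_SHA256:
// a fresh temporary 256-bit AES key is wrapped with RSA-OAEP-SHA256, the key
// material is wrapped under the temporary key with RFC 5649, and the result is
// RSA ciphertext || AES-wrapped material.
func wrapRSAOAEPAESSHA256(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	tempKey := make([]byte, 32)
	if _, err := rand.Read(tempKey); err != nil {
		return nil, err
	}
	wrappedTemp, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tempKey, nil)
	if err != nil {
		return nil, err
	}
	wrappedMaterial, err := aesKeyWrapWithPadding(tempKey, keyMaterial)
	if err != nil {
		return nil, err
	}
	return append(wrappedTemp, wrappedMaterial...), nil
}

func main() {
	// Constructed stand-in for the vault's wrapping key pair (assumption).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	keyMaterial := make([]byte, 32) // constructed 256-bit AES key to import
	if _, err := rand.Read(keyMaterial); err != nil {
		panic(err)
	}
	if err := validateAESLength(keyMaterial); err != nil {
		panic(err)
	}
	wrapped, err := wrapRSAOAEPAESSHA256(&priv.PublicKey, keyMaterial)
	if err != nil {
		panic(err)
	}
	fmt.Printf("RSA_OAEP_AES_SHA256 blob (%d bytes): %s\n", len(wrapped), hex.EncodeToString(wrapped))
}
```

The plaintext key material exists only in this process's memory; what leaves the machine is the wrapped blob, which can be opened only by the vault's private wrapping key on the HSM. The RSA_OAEP_AES_SHA256 variant matters when the key material is too long for a single RSA-OAEP block, and RFC 5649 is used rather than plain AES-CBC so that the wrapped material carries an integrity check and its exact length.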