Importing Key Material as an External Key
This section describes how to import the key material as a new external key by using Console.
Open a command prompt and run oci kms management key import to import the AES key material wrapped with the public RSA wrapping key associated with the vault:
oci kms management key import --wrapped-import-key <wrapped_key_material> --compartment-id <compartment_id> --display-name <key_name> --endpoint <control_plane_URL> --key-shape <key_encryption_information> --protection-mode <key_protection_mode>
Note
protection-mode indicates how the key persists and where cryptographic operations that use the key are performed. A protection mode of HSM means that the key persists on a hardware security module (HSM) and all cryptographic operations are performed inside the HSM. A protection mode of SOFTWARE means that the key persists on the server, protected by the vault's RSA wrapping key which persists on the HSM. All cryptographic operations that use a key with a protection mode of SOFTWARE are performed on the server. By default, a key's protection mode is set to HSM. You can't change a key's protection mode after the key is created or imported.
For example:
oci kms management key import --wrapped-import-key file://./wrapped_import_key.json --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name new-external-key --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com --key-shape file://./key_shape.json --protection-mode HSM
For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
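Because the protection mode can't be changed after import, it is worth checking the inputs before running the command. The following pre-import check for the two files passed in the example command is an added illustration, not part of Oracle's documentation. It assumes the JSON field names keyMaterial, wrappingAlgorithm, algorithm and length, RSA_OAEP_SHA256 wrapping, and a 4096-bit vault wrapping key; the function name preflight and the sample values are constructed for this example.

```python
import base64
import json

# Assumptions (not stated on this page): the JSON field names below, and an
# RSA-4096 vault wrapping key, so RSA-OAEP output is exactly 512 bytes.
RSA_WRAP_BYTES = 512
AES_LENGTHS = (16, 24, 32)               # AES key sizes in bytes
PROTECTION_MODES = ("HSM", "SOFTWARE")   # the two modes the note describes


def preflight(wrapped_json, shape_json, protection_mode="HSM"):
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    try:
        wrapped = json.loads(wrapped_json)
        shape = json.loads(shape_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(wrapped, dict) or not isinstance(shape, dict):
        return ["both files must contain a JSON object"]
    # Mode is fixed at import time, so reject typos instead of guessing.
    if protection_mode not in PROTECTION_MODES:
        problems.append(f"unknown protection mode {protection_mode!r}")
    if shape.get("algorithm") != "AES":
        problems.append("key shape algorithm is not AES")
    if shape.get("length") not in AES_LENGTHS:
        problems.append("key shape length must be 16, 24 or 32 bytes")
    if wrapped.get("wrappingAlgorithm") != "RSA_OAEP_SHA256":
        problems.append("this check only covers RSA_OAEP_SHA256 wrapping")
    try:
        blob = base64.b64decode(wrapped.get("keyMaterial", ""), validate=True)
    except (ValueError, TypeError):
        problems.append("keyMaterial is not valid base64")
    else:
        # A blob the size of a bare AES key means the wrapping step was skipped.
        if len(blob) in AES_LENGTHS:
            problems.append("keyMaterial is the size of a raw AES key: not wrapped")
        elif len(blob) != RSA_WRAP_BYTES:
            problems.append(f"keyMaterial is {len(blob)} bytes, expected {RSA_WRAP_BYTES}")
    return problems


# Constructed sample inputs: 512 zero bytes stand in for a real wrapped key.
SAMPLE_WRAPPED = json.dumps({"wrappingAlgorithm": "RSA_OAEP_SHA256",
                             "keyMaterial": base64.b64encode(bytes(512)).decode()})
SAMPLE_SHAPE = json.dumps({"algorithm": "AES", "length": 32})

if __name__ == "__main__":
    print(preflight(SAMPLE_WRAPPED, SAMPLE_SHAPE, "HSM") or "ok")
```

The check inspects only structure and sizes; it cannot confirm that the blob was wrapped with the correct vault's public key.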
Run the ImportKey operation to import the key material as an external key.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.