Oracle Cloud Infrastructure Documentation

Overview of Key Management

Oracle Cloud Infrastructure Key Management provides you with centralized management of the encryption of your data. You can use Key Management to create or import master encryption keys, generate data encryption keys, rotate keys to generate new cryptographic material, enable or disable keys for use in cryptographic operations, assign keys to resources, and use keys for encryption and decryption.

Oracle Cloud Infrastructure Object Storage, Oracle Cloud Infrastructure Block Volume, and Oracle Cloud Infrastructure File Storage integrate with Key Management to support encryption of data in buckets, block or boot volumes, and file systems. Oracle Cloud Infrastructure Container Engine for Kubernetes integrates with Key Management to support the creation of new clusters with encrypted Kubernetes secrets at rest in the etcd key-value store.

Integration with Oracle Cloud Infrastructure Identity and Access Management (IAM) lets you control who and what services can access which keys and what they can do with those keys. Oracle Cloud Infrastructure Audit integration gives you a way to monitor key usage. Audit tracks administrative actions on keys and vaults.

Keys are stored on highly available and durable hardware security modules (HSM) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification. Key Management uses the Advanced Encryption Standard (AES) as its encryption algorithm and its keys are AES symmetric keys.

Key Management Concepts

The following concepts are integral to understanding Key Management.

keys
Keys are logical entities that represent one or more key versions that contain the cryptographic material used to encrypt and decrypt data, protecting the data where it is stored. When processed as part of an encryption algorithm, a key specifies how to transform plaintext into ciphertext during encryption and how to transform ciphertext into plaintext during decryption. Conceptually, Key Management recognizes three types of encryption keys: master encryption keys, wrapping keys, and data encryption keys.
You can create master encryption keys by using the Console or API. Master encryption keys can be generated internally by Key Management or imported to the service from an external source. Key Management stores master encryption keys in a key vault.
After you create your first master encryption key, you can use the API to generate data encryption keys, which Key Management returns to you. Some services can also use a master encryption key to generate their own data encryption keys.
A wrapping key comes included with each key vault by default. A wrapping key is a 4096-bit asymmetric key pair based on the RSA algorithm. The public and private key count against your service limits as two key versions, but don't incur service costs. You use the public key as the key encryption key when you need to wrap key material for import into Key Management, so the plaintext key material is never sent to the service. You cannot create, delete, or rotate wrapping keys.
Key Management introduces master encryption keys as an Oracle Cloud Infrastructure resource.
vaults
Key vaults are logical entities where Key Management creates and durably stores your keys. The type of vault you have determines features and functionality such as the degree of storage isolation, access to management and encryption, and scalability. The type of vault also affects pricing.
Key Management offers different vault types to accommodate your organization's needs and budget. A virtual private vault is an isolated partition on a hardware security module (HSM) that ensures the security and integrity of the encryption keys stored in the vault; regular vaults instead share HSM partitions with other vaults. Virtual private vaults include 1000 key versions by default. If you don't require the greater degree of isolation, regular vaults let you manage costs by paying for key versions individually, as you need them. Key versions count toward your key limit and costs. A key always contains at least one active key version.
Key Management designates vaults as an Oracle Cloud Infrastructure resource.
key versions
Each master encryption key is automatically assigned a key version. When you rotate a key, Key Management generates a new key version; the new version's material can be generated by Key Management or imported by you. Periodically rotating keys limits the amount of data encrypted under any one key version, which reduces the exposure if a key version is ever compromised. A key's unique, Oracle-assigned identifier, called an Oracle Cloud ID (OCID), stays the same across rotations, so callers keep referring to the same key while the key version lets Key Management rotate the underlying material to meet any compliance requirements you might have. Although an older key version can't be used for encryption after the key is rotated, it remains available to decrypt any data it previously encrypted. Key Management removes the need for you to track which key version encrypted which data, because the ciphertext it produces carries the information Key Management needs to select the right version for decryption.
hardware security modules
When you create a master encryption key using the Console or API, Key Management stores the key version within a hardware security module (HSM) to provide a layer of physical security. Any given key version, after it’s created, is replicated within the service infrastructure as a measure of protection against hardware failures. Key versions are not otherwise stored anywhere else and cannot be exported from an HSM. Key Management uses HSMs that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification. This means that the HSM hardware is tamper-evident, has physical safeguards for tamper-resistance, requires identity-based authentication, and deletes keys from the device when it detects tampering.
envelope encryption
The data encryption key used to encrypt your data is, itself, encrypted with a master encryption key. This concept is known as envelope encryption. Oracle Cloud Infrastructure services cannot recover the plaintext data without calling Key Management to unwrap the data encryption key, and that call succeeds only for principals that Oracle Cloud Infrastructure Identity and Access Management (IAM) policy allows to use the master encryption key. For decryption purposes, Object Storage, Block Volume, and File Storage store only the encrypted form of the data encryption key, never the plaintext key.
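The key version and envelope encryption behaviour described above, as an added example that is not part of the original page or Oracle's code: a Go program that simulates a master encryption key with rotating versions and uses it to wrap a per-object data encryption key. Everything in it is a stand-in: the key material is held in memory only so the example runs offline, the ciphertext layout (a 4-byte version prefix) and the choice of AES-256-GCM are this example's own, and the master key name is a placeholder, not an OCID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// MasterKey stands in for a Key Management master encryption key: one logical resource
// owning several key versions. Only the current version encrypts; every retained version
// still decrypts. ASSUMPTION: real key material never leaves the HSM; it sits in process
// memory here only so the example runs offline.
type MasterKey struct {
	OCID     string
	Current  uint32
	versions map[uint32][]byte // version number -> 256-bit AES key material
}

// must: with the fixed key sizes used here, CSPRNG or cipher setup failures are programming errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// NewMasterKey creates the key with its first version, as the service does.
func NewMasterKey(ocid string) *MasterKey {
	mk := &MasterKey{OCID: ocid, versions: map[uint32][]byte{}}
	mk.Rotate()
	return mk
}

// Rotate adds fresh material as a new current version; old versions stay for decryption.
func (mk *MasterKey) Rotate() {
	mk.Current++
	mk.versions[mk.Current] = randBytes(32)
}

// Encrypt seals plaintext under the current version as version(4) || nonce(12) || ciphertext || tag(16);
// the version header is also authenticated as associated data so it cannot be altered unnoticed.
func (mk *MasterKey) Encrypt(plaintext []byte) []byte {
	aead := newGCM(mk.versions[mk.Current])
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, mk.Current)
	nonce := randBytes(aead.NonceSize())
	out := append(append([]byte{}, header...), nonce...)
	return aead.Seal(out, nonce, plaintext, header)
}

// Decrypt picks the version named in the header, so callers never track which
// version encrypted what; an unknown version is an error, never a guess.
func (mk *MasterKey) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < 4+12 { // header + GCM nonce; the tag check is left to Open
		return nil, errors.New("ciphertext too short")
	}
	ver := binary.BigEndian.Uint32(ct[:4])
	material, ok := mk.versions[ver]
	if !ok {
		return nil, fmt.Errorf("%s: key version %d is not available", mk.OCID, ver)
	}
	return newGCM(material).Open(nil, ct[4:16], ct[16:], ct[:4])
}

// Envelope is all a service stores beside the data: the DEK only in wrapped form.
type Envelope struct{ WrappedDEK, Nonce, Ciphertext []byte }

// EnvelopeEncrypt makes a one-off data encryption key, encrypts the bulk data with it
// locally, wraps the DEK under the master key and drops the plaintext DEK.
func EnvelopeEncrypt(mk *MasterKey, data []byte) *Envelope {
	dek := randBytes(32)
	aead := newGCM(dek)
	nonce := randBytes(aead.NonceSize())
	return &Envelope{mk.Encrypt(dek), nonce, aead.Seal(nil, nonce, data, nil)}
}

// EnvelopeDecrypt unwraps the DEK through the master key (the IAM-gated call in the
// real service) and then decrypts the bulk data locally.
func EnvelopeDecrypt(mk *MasterKey, env *Envelope) ([]byte, error) {
	dek, err := mk.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return newGCM(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	mk := NewMasterKey("example-master-key") // placeholder name, not a real OCID
	env := EnvelopeEncrypt(mk, []byte("constructed sample object"))
	mk.Rotate() // version 2 is now current; env was wrapped under version 1 and still opens
	pt, err := EnvelopeDecrypt(mk, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

After Rotate, the envelope wrapped under version 1 still opens, new envelopes pick up version 2, and a ciphertext whose version prefix has been edited fails authentication because the prefix is bound into the GCM tag as associated data. A version that was never created is rejected outright rather than guessed.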
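The wrapping-key import step described under keys above, as an added example that is not part of the original page or Oracle's code. The page says only that the vault's RSA public key serves as the key encryption key for import; this Go program assumes RSA-OAEP with SHA-256 as the padding scheme, generates its own 4096-bit pair to stand in for the vault's (in practice you download only the public key from the service and the private half stays inside the HSM), and wraps constructed sample key material into the base64 payload you would submit.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// SimulatedWrappingKey stands in for the 4096-bit RSA wrapping key pair that comes
// with every vault. ASSUMPTION: in practice you fetch only the public half from the
// service; the private half is generated here so the unwrap side (which the HSM does
// on your behalf and never exposes) can be checked. Generation takes a few seconds.
func SimulatedWrappingKey() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// WrapForImport encrypts raw AES key material under the vault's public wrapping key
// and returns the base64 payload for the import request, so the plaintext key never
// travels to the service. ASSUMPTION: RSA-OAEP with SHA-256; the page does not name
// the padding scheme, so check the import API documentation before relying on it.
func WrapForImport(pubPEM, keyMaterial []byte) (string, error) {
	switch len(keyMaterial) {
	case 16, 24, 32: // AES-128/192/256
	default:
		return "", fmt.Errorf("key material must be 16, 24 or 32 bytes, got %d", len(keyMaterial))
	}
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return "", errors.New("wrapping key is not a PEM-encoded PUBLIC KEY")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() != 4096 {
		return "", errors.New("expected a 4096-bit RSA wrapping key")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// UnwrapImported is the HSM side of the exchange, shown only to verify the round trip.
func UnwrapImported(priv *rsa.PrivateKey, payload string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	priv, pubPEM, err := SimulatedWrappingKey()
	if err != nil {
		panic(err)
	}
	material := make([]byte, 32) // constructed sample key material
	if _, err := rand.Read(material); err != nil {
		panic(err)
	}
	payload, err := WrapForImport(pubPEM, material)
	if err != nil {
		panic(err)
	}
	got, err := UnwrapImported(priv, payload)
	fmt.Println("payload chars:", len(payload), "round trip ok:", err == nil && bytes.Equal(got, material))
}
```

The checks before encryption are the ones worth keeping in real tooling: refuse key material that is not a valid AES length, refuse anything that is not the expected 4096-bit RSA public key, and expect a 512-byte ciphertext. Because OAEP is randomized, wrapping the same material twice yields different payloads; that is normal and not a sign of a mismatch.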

Regions and Availability Domains

You can use Key Management in the Australia Southeast (Melbourne), India West (Mumbai), Japan Central (Osaka), South Korea Central (Seoul), Australia East (Sydney), Japan East (Tokyo), Canada Southeast (Toronto), Netherlands Northwest (Amsterdam), Germany Central (Frankfurt), Switzerland North (Zurich), Saudi Arabia West (Jeddah), Brazil East (Sao Paulo), UK South (London), US East (Ashburn), and US West (Phoenix) regions. Unlike other Oracle Cloud Infrastructure services, however, Key Management does not have one regional endpoint for all API operations. The service has one regional endpoint for the provisioning service that handles create, update, and list operations for vaults. Create, update, and list operations for keys, and the cryptographic operations themselves, go to service endpoints that are distributed across multiple independent clusters, so each vault has its own management endpoint and cryptographic endpoint, which the service returns as part of the vault resource; use those rather than a single fixed hostname.

Because Key Management has public endpoints, you can directly use data encryption keys generated by Key Management for cryptographic operations in your applications. However, if you want to use master encryption keys with a service that has integrated with Key Management, you can do so only when the service and the key vault that holds the key both exist within the same region.

Key Management maintains copies of encryption keys across all availability domains within a region. This replication makes it possible for Key Management to generate keys even when an availability domain is unavailable.

Private Access to Key Management

Key Management supports private access from Oracle Cloud Infrastructure resources in a virtual cloud network (VCN) through a service gateway. Setting up and using a service gateway on a VCN lets resources (such as the instances that your encrypted volumes are attached to) access public Oracle Cloud Infrastructure services such as Key Management without exposing them to the public internet. No internet gateway is required and resources can be in a private subnet and use only private IP addresses. For more information, see Access to Oracle Services: Service Gateway.

Resource Identifiers

Key Management introduces keys and vaults as Oracle Cloud Infrastructure resources. Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Ways to Access Oracle Cloud Infrastructure

You can access Oracle Cloud Infrastructure using the Console (a browser-based interface) or the REST API. Instructions for the Console and API are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface. Terraform does not currently support Key Management.

To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. You will be prompted to enter your cloud tenant, your user name, and your password.

For general information about using the API, see REST APIs.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, and so on. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

Limits on Key Management Resources

See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.