Assigning Keys

Note

Before the introduction of secrets as a resource, Oracle Cloud Infrastructure Vault was known as Oracle Cloud Infrastructure Key Management.

This topic describes how to assign keys to supported resources and how to remove those key assignments when no longer needed.

You can assign master encryption keys to block or boot volumes, file systems, buckets, and stream pools. Block Volume, File Storage, Object Storage, and Streaming use the keys to decrypt the data encryption keys that protect the data that is stored by each respective service. By default, these services rely on Oracle-managed master encryption keys for cryptographic operations. When you remove a Vault master encryption key assignment from a resource, the service returns to using an Oracle-managed key for encryption, decryption, and generating data encryption keys.
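Because a resource silently falls back to an Oracle-managed key whenever no Vault key is assigned, it is worth checking periodically which volumes and buckets are actually encrypted under one of your approved keys. The script below is an added example and is not Oracle's code: it parses the JSON that `oci bv volume list` and `oci os bucket get` print (the `kms-key-id` field, which is null when the resource relies on an Oracle-managed key) and reports anything not using an approved key. The records, OCIDs and approved-key list are constructed sample data.

```python
"""Audit which OCI storage resources use an approved Vault master encryption key.

Added example, not part of the Oracle documentation. The field name
"kms-key-id" is taken from the output of `oci bv volume list` and
`oci os bucket get`; null means the resource relies on an Oracle-managed key.
All records and OCIDs below are constructed placeholders.
"""
import json

# Constructed placeholder OCID of the one key this compartment is allowed to use
APPROVED_KEYS = {"ocid1.key.oc1..example-approved-key"}

# Constructed sample in the shape of `oci bv volume list --compartment-id <ocid> --all`
VOLUME_LIST_OUTPUT = json.dumps({"data": [
    {"id": "ocid1.volume.oc1..example-vol-1", "display-name": "db-data",
     "kms-key-id": "ocid1.key.oc1..example-approved-key"},
    {"id": "ocid1.volume.oc1..example-vol-2", "display-name": "scratch",
     "kms-key-id": None},
    {"id": "ocid1.volume.oc1..example-vol-3", "display-name": "legacy",
     "kms-key-id": "ocid1.key.oc1..example-unapproved-key"},
]})

# Constructed sample in the shape of `oci os bucket get --name <bucket>`
BUCKET_GET_OUTPUT = json.dumps({"data": {"name": "backups", "kms-key-id": None}})


def classify(record):
    """Return 'oracle-managed', 'approved' or 'unapproved' for one resource."""
    key_id = record.get("kms-key-id")
    if key_id is None:
        return "oracle-managed"          # no Vault key assigned: Oracle-managed key
    return "approved" if key_id in APPROVED_KEYS else "unapproved"


def audit(cli_json, id_field="id"):
    """Map resource identifier -> classification for a CLI JSON document
    whose "data" is either a list of records or a single record."""
    data = json.loads(cli_json)["data"]
    records = data if isinstance(data, list) else [data]
    return {r[id_field]: classify(r) for r in records}


def findings(cli_json, id_field="id"):
    """Identifiers of resources not encrypted under an approved Vault key."""
    return sorted(rid for rid, state in audit(cli_json, id_field).items()
                  if state != "approved")


if __name__ == "__main__":
    for label, output, field in [("volume", VOLUME_LIST_OUTPUT, "id"),
                                 ("bucket", BUCKET_GET_OUTPUT, "name")]:
        for rid, state in audit(output, field).items():
            print(f"{label} {rid}: {state}")
```

In practice you would feed the script the real CLI output instead of the constructed samples; the classification logic is the same, and anything reported as `oracle-managed` or `unapproved` is a resource whose key assignment should be reviewed.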

You can also assign master encryption keys to clusters that you create using Container Engine for Kubernetes to encrypt Kubernetes secrets at rest in the etcd key-value store.

For information about managing the creation and usage of master encryption keys and key versions, see Managing Keys. For information specifically about creating keys with your own key material, see Importing Keys and Key Versions. For information about how you can use keys in cryptographic operations, see Using Keys. For information about what you can do with vaults where you store keys, see Managing Vaults.

Required IAM Policy

Warning

Keys associated with volumes, buckets, file systems, clusters, and stream pools will not work unless you authorize Oracle Cloud Infrastructure Block Volume, Oracle Cloud Infrastructure Object Storage, Oracle Cloud Infrastructure File Storage, Oracle Cloud Infrastructure Container Engine for Kubernetes, and Streaming to use keys on your behalf. You must also authorize users to delegate key usage to these services in the first place. For more information, see Let a user group delegate key usage in a compartment and Let Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming services encrypt and decrypt volumes, volume backups, buckets, file systems, Kubernetes secrets, and stream pools in Common Policies.

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: for typical policies that give access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.

If you're new to policies, see Getting Started with Policies and Common Policies.

Using the Console

To assign a key to a new Object Storage bucket
To assign a key to an existing Object Storage bucket
To assign a key to a new Block Volume
To assign a key to an existing Block Volume
To assign a key to a new file system
To create a Compute instance with an encrypted boot volume
To assign a key to an existing boot volume
To create a Kubernetes cluster with encrypted secrets in the etcd key-value store
To assign a key to a new stream pool
To change or remove the master encryption key assigned to an existing stream pool
To remove a key assignment from a bucket
To remove a key assignment from a Block Volume
To remove a key assignment from a boot volume
To change a key assignment for a file system

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Help.

Tip

Each vault has a unique endpoint for create, update, and list operations for keys. This endpoint is referred to as the control plane URL or management endpoint. Each vault also has a unique endpoint for cryptographic operations. This endpoint is known as the data plane URL or the cryptographic endpoint. When using the CLI for key operations, you must provide the appropriate endpoint for the type of operation. To retrieve a vault's endpoints, see instructions in To view vault configuration details.
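Using the wrong endpoint for a key operation is a common source of confusing CLI failures, so it helps to select the endpoint from the vault record programmatically. The helper below is an added example, not Oracle's code: it reads the `management-endpoint` and `crypto-endpoint` fields in the shape printed by `oci kms management vault get`, maps each CLI key operation to the plane it belongs to, and assembles the command with the CLI's global `--endpoint` override. The vault record and hostnames are constructed placeholders.

```python
"""Choose the control-plane or data-plane endpoint for an OCI CLI key operation.

Added example, not from the Oracle documentation. The field names
"management-endpoint" and "crypto-endpoint" match the JSON printed by
`oci kms management vault get --vault-id <ocid>`; the vault record and
hostnames below are constructed placeholders.
"""
import json
import shlex

# Constructed sample in the shape of `oci kms management vault get` output
VAULT_GET_OUTPUT = json.dumps({"data": {
    "id": "ocid1.vault.oc1..example-vault",
    "display-name": "prod-vault",
    "management-endpoint": "https://example-management.kms.example.oraclecloud.com",
    "crypto-endpoint": "https://example-crypto.kms.example.oraclecloud.com",
}})

# Create/update/list operations on keys use the management (control plane) endpoint;
# cryptographic operations use the crypto (data plane) endpoint.
MANAGEMENT_OPS = {"key list", "key create", "key get", "key update", "key-version list"}
CRYPTO_OPS = {"encrypt", "decrypt", "generate-data-encryption-key"}


def endpoint_for(vault_json, operation):
    """Return (plane, endpoint URL) for a CLI key operation; raise on an unknown one."""
    vault = json.loads(vault_json)["data"]
    if operation in MANAGEMENT_OPS:
        return "management", vault["management-endpoint"]
    if operation in CRYPTO_OPS:
        return "crypto", vault["crypto-endpoint"]
    raise ValueError(f"unknown key operation: {operation!r}")


def build_command(vault_json, operation, *args):
    """Assemble `oci kms <plane> <operation> ... --endpoint <url>` as one shell line."""
    plane, url = endpoint_for(vault_json, operation)
    parts = ["oci", "kms", plane, *operation.split(), *args, "--endpoint", url]
    return shlex.join(parts)


if __name__ == "__main__":
    print(build_command(VAULT_GET_OUTPUT, "key list",
                        "--compartment-id", "ocid1.compartment.oc1..example"))
    print(build_command(VAULT_GET_OUTPUT, "encrypt",
                        "--key-id", "ocid1.key.oc1..example-key",
                        "--plaintext", "aGVsbG8="))
```

The operation sets cover only the commands named on this page's topic; extend them with the other `oci kms management` and `oci kms crypto` subcommands you use, keeping each under the plane whose endpoint it requires.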

To assign a key to an Object Storage bucket
To update the key assigned to an Object Storage bucket
To create a block volume that's encrypted with a Vault service key
To update a key assigned to an existing Block Volume
To create a boot volume that's encrypted with a Vault service key
To create a Compute instance with a boot volume that's encrypted with a Vault service key
To update a key assigned to an existing boot volume
To create a Kubernetes cluster with encrypted secrets in the etcd key-value store
To remove the key assigned to an Object Storage bucket
To remove a key assigned to a Block Volume
To remove a key assigned to a Block Volume boot volume

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operations to assign keys:

Container Engine for Kubernetes

Core Services

File Storage

Object Storage