Managing Keys

Note

Before the introduction of secrets as a resource, Oracle Cloud Infrastructure Vault was known as Oracle Cloud Infrastructure Key Management.

This topic describes what you can do with keys and key versions to manage their creation and usage. For information specifically about creating keys with your own key material, see Importing Keys and Key Versions. For information about assigning keys to protect supported resources, see Assigning Keys. For information about how you can use keys in cryptographic operations, see Using Keys. For information about backing up and restoring keys, see Backing Up Vaults and Keys. For information about what you can do with vaults where you store keys, see Managing Vaults.

Management of keys includes the ability to do the following:

  • Create keys
  • View key details
  • View a list of keys
  • View a list of key versions for a specific key
  • Update a key name
  • Manage a key's tags
  • Enable keys for use in cryptographic operations
  • Rotate keys to generate new cryptographic material
  • Disable keys to prevent their usage in cryptographic operations
  • Delete keys to permanently prevent their usage in cryptographic operations or assignment to resources
  • Move a key to a new compartment

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: for typical policies that give access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.

If you're new to policies, see Getting Started with Policies and Common Policies.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Monitoring Resources

You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring Overview and Notifications Overview.

For information about monitoring the traffic associated with your master encryption keys, see Vault Metrics.

Moving Resources to a Different Compartment

You can move keys from one compartment to another. After you move a key to a new compartment, the policies of the new compartment apply immediately and affect access to the key and its key versions. Moving a key doesn't affect access to the vault that the key is associated with. Similarly, you can move a vault from one compartment to another independently of moving any of its keys. For more information, see Managing Compartments.

Using the Console

To create a new key
To view key details
To view a list of keys
To view a list of key versions
To change the name of a key
To manage a key's tags
To enable a key
To rotate a master encryption key
To disable a key
To delete a key
To cancel the deletion of a key
To move a key to a different compartment

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the Command Line Reference.

Tip

Each vault has a unique endpoint for create, update, and list operations for keys. This endpoint is referred to as the control plane URL or management endpoint. Each vault also has a unique endpoint for cryptographic operations. This endpoint is known as the data plane URL or the cryptographic endpoint. When using the CLI for key operations, you must provide the appropriate endpoint for the type of operation. To retrieve a vault's endpoints, see instructions in To view vault configuration details.
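
To make the two-endpoint rule concrete, the following POSIX shell helper (an added example, not part of the Oracle documentation or the OCI CLI) reads both endpoints from a constructed `oci kms management vault get` response and routes each key operation to the endpoint it belongs to. The vault JSON, hostnames and OCIDs are placeholders.

```shell
#!/bin/sh
# Constructed (abridged) sample of the JSON that `oci kms management vault get
# --vault-id <vault OCID>` returns. Hostnames are placeholders, not a real vault.
VAULT_JSON='{
  "data": {
    "display-name": "example-vault",
    "lifecycle-state": "ACTIVE",
    "management-endpoint": "https://EXAMPLE-management.kms.us-phoenix-1.oraclecloud.com",
    "crypto-endpoint": "https://EXAMPLE-crypto.kms.us-phoenix-1.oraclecloud.com"
  }
}'

# Pull one flat string field ("key": "value") out of the vault JSON with sed,
# so the helper works without jq. Usage: vault_field <field-name> <json>
vault_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Map a key operation to the endpoint it must be sent to: lifecycle and metadata
# operations go to the control plane (management endpoint), cryptographic
# operations go to the data plane (crypto endpoint). Anything else is rejected.
endpoint_for() {
  case "$1" in
    create|get|list|update|enable|disable|rotate|schedule-deletion|cancel-deletion|change-compartment)
      vault_field management-endpoint "$VAULT_JSON" ;;
    encrypt|decrypt|generate-data-encryption-key|sign|verify)
      vault_field crypto-endpoint "$VAULT_JSON" ;;
    *) echo "endpoint_for: unknown operation '$1'" >&2; return 1 ;;
  esac
}

# Assemble the full `oci` invocation for an operation with the right --endpoint.
# It is printed, not executed, so the routing is visible offline; pipe into sh to run.
kms_cli() {
  op=$1; shift
  ep=$(endpoint_for "$op") || return 1
  case "$op" in
    rotate) sub="kms management key-version create" ;;   # rotating = new key version
    encrypt|decrypt|generate-data-encryption-key|sign|verify) sub="kms crypto $op" ;;
    *)      sub="kms management key $op" ;;
  esac
  printf 'oci %s --endpoint %s %s\n' "$sub" "$ep" "$*"
}

# Worked calls with placeholder OCIDs (the plaintext is base64 of "hello").
kms_cli create --compartment-id ocid1.compartment.EXAMPLE --display-name app-key \
  --key-shape '{"algorithm":"AES","length":32}'
kms_cli rotate --key-id ocid1.key.EXAMPLE
kms_cli encrypt --key-id ocid1.key.EXAMPLE --plaintext aGVsbG8=
```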

To create a new key
To create a new key with resource tags
To view a key's details
To view a list of keys
To view a list of key versions
To change the name of a key
To enable a key
To rotate a key
To disable a key
To delete a key
To cancel the deletion of a key
To move a key to a different compartment

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operations to manage keys: