Managing Vaults

Note

Before the introduction of secrets as a resource, Oracle Cloud Infrastructure Vault was known as Oracle Cloud Infrastructure Key Management.

This topic describes how to create and manage vaults. For information specifically about backing up and restoring vaults, see Backing Up Vaults and Keys. For information about what you can do with keys, see Managing Keys. For information about what you can do with secrets, see Managing Secrets.

The Vault service lets you create vaults in your tenancy as containers for encryption keys and secrets. If needed, a virtual private vault provides you with a dedicated partition in a hardware security module (HSM), offering a level of storage isolation for encryption keys that’s effectively equivalent to a virtual independent HSM.

Vault management tasks include the following:

  • Creating a vault
  • Viewing vault configuration details
  • Updating the vault name
  • Managing vault tags
  • Deleting a vault
  • Moving a vault to a new compartment

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: for typical policies that give access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.

If you're new to policies, see Getting Started with Policies and Common Policies.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Moving Resources to a Different Compartment

You can move vaults from one compartment to another. After you move a vault to a new compartment, inherent policies apply immediately and affect access to the vault. Moving a vault doesn't affect access to any keys or secrets that the vault contains. You can move a key or secret from one compartment to another independently of moving the vault it's associated with. For more information, see Managing Compartments.

Using the Console

To view vault configuration details
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault you want to view.
  3. From the list of vaults in the compartment, click the name of the vault.
  4. The console displays the following information:

    • Compartment: The unique, Oracle-assigned ID of the compartment that contains the vault.
    • OCID: The unique, Oracle-assigned ID of the vault.
    • Created: The date and time when you initially created the vault.
    • Total HSM Keys: The number of master encryption keys protected by a hardware security module (HSM) that the vault contains. This includes the wrapping key that is created for the vault by the service.
    • Total HSM Key Versions: The number of all key versions across all HSM-protected master encryption keys that the vault contains. A master encryption key comprises one or more key versions, up to the limit allowed by service limits.
    • Total Software Keys: The number of master encryption keys protected by software that the vault contains.
    • Total Software Key Versions: The number of all key versions across all software-protected master encryption keys that the vault contains. This can include one or more key versions for each master encryption key, up to the limit allowed by service limits.
    • Virtual Private: Whether or not the vault is a virtual private vault.
    • Management Endpoint: The service endpoint for CreateKey, CreateKeyVersion, EnableKey, DisableKey, UpdateKey, ListKeys, ListKeyVersions, GetKey, GetKeyVersion, ImportKey and ImportKeyVersion operations.
    • Cryptographic Endpoint: The service endpoint for Encrypt, Decrypt, and GenerateDataEncryptionKey operations.
    • Wrapping Key: The public RSA wrapping key for the vault.
To create a new vault
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment where you want to create the vault.
  3. Click Create Vault.
  4. In the Create Vault dialog box, click Name, and then enter a display name for the vault. Avoid entering any confidential information in this field.
  5. Optionally, make the vault a virtual private vault by selecting the Make it a virtual private vault check box. For more information about vault types, see Key and Secret Management Concepts.
  6. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  7. When you are finished, click Create.
To change a vault name
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault you want to rename.
  3. From the list of vaults in the compartment, click the name of the vault.
  4. On the Vault Details page, click Edit Name.
  5. In the Edit Vault Name dialog box, click Name, and then enter a new display name for the vault. Avoid entering any confidential information in this field.
  6. When you are finished, click Save.
To manage a vault's tags
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault for which you want to manage tags.
  3. From the list of vaults in the compartment, click the name of the vault.
  4. On the Vault Details page, click the Tags tab to view or edit existing tags. Or, click Add Tag(s) to add new ones.
To delete a vault
Note

When you delete a vault, the vault and all its associated keys go into a pending deletion state until the waiting period expires. By default, this is 30 days, but can be set from a minimum of 7 days up to a maximum of 30 days. When a vault is deleted, all its associated keys are also deleted.
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault you want to delete.
  3. From the list of vaults in the compartment, click the name of the vault.
  4. On the Vault Details page, click Delete.
  5. To confirm that you want to delete the vault, type the name of the vault, and then choose the date and time you want the vault to be deleted.
  6. When you are finished, click Delete Vault.
To cancel the deletion of a vault
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault that's in a pending deletion state.
  3. From the list of vaults in the compartment, click the name of the vault.
  4. On the Vault Details page, click Cancel Deletion.
  5. To confirm that you want to cancel deletion of the vault, click Cancel Deletion.
To move a vault to a different compartment
  1. Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
  2. Under Table Scope, in the Compartment list, choose the compartment that contains the vault that you want to move.
  3. Find the vault in the list, click the Actions icon (three dots), and then click Move Resource.
  4. Choose the destination compartment from the list.
  5. Click Move Resource.

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the Command Line Reference.

To view vault configuration details

Open a command prompt and run oci kms management vault get to view the configuration details for a vault:

oci kms management vault get --vault-id <target_vault_id>

For example:

oci kms management vault get --vault-id ocid1.vault.region1.sea.exampleaaacu2.examplesrcvbtqe5wgrxn2jua3olmeausn5fauxseubwu5my5tf3w3j33edq

To create a new vault

Open a command prompt and run oci kms management vault create to create a new vault:

oci kms management vault create --compartment-id <target_compartment_id> --display-name <vault_name> --vault-type <vault_type>

For example:

oci kms management vault create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name vault-1 --vault-type VIRTUAL_PRIVATE

Caution

Avoid entering confidential information in the vault name.
To create a new vault with resource tags

Open a command prompt and run oci kms management vault create with one or both of the --defined-tags and --freeform-tags options to create a new vault with resource tags:

oci kms management vault create --compartment-id <target_compartment_id> --display-name <vault_name> --vault-type <vault_type> --defined-tags <JSON_formatted_defined_tag> --freeform-tags <JSON_formatted_freeform_tag>

For example, on a macOS or Linux machine:

oci kms management vault create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name vault-1 --vault-type VIRTUAL_PRIVATE --defined-tags '{"Operations": {"CostCenter": "42"}}' --freeform-tags '{"Department":"Finance"}'

Or, for example, on a Windows machine:

oci kms management vault create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name vault-1 --vault-type VIRTUAL_PRIVATE --defined-tags '{\"Operations\": {\"CostCenter\":\"42\"}}' --freeform-tags '{\"Department\":\"Finance\"}'

Caution

Avoid entering confidential information in the vault name.
To change a vault name

Open a command prompt and run oci kms management vault update to change a vault's name:

oci kms management vault update --vault-id <target_vault_id> --display-name <new_vault_name>

For example:

oci kms management vault update --vault-id ocid1.vault.region1.sea.exampleaaacu2.examplesrcvbtqe5wgrxn2jua3olmeausn5fauxseubwu5my5tf3w3j33edq --display-name new-vault-name

To delete a vault

Open a command prompt and run oci kms management vault schedule-deletion to delete a vault:

oci kms management vault schedule-deletion --vault-id <target_vault_id>

For example:

oci kms management vault schedule-deletion --vault-id ocid1.vault.region1.sea.exampleaaacu2.examplesrcvbtqe5wgrxn2jua3olmeausn5fauxseubwu5my5tf3w3

When you delete a vault, the vault and all its associated keys go into a pending deletion state until the waiting period expires. By default, this is 30 days, but can be set from a minimum of 7 days up to a maximum of 30 days. When a vault is deleted, all its associated keys are also deleted.
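The following is an added example, not part of the Oracle documentation: a small POSIX shell wrapper around the vault create-with-tags and schedule-deletion commands above. It rejects OCIDs that are not vault OCIDs before they reach the service, passes tags through a JSON file using the CLI's file:// convention for complex parameters (so the Linux and Windows quoting variants above collapse into one invocation), and enforces the 7 to 30 day deletion window before calling the CLI. Assumptions: the --time-of-deletion option of schedule-deletion, which this page does not show, and an OCI_DRY_RUN variable of my own that prints the command instead of running it.

```shell
#!/bin/sh
# Added example wrappers for the OCI Vault CLI commands (not Oracle's code).
# OCI_DRY_RUN=1 prints the composed command instead of invoking oci, which
# lets the wrappers be exercised without tenancy credentials.

run_oci() {
    if [ "${OCI_DRY_RUN:-0}" = "1" ]; then
        printf 'oci %s\n' "$*"
    else
        oci "$@"
    fi
}

# Refuse anything that is not a vault OCID before it reaches the service.
check_vault_ocid() {
    case "$1" in
        ocid1.vault.*) return 0 ;;
        *) echo "not a vault OCID: $1" >&2; return 1 ;;
    esac
}

# RFC 3339 UTC timestamp N days from now (GNU date first, BSD date fallback).
deletion_time() {
    date -u -d "+$1 days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null ||
        date -u -v+"$1"d +%Y-%m-%dT%H:%M:%SZ
}

# create_vault COMPARTMENT_OCID DISPLAY_NAME VAULT_TYPE FREEFORM_TAGS_JSON
# Tags go through a temp file, so no shell-specific escaping is needed.
create_vault() {
    tagfile=$(mktemp) && printf '%s' "$4" > "$tagfile"
    run_oci kms management vault create --compartment-id "$1" \
        --display-name "$2" --vault-type "$3" --freeform-tags "file://$tagfile"
    status=$?; rm -f "$tagfile"; return $status
}

# schedule_vault_deletion VAULT_OCID DAYS
# Enforces the documented 7..30 day waiting period before scheduling.
# --time-of-deletion is assumed to be the option name; verify against the CLI reference.
schedule_vault_deletion() {
    check_vault_ocid "$1" || return 1
    [ "$2" -ge 7 ] && [ "$2" -le 30 ] || { echo "days must be 7..30" >&2; return 1; }
    run_oci kms management vault schedule-deletion --vault-id "$1" \
        --time-of-deletion "$(deletion_time "$2")"
}
```

Run with OCI_DRY_RUN=1 first to review the exact command line, then unset it to execute against the tenancy.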

To cancel the deletion of a vault

Open a command prompt and run oci kms management vault cancel-deletion to cancel the pending deletion of a vault:

oci kms management vault cancel-deletion --vault-id <target_vault_id>

For example:

oci kms management vault cancel-deletion --vault-id ocid1.vault.region1.sea.exampleaaacu2.examplesrcvbtqe5wgrxn2jua3olmeausn5fauxseubwu5my5tf3w3

To move a vault to a different compartment

Open a command prompt and run oci kms management vault change-compartment to move a vault from one compartment to another within the same tenancy:

oci kms management vault change-compartment --vault-id <target_vault_id> --compartment-id <new_compartment_id>

For example:

oci kms management vault change-compartment --vault-id ocid1.vault.region1.sea.exampleaaacu2.examplesrcvbtqe5wgrxn2jua3olmeausn5fauxseubwu5my5tf3w3 --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz