Encrypting Data using Master Encryption Key

Encrypt your data with a Vault master encryption key using the CLI or the API.

  • This task is not available in the Console.

  • Note

    You can use either AES symmetric keys or RSA asymmetric keys to encrypt or decrypt data. ECDSA keys do not support vault cryptography required to encrypt or decrypt data. If you want to encrypt data by using an RSA asymmetric key, then you must also provide the --key-version-id of the key. To decrypt the data, you need to provide the same --key-version-id. The need to track key versions exists because, unlike symmetric keys, an asymmetric key's ciphertext does not contain the information that the service needs for decryption purposes.

    Open a command prompt and run the oci kms crypto encrypt command to encrypt data (the plaintext is passed as a base64-encoded string):

    oci kms crypto encrypt --key-id <key_OCID> --plaintext <base64_string> --endpoint <data_plane_url>

    For example:

    oci kms crypto encrypt --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --plaintext VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4= --endpoint https://exampleaaacu3-crypto.kms.us-ashburn-1.oraclecloud.com

    Optionally, you can include the --associated-data option to provide an encryption context: useful, but non-secret, information about the encrypted data. The service binds that information to the ciphertext so that the data cannot be decrypted without supplying the same associated data again, providing an extra layer of protection. Associated data must be properly formatted JSON. For example:

    oci kms crypto encrypt --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --plaintext VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZy4= --associated-data '{"CustomerId":"12345", "Custom Data":"custom data"}' --endpoint https://exampleaaacu3-crypto.kms.us-ashburn-1.oraclecloud.com

    If using an RSA asymmetric key, provide the public key.

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
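    The following added example (not code from the OCI documentation or CLI) builds the oci kms crypto encrypt and decrypt invocations described above and enforces the two rules the Note states: the plaintext is base64-encoded, associated data is serialised as well-formed JSON, and an RSA key refuses to encrypt without a --key-version-id, which is then carried over to the decrypt call. The key OCID, endpoint and plaintext are the page's example values; the decrypt subcommand's --ciphertext option and the key-version OCID are assumptions.

```python
import base64
import json
import subprocess
from typing import Optional


def build_encrypt_cmd(key_id: str, plaintext: bytes, endpoint: str,
                      associated_data: Optional[dict] = None,
                      key_version_id: Optional[str] = None,
                      asymmetric: bool = False) -> list:
    """argv for `oci kms crypto encrypt`, applying the rules from the Note."""
    if asymmetric and not key_version_id:
        # RSA ciphertext carries no key-version information, so the caller has
        # to pin a version now and store it next to the ciphertext for decrypt.
        raise ValueError("RSA keys require --key-version-id")
    argv = ["oci", "kms", "crypto", "encrypt",
            "--key-id", key_id,
            "--plaintext", base64.b64encode(plaintext).decode("ascii"),
            "--endpoint", endpoint]
    if associated_data is not None:
        # Must be well-formed JSON; a canonical serialisation makes it easy to
        # present exactly the same context again at decrypt time.
        argv += ["--associated-data", json.dumps(associated_data, sort_keys=True)]
    if key_version_id:
        argv += ["--key-version-id", key_version_id]
    return argv


def build_decrypt_cmd(key_id: str, ciphertext_b64: str, endpoint: str,
                      associated_data: Optional[dict] = None,
                      key_version_id: Optional[str] = None) -> list:
    """argv for the matching `oci kms crypto decrypt` (assumed --ciphertext option)."""
    argv = ["oci", "kms", "crypto", "decrypt",
            "--key-id", key_id, "--ciphertext", ciphertext_b64,
            "--endpoint", endpoint]
    if associated_data is not None:
        argv += ["--associated-data", json.dumps(associated_data, sort_keys=True)]
    if key_version_id:  # the same version that produced the ciphertext
        argv += ["--key-version-id", key_version_id]
    return argv


def run_oci(argv: list) -> dict:
    """Invoke the CLI (needs a configured OCI profile) and parse its JSON reply."""
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return json.loads(out)
```

    Store the key version OCID and the associated data alongside the ciphertext; without both, an RSA-encrypted payload cannot be decrypted later.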

  • Run the Encrypt operation to encrypt data using the KMSCRYPTO endpoint.

    Note

    Each region has its own KMSCRYPTO endpoint for encryption and decryption operations; this endpoint is also referred to as the control plane URL. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.