Oracle Cloud Infrastructure Documentation

Overview of Key Management

Oracle Cloud Infrastructure Key Management provides you with centralized management of the encryption of your data. You can use Key Management to create master encryption keys and data encryption keys, rotate keys to generate new cryptographic material, enable or disable keys for use in cryptographic operations, assign keys to resources, and use keys for encryption and decryption.

Oracle Cloud Infrastructure Object Storage, Oracle Cloud Infrastructure Block Volume, and Oracle Cloud Infrastructure File Storage integrate with Key Management to support encryption of data in buckets, block or boot volumes, and file systems. Integration with Oracle Cloud Infrastructure Identity and Access Management (IAM) lets you control who and what services can access which keys and what they can do with those keys. Oracle Cloud Infrastructure Audit integration gives you a way to monitor key usage. Audit tracks administrative actions on keys and vaults.

Keys are stored on highly available and durable hardware security modules (HSM) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification. Key Management uses the Advanced Encryption Standard (AES) as its encryption algorithm and its keys are AES symmetric keys.

Key Management Concepts

The following concepts are integral to understanding Key Management.

Keys are logical entities that represent one or more key versions that contain the cryptographic material used to encrypt and decrypt data, protecting the data where it is stored. When processed as part of an encryption algorithm, a key specifies how to transform plaintext into ciphertext during encryption and how to transform ciphertext into plaintext during decryption. Conceptually, Key Management recognizes two types of encryption keys. You can create master encryption keys using the Console or API. Key Management stores those keys in a key vault. After you have a master encryption key, you can then use the API to generate data encryption keys that the service returns to you. Key Management introduces master encryption keys as an Oracle Cloud Infrastructure resource.
Key vaults are logical entities where Key Management creates and durably stores your keys. Vaults are partitions on a hardware security module that are isolated from one another to ensure the security and integrity of the encryption keys that are stored on them. The type of vault you have determines features and functionality such as degrees of storage isolation, access to management and encryption, scalability, and pricing. At this time, the only type of vault you can create is a virtual private vault. Key Management designates vaults as an Oracle Cloud Infrastructure resource.
key versions
Each master encryption key is automatically assigned a key version. When you rotate a key, Key Management generates a new key version. Periodically rotating keys limits the amount of data encrypted by one key version. Key rotation thereby reduces the risk if a key is ever compromised. A key’s unique, Oracle-assigned identifier, called an Oracle Cloud ID (OCID), remains the same across rotations, but the key version enables Key Management to seamlessly rotate keys to meet any compliance requirements you might have. Although you can't use an older key version for encryption after you rotate it, the key version remains available to decrypt any data that it previously encrypted. Key Management removes the need for you to track which key version was used to encrypt what data because the key's ciphertext contains the information that Key Management requires for decryption.
hardware security modules
When you create a master encryption key using the Console or API, Key Management stores the key version within a hardware security module (HSM) to provide a layer of physical security. Any given key version, after it’s created, is replicated within the service infrastructure as a measure of protection against hardware failures. Key versions are not otherwise stored anywhere else and cannot be exported from an HSM. Key Management uses HSMs that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification. This means that the HSM hardware is tamper-evident, has physical safeguards for tamper-resistance, requires identity-based authentication, and deletes keys from the device when it detects tampering.
envelope encryption
The data encryption key used to encrypt your data is, itself, encrypted with a master encryption key. This concept is known as envelope encryption. Oracle Cloud Infrastructure services do not have access to the plaintext data without interacting with Key Management and without access to the master encryption key that is protected by Oracle Cloud Infrastructure Identity and Access Management (IAM). For decryption purposes, Object Storage, Block Volume, and File Storage store only the encrypted form of the data encryption key.

Regions and Availability Domains

You can use Key Management in the India West (Mumbai), South Korea Central (Seoul), Australia East (Sydney), Japan East (Tokyo), Canada Southeast (Toronto), Germany Central (Frankfurt), Switzerland North (Zurich), Brazil East (Sao Paulo), UK South (London), US East (Ashburn), and US West (Phoenix) regions. Unlike other Oracle Cloud Infrastructure services, however, Key Management does not have one regional endpoint for all API operations. The service has one regional endpoint for the provisioning service that handles create, update, and list operations for vaults. For create, update, and list operations for keys, service endpoints are distributed across multiple independent clusters.

Because Key Management has public endpoints, you can directly use data encryption keys generated by Key Management for cryptographic operations in your applications. However, if you want to use master encryption keys with a service that has integrated with Key Management, you can do so only when the service and the key vault that holds the key both exist within the same region.

Key Management maintains copies of encryption keys across all availability domains within a region. This replication makes it possible for Key Management to generate keys even when an availability domain is unavailable.

Private Access to Key Management

Key Management supports private access from Oracle Cloud Infrastructure resources in a virtual cloud network (VCN) through a service gateway. Setting up and using a service gateway on a VCN lets resources (such as the instances that your encrypted volumes are attached to) access public Oracle Cloud Infrastructure services such as Key Management without exposing them to the public internet. No internet gateway is required and resources can be in a private subnet and use only private IP addresses. For more information, see Access to Oracle Services: Service Gateway.

Resource Identifiers

Key Management introduces keys and vaults as Oracle Cloud Infrastructure resources. Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Ways to Access Oracle Cloud Infrastructure

You can access Oracle Cloud Infrastructure using the Console (a browser-based interface) or the REST API. Instructions for the Console and API are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface. Terraform does not currently support Key Management.

To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. You will be prompted to enter your cloud tenant, your user name, and your password.

For general information about using the API, see REST APIs.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up A collection of users who all need a particular type of access to a set of resources or compartment., A collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization., and An IAM document that specifies who has what type of access to your resources. It is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

Limits on Key Management Resources

See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.