Oracle Cloud Infrastructure Documentation

Using Keys

This topic describes what you can do with keys in terms of cryptographic operations. For information about managing keys, see Managing Keys. For information about managing the vaults in which you store keys, see Managing Vaults.

Cryptographic operations include the following:

  • Encrypting data
  • Decrypting data
  • Generating data encryption keys

You can use either the command line interface (CLI) or API to perform cryptographic operations.

Required IAM Policy


Keys associated with volumes and buckets will not work unless you authorize Oracle Cloud Infrastructure Block Volume and Oracle Cloud Infrastructure Object Storage to use keys on your behalf. You must also authorize users to delegate key usage to these services in the first place. For more information, see Let a user group delegate key usage in a compartment and Let Block Volume and Object Storage services encrypt and decrypt volumes and buckets in Common Policies.

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

A policy is an IAM document that specifies who has what type of access to your resources. The term is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization.

For administrators: For typical policies that give access to keys and vaults, see Let security admins manage vaults and keys.

Also, be aware that a policy statement with inspect vaults gives the specified group the ability to see all information about the vaults. Likewise, a policy statement with inspect keys gives the specified group the ability to see all information about the keys. For more information, see Details for the Key Management Service.

If you're new to policies, see Getting Started with Policies and Common Policies.

Monitoring Resources

You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring Overview and Notifications Overview.

For information about monitoring the traffic associated with your master encryption keys, see Key Management Metrics.

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Help.


Each vault has a unique endpoint for create, update, and list operations for keys. This endpoint is referred to as the control plane URL or management endpoint. Each vault also has a unique endpoint for cryptographic operations. This endpoint is known as the data plane URL or the cryptographic endpoint. When using the CLI for key operations, you must provide the appropriate endpoint for the type of operation. To retrieve a vault's endpoints, see instructions in To view vault configuration details.

To encrypt data by using your Key Management master encryption key
To decrypt data by using your Key Management master encryption key
To generate a data encryption key from your Key Management master encryption key
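
The endpoint rule above, as an added shell sketch that is not part of the original documentation: it builds the `oci kms` commands for the three cryptographic operations and refuses to pair an operation with the wrong kind of endpoint. The endpoint URLs and key OCID are constructed placeholders, the hostname pattern (`-crypto.kms.` / `-management.kms.`) is an assumption to check against your vault's configuration details, and the helper names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. All values below are constructed placeholders, not real resources.
CRYPTO_ENDPOINT="https://examplevault-crypto.kms.us-phoenix-1.oraclecloud.com"
MGMT_ENDPOINT="https://examplevault-management.kms.us-phoenix-1.oraclecloud.com"
KEY_OCID="ocid1.key.oc1..exampleuniqueID"

# Classify a vault endpoint by hostname (assumed naming pattern).
# This guards against mix-ups; it is not a trust decision about the URL.
endpoint_kind() {
  case "$1" in
    https://*-crypto.kms.*)     echo crypto ;;
    https://*-management.kms.*) echo management ;;
    *)                          echo unknown ;;
  esac
}

# kms GROUP ENDPOINT ARGS...: GROUP is "crypto" (encrypt, decrypt, generate a
# data encryption key) or "management" (create, update, list keys).
# Prints the command; set RUN=1 to execute it with a configured OCI CLI.
kms() {
  group=$1; endpoint=$2; shift 2
  if [ "$(endpoint_kind "$endpoint")" != "$group" ]; then
    echo "refusing: $group operation with $(endpoint_kind "$endpoint") endpoint" >&2
    return 1
  fi
  if [ "${RUN:-0}" = 1 ]; then
    oci kms "$group" "$@" --endpoint "$endpoint"
  else
    echo "oci kms $group $* --endpoint $endpoint"
  fi
}

# The CLI takes the plaintext as a base64-encoded string.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

encrypt_cmd() { kms crypto "$CRYPTO_ENDPOINT" encrypt --key-id "$KEY_OCID" --plaintext "$(b64 "$1")"; }
decrypt_cmd() { kms crypto "$CRYPTO_ENDPOINT" decrypt --key-id "$KEY_OCID" --ciphertext "$1"; }
# Returns the plaintext data key too: use it in memory, store only the wrapped copy.
gen_dek_cmd() { kms crypto "$CRYPTO_ENDPOINT" generate-data-encryption-key --key-id "$KEY_OCID" \
  --include-plaintext-key true --key-shape '{"algorithm":"AES","length":32}'; }
list_keys_cmd() { kms management "$MGMT_ENDPOINT" key list --compartment-id "$1"; }

# Dry-run demo: print each command; the last call is a deliberate mismatch.
encrypt_cmd "hello"
gen_dek_cmd
list_keys_cmd "ocid1.compartment.oc1..exampleuniqueID"
kms crypto "$MGMT_ENDPOINT" encrypt --key-id "$KEY_OCID" || echo "blocked as expected"
```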

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operations to use keys in cryptographic operations: