The Oracle Cloud Infrastructure (OCI) Key Management Service (KMS) is a cloud-based service that provides centralized management and control of encryption keys for data stored in OCI. OCI KMS is customer-managed encryption and offers the following services:
To learn more about OCI encryption offerings refer this blog.
OCI KMS uses HSMs that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification to protect your keys. The FIPS certificate can be found on the NIST Cryptographic Module Validation Program (CMVP) website here.
OCI KMS has been validated with the functionality and security controls to help you meet the encryption and key management requirements of the PCI DSS 3.2.1 (primarily referenced in sections 3.5 and 3.6).
OCI KMS supports varied functionalities to enable you to control your keys and ensure the required security protection for your data in OCI services. Below is the feature matrix for critical functionalities across different services within OCI KMS.
|Capabilities||Virtual vault||Private vault||Dedicated KMS (Coming soon)||External KMS|
|FIPS 140-2 Level 3 HSMs||Yes||Yes||Yes||External|
|Symmetric (AES) encryption||Yes||Yes||Yes||Yes|
|Asymmetric (RSA and ECDSA) encryption||Yes||Yes||Yes||No|
|Cross region replication||Coming soon||Yes||No||No|
|Bring Your Own Key||Yes||Yes||Yes||External|
|OCI Services Integration (Storage, Database, SaaS)||Yes||Yes||No||Yes|
|Automatic key rotation||Coming soon||Coming soon||No||No|
Oracle uses a cluster of nodes and HSMs to store replicas of your keys in the same region where they were created, which enables us to provide 99.9% service level agreement (SLA) and 99.99 % service level objective (SLO) for key management. Please see Oracle PaaS and IaaS Public Cloud Services Pillar Document.
A key is stored and used only in the region in which it was created. If you want to backup/replicate your keys to another region in the realm to meet compliance or DR requirements, you can use cross-region backup and restore or cross-region replication.
OCI KMS is a cloud native key management service that Oracle recommends for all your cloud applications. OCI KMS is natively integrated to many OCI services related to Storage, Database, and SaaS services such as FA. If you are looking for a centralized key management in Oracle Cloud and a managed service for all your cloud applications with pay-as-you-go pricing structure, then OCI KMS is the one Oracle recommends.
Oracle Key Vault is another key management product from Oracle. Oracle Key Vault provides key management for TDE-enabled Oracle Databases running in both on-premises (including Oracle Exadata Cloud@Customer and Oracle Autonomous Database—Dedicated) and OCI as well as key management for encrypted Oracle GoldenGate trail files and encrypted Oracle Automatic Storage Management Cluster File Systems.
OCI KMS is available in all OCI regions and realms including Government, EU Sovereign Cloud, Oracle National Security Regions, and OCI Dedicated Region Cloud@Customer. You can learn more about region availability and OCI KMS offerings in our documentation and blogs.
OCI Vault is a secure, resilient fully managed service that lets you focus on your data encryption needs without worrying about time-consuming administrative tasks required to achieve high availability, such as hardware provisioning and software patching. Vault uses HSMs that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification to protect your keys. OCI Vault is Oracle’s native Gen 2 Cloud encryption service.
Vault support different types of encryption keys—symmetric (AES keys) and asymmetric (RSA and ECDSA keys)—and a generic set of workloads, including Oracle Exadata Cloud Service, Oracle Autonomous Database, Transparent Data Encryption in Oracle Database, and non-database workloads.
There are two types of OCI Vault: Private Vault and the default Virtual Vault. The type of Vault you create determines the degree of isolation and performance for your keys. Each tenant can have zero to many Vaults.
A Private Vault provides dedicated partition on the HSM (single tenant). A partition is a physical boundary on the HSM which is isolated from other partitions. Private Vault provides better and consistent transactions per second for cryptographic operations. These are single-tenant HSMs. Private Vaults also have additional features such as Cross Region Replication and Cross Region Backup and Restore of Keys.
The default Virtual Vault uses a multitenant partition, providing a moderate level of isolation.
Both Vault options enable you to create master encryption keys stored in one of the following ways:
The following key management capabilities are available when you use OCI Vault:
In OCI Vault you can create Advanced Encryption Standard (AES-GCM), Rivest-Shamir-Adleman (RSA), and Elliptic Curve Digital Signature Algorithm (ECDSA) keys. For AES keys, you can choose from three key lengths: AES-128, AES-192, and AES-256. AES-256 is recommended. OCI Vault supports the following asymmetric key types: RSA 2048, RSA 3072, RSA 4096, NIST P-256, NIST P384, and ECC_NIST521.
You can create and use AES symmetric keys and RSA asymmetric keys for encryption and decryption. You can also use RSA or ECDSA asymmetric keys for signing digital messages.
For more details and to get started, see Overview of OCI Vault.
You can directly submit data to key management APIs to encrypt and decrypt using your master encryption keys stored in the Vault. Also, you can encrypt your data locally within your applications and OCI services using a method known as envelope encryption.
With envelope encryption, you generate and retrieve data encryption keys (DEKs) from key management APIs. DEKs are not stored or managed in the key management service, but are encrypted by your master encryption key. Your applications can use DEKs to encrypt your data and store the encrypted DEKs along with the data. When your applications want to decrypt the data, you should call decrypt to the key management API on the encrypted DEK to retrieve the DEK. You can the decrypt your data locally with the DEK.
Key management supports sending up to 4 KB of data to be encrypted directly. In addition, envelope encryption can offer significant performance benefits. When you encrypt data directly with key management APIs, it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller DEKs go over the network. The DEK is used locally in your application or encrypting OCI service, avoiding the need to send the entire block of data.
Yes. You can import a copy of your key from your own key management infrastructure to OCI Vault and use it with any integrated OCI services or from within your own applications. You can import all algorithms of keys: AES, RSA, and ECDSA keys. Import of both types of keys is supported—HSM as well as software keys. Note: You cannot export HSM keys out of the HSM.
Yes. You can regularly rotate your keys in alignment with your security governance and regulatory compliance needs or do it ad hoc in case of a security incident. Regularly rotating your keys (for example, every 90 days) by using the console, API, or CLI, limits the amount of data protected by a single key.
Note: Rotating a key does not automatically re-encrypt data that was previously encrypted with the old key version; this data is re-encrypted the next time it’s modified by the customer. If you suspect that a key has been compromised, you should re-encrypt all data protected by that key and disable the prior key version.
Yes, but not immediately. You can schedule the deletion of a Vault, key, or key version by configuring a waiting period from 7 to 30 days.
For Vault deletion, the Vault and all the keys created inside the Vault are deleted at the end of the waiting period, and all the data that was protected by those keys is no longer accessible. After a Vault is deleted, it can’t be recovered.
You can also disable a key, which will prevent any encrypt/decrypt operations using that key.
Yes. Vault supports cross-region replication of keys and vaults. You can replicate Private Vaults from one region to another region to make them and the keys that they contain available to meet compliance requirements or to improve latency.
When you configure cross-region replication for a Private Vault, the Vault service automatically synchronizes the creation, deletion, update, or move of any keys or key versions between the initiating vault and a vault in one destination region. The vault from which the service replicates data is known as the source vault. The vault in the destination region to which the service replicates data from the source vault is known as the vault replica. The service supports cryptographic operations against the vault and keys in the destination region.
OCI Vault also supports cross-region backup and restore for Private Vault so that keys can be used in a region different from where they were created. Backup and restore meets FIPS requirements as real key materials are not exported, rather a binary object that represents the key material. Restore operations can happen only to the OCI-managed HSMs.
You are charged based on the type of Vault that’s created.
By default, your Vault is charged based on the number of key versions. Software-protected keys are free, but HSM-protected keys are charged 53 cents per key version. (The first 20 key versions are free). However, if you create a Private Vault (single-tenant HSM), you are priced per hour. The pricing starts from the time of creation of the Vault and continues until the Vault is scheduled to be deleted. You are not charged for key versions within a Private Vault.
You are not billed based on the number of API requests for Vaults and keys made to the service for any of the management or cryptographic operations.
For more details, please refer to Oracle Cloud Security pricing.
Keys scheduled for deletion: You aren’t billed for the keys that are scheduled for deletion. If you cancel the deletion of your keys, then the billing resumes.
The Private Vault limit is 0 by default. Users should request a limit increase to use it. Once Private Vault is enabled, users get a soft limit of 1,000 and hard limit of 3,000 symmetric key versions.
When you use the default Virtual Vault to store your keys, there is no hard limit. The default is 10 Vaults with 100 keys per Vault.
All key versions you store in a Vault count toward this limit, regardless of the corresponding key being enabled or disabled.
The limits imposed on OCI Vault are governed by OCI service limits. Default limits are set for all tenancies. Customers can request a service limit increase for keys stored inside a Vault by following the steps described here in the Oracle Cloud Infrastructure documentation. As both enabled and disabled keys count toward the limit, Oracle recommends deleting disabled keys that you no longer use.
When you use OCI Key Management Service to encrypt or decrypt data, only users, groups, or services that you authorize via an OCI IAM policy can manage and use the keys. You can enforce fine-grained usage and management policies to give specific users specific permissions.
To track lifecycle state changes, you can use logs in OCI Audit, which will show all OCI Vault management request details, such as create, rotate, disable, and more, for all the Vaults, keys or key versions in your tenancy.
OCI External KMS is a service that allows customers to use encryption keys that are stored and managed outside OCI. This can be useful for customers who have regulatory requirements to store encryption keys on-premises or outside OCI, or who want to have more control over their encryption keys. Please refer to this blog for additional details.
The service helps customers address the following:
OCI External KMS gives customers more control over their encryption keys, but it also comes with operational responsibility: Customers must administer, manage, and maintain encryption keys and hardware security modules (HSMs) on-premises. This is a different ownership model than the existing OCI Vault service, where Oracle manages and administers the HSM infrastructure on behalf of customers.
To rotate a key (also known as a key reference) in OCI External KMS, you will need to first rotate keys in the Thales CipherTrust Manager using the step below, as the key material is stored outside OCI.
In OCI, you can then click Rotate Key Reference and type the External Key Version ID from the previous step.
OCI External KMS supports symmetric encryption keys and is compatible with applications that are already integrated with OCI Vault. As a result, customers don’t have to modify applications to benefit from OCI External KMS—they can use and associate keys in the same way they would with OCI Vault and with the same SLA of 99.9%.
The following services are integrated with OCI Vault and can benefit from OCI External KMS without any changes:
OCI External KMS is designed in such a way that OCI doesn’t have any access to the actual cryptographic key material. Once a customer has blocked the key in the Thales CipherTrust Manager, OCI has no way to use the key reference to decrypt data or perform any operation using that key reference.
You can also then disable/delete the key references from your OCI console.
OCI External KMS currently does not support cross-region replication of keys/vaults.
OCI External KMS costs US$3 per key version per month, and there is no additional cost for the use of these key versions. Customers have a soft limit of 10 vaults and 100 key versions per vault. Please contact Thales to learn about CipherTrust Manager pricing and limits.
You can learn more about OCI External KMS by reading the technical documentation or by trying it out in the OCI console. Access the External KMS in the OCI console by selecting Identity and Security in the OCI navigation menu, then Key Management and Secret Management, and then External Key Management.