Oracle Cloud Infrastructure Key Management is a managed service that enables you to encrypt your data using keys that you control. Key Management provides you with centralized key management capabilities, highly available, durable, and secure key storage using per-customer isolated partitions in FIPS 140-2 Level 3 certified hardware security modules (HSMs), and integration with select Oracle Cloud Infrastructure services.
Use the Key Management service if you need to ensure and verify your security governance, regulatory compliance, and homogeneous encryption of data at rest. It does this by centrally managing, storing, and monitoring the life cycle of the keys that you use to protect your data.
You first create a Key Management key vault in the Governance and Administration section of the Oracle Cloud Infrastructure Console. Then you create keys inside your key vault that you later use with supported Oracle Cloud Infrastructure services. To encrypt your data using these keys, you simply select a key from the Key Management service when you create or update a block volume or bucket. You can use the Key Management service through the Console, API, or CLI to create, use, rotate, enable, and disable your encryption keys. For more information, see Overview of Key Management in the documentation.
Currently, Oracle Cloud Infrastructure Block Volumes (including Oracle Cloud Infrastructure Compute boot volumes) and Oracle Cloud Infrastructure Object Storage integrate with Key Management to protect the data that you store with these services using keys that you control.
No. When you store your data with Oracle Cloud Infrastructure Block Volumes, File Storage Service, and Object Storage and don’t use Key Management, your data is protected using encryption keys that are securely stored and controlled by Oracle.
The following key management capabilities are available when you use the Key Management service:
Services that integrate with Key Management provide you with the following key management capabilities:
When you request Key Management to create a key on your behalf, you can choose a key shape that indicates the key length and the algorithm used with it. Currently, all keys are Advanced Encryption Standard (AES) keys, and you can choose from three key lengths: AES-128, AES-192, and AES-256.
Key Management is available in all Oracle Cloud Infrastructure regions.
Yes. You can rotate your keys on a regular schedule in alignment with your security governance and regulatory compliance needs, or ad hoc in response to a security incident. Regularly rotating your keys (for example, every 90 days) by using the Console, API, or CLI limits the amount of data protected by a single key.
Note: Rotating a key does not automatically re-encrypt data that was previously encrypted with the old key version; this data is re-encrypted the next time it’s modified by the customer. If you suspect that a key has been compromised, you should re-encrypt all data protected by that key and disable the prior key version.
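The rotation note above and the key shapes listed earlier, worked through in code. This is an added example and not Oracle's code or API: the `ManagedKey` class, its `rotate`, `disable_version` and `reencrypt` methods, and the key and data names are hypothetical, and an HMAC-SHA256 counter-mode keystream stands in for the AES cipher the real service uses so that the script runs with the Python standard library only. It shows that rotation only creates a new current version, that ciphertext written under the old version stays readable until that version is disabled, and that data is carried over to the new version only when it is rewritten.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Key shapes named on the page (AES-128/192/256); values are key lengths in bytes.
KEY_SHAPES = {"AES-128": 16, "AES-192": 24, "AES-256": 32}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF: a stand-in for AES in this
    # illustration, not a production cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


@dataclass
class KeyVersion:
    version_id: int
    material: bytes      # stays inside the vault; callers never see it
    enabled: bool = True


@dataclass
class ManagedKey:
    """Hypothetical model of a key with numbered versions (not the OCI API)."""
    name: str
    shape: str
    versions: dict = field(default_factory=dict)
    current: int = 0

    def __post_init__(self):
        if self.shape not in KEY_SHAPES:
            raise ValueError(f"unsupported key shape {self.shape!r}")
        self.rotate()  # creates version 1

    def rotate(self) -> int:
        # Rotation only mints a new current version; existing ciphertext is untouched.
        self.current += 1
        self.versions[self.current] = KeyVersion(self.current, os.urandom(KEY_SHAPES[self.shape]))
        return self.current

    def disable_version(self, version_id: int) -> None:
        self.versions[version_id].enabled = False

    def encrypt(self, plaintext: bytes) -> bytes:
        # The blob carries the version id so decrypt can select the right material.
        kv = self.versions[self.current]
        nonce = os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kv.material, nonce, len(plaintext))))
        return kv.version_id.to_bytes(4, "big") + nonce + ct

    def decrypt(self, blob: bytes) -> bytes:
        kv = self.versions.get(self.version_of(blob))
        if kv is None or not kv.enabled:
            raise PermissionError(f"key version {self.version_of(blob)} is disabled or unknown")
        nonce, ct = blob[4:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(kv.material, nonce, len(ct))))

    def reencrypt(self, blob: bytes) -> bytes:
        # What happens when the customer rewrites data after a rotation.
        return self.encrypt(self.decrypt(blob))

    @staticmethod
    def version_of(blob: bytes) -> int:
        return int.from_bytes(blob[:4], "big")


def rotation_walkthrough() -> dict:
    """Run the rotation scenario from the note and report what stays readable."""
    data = b"block written before rotation"          # constructed sample data
    key = ManagedKey("volume-key", "AES-256")
    old_blob = key.encrypt(data)
    key.rotate()
    readable_after_rotation = key.decrypt(old_blob) == data
    new_blob = key.reencrypt(old_blob)               # data rewritten after rotation
    key.disable_version(1)                           # compromise response from the note
    try:
        key.decrypt(old_blob)
        stale_readable = True
    except PermissionError:
        stale_readable = False
    return {
        "old_version": key.version_of(old_blob),
        "new_version": key.version_of(new_blob),
        "readable_after_rotation": readable_after_rotation,
        "reencrypted_readable_after_disable": key.decrypt(new_blob) == data,
        "stale_readable_after_disable": stale_readable,
    }


if __name__ == "__main__":
    for step, result in rotation_walkthrough().items():
        print(f"{step}: {result}")
```

The order of operations in `rotation_walkthrough` is the point: re-encrypt everything that still references the old version first, then disable it. Disabling first would make the unrewritten data unreadable, which is exactly the situation the note warns about.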
No. Currently, you can’t import a key from your existing key management solution to the Key Management service.
Yes. You can schedule the deletion of a key vault from Key Management by configuring a waiting period for deletion from 7 to 30 days. The key vault and all the keys created inside the key vault are deleted at the end of the waiting period, and all the data that was protected by those keys is no longer accessible. After a key vault is deleted, it can’t be recovered.
No. Currently, you can’t delete keys.
You can create or store up to 1,000 key versions per key vault. All key versions you store in a vault count towards this limit, regardless of whether the corresponding key is enabled or disabled. You can request a limit increase for keys stored inside a key vault by following the steps in Requesting a Service Limit Increase in the Oracle Cloud Infrastructure documentation.
When using Key Management, you pay an hourly fee for each key vault that you create, and you are charged at the end of the month for that month’s usage. You are not charged for the keys that you create inside your key vaults and use with supported Oracle Cloud Infrastructure services. For current pricing, see the Key Management pricing page.
No, you aren’t billed for the use of a key vault that is scheduled for deletion. If you cancel the deletion of your key vault during the waiting period, billing resumes.
You control the keys that you create and store in Key Management. You define the key usage and management policies and grant Oracle IAM users, groups, or services the rights to use, manage, or associate your keys with resources.
When you request the service to create a key on your behalf, Key Management stores the key and all subsequent key versions in key vaults that use per-customer isolated partitions inside FIPS 140-2 Level 3 certified hardware security modules (HSMs). You can view the FIPS 140-2 security policy for the hardware used to back your key vault at https://csrc.nist.gov. All key vaults that contain your keys are replicated multiple times within a region to ensure the durability and availability of the keys. Plain-text key material can never be viewed or exported from the key vault. Only users, groups, or services that you authorize via an IAM policy can use the keys by invoking Key Management to encrypt or decrypt the data.
No. Your encryption keys are stored only in key vaults that are hosted inside FIPS 140-2 Level 3 certified HSMs, and you can’t export them from the key vaults.
Currently, Key Management stores your keys, and you can use them only in the region in which you created them.