Oracle Cloud Infrastructure Key Management is a managed service that enables you, the customer, to manage and control the AES symmetric keys used to encrypt your data at rest. Keys are stored in a FIPS 140-2 Level 3-certified Hardware Security Module (HSM) that is durable and highly available. The Key Management service is integrated with many Oracle Cloud Infrastructure services, including Block Volumes, File Storage, Oracle Container Engine for Kubernetes, and Object Storage.
An Oracle Vault is a logical grouping of keys. The Vault must be created before any keys are generated or imported. There are two types of Vaults, Private and Virtual, which differ in level of isolation, pricing, and processing capacity.
Each tenant can have zero to many Vaults. A private vault reserves 3,000 keys and has a dedicated partition on HSM. A partition is a physical boundary on the HSM, so Private Vaults have a high level of isolation. A Virtual Vault uses a multi-tenant partition so it has a moderate level of isolation, managed by software on the HSM.
Use the Key Management service if you need to store your Master Encryption Keys in an HSM to meet governance and regulatory compliance requirements or when you want more control over the cryptoperiod of the encryption keys used for your data.
Default is 10 Virtual Vaults with 100 keys per vault.
Default for Private Vault is 0, with 1000 keys per vault.
See Service Limits for reviewing and updating limits for the Key Management service. You can submit a ticket to request a limit increase at any time.
Ensure that the Limits for your tenancy allow for creation of the vault type you intend to create.
Ensure that IAM policies for the User account have the necessary permissions to create a Vault. See IAM Policy Reference to construct a statement.
You first create a Key Management key vault by selecting Security from the Oracle Cloud Infrastructure Console, and then Key Management.
Create a Vault and select from one of the two available Vault Types that best fits your isolation and processing requirements:
Create the [Master Encryption] Key(s) inside your Vault. Keys can be versioned as needed.
Ensure that the IAM policies for the service or entity calling Key Management grant the necessary permissions. Example: allow service objectstorage-us-ashburn-1 to use keys in compartment
Use the key(s):
Cryptographic operations are also available through the SDKs and the API. For more details, see Overview of Key Management in the documentation.
Monitor your usage of operations with metrics in the console and Monitoring service. Metrics and dimensions are here: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Reference/keymgmtmetrics.htm
Currently, the following services integrate with Key Management:
Several Marketplace offerings have native integration with Key Management service as well.
Customer-Managed means data encrypted in the storage service is transparently protected by Data Encryption Keys wrapped with your Key Management Master Encryption Keys.
Oracle-Managed means data is encrypted with an encryption key that Oracle maintains and shares across all Oracle-Managed storage in the region.
In either case, the data is encrypted at rest. Customer-managed gives you more control over isolation, versioning and cryptoperiod.
No. When you store your data with Oracle Cloud Infrastructure Block Volumes, File Storage Service, and Object Storage and don’t use Key Management, your data is protected using encryption keys that are securely stored and controlled by Oracle.
The following key management capabilities are available when you use the Key Management service:
Services that integrate with Key Management provide you with the following key management capabilities:
When you create a key, you can choose a key shape that indicates the key length and the algorithm used with it. All keys are Advanced Encryption Standard (AES), and you can choose from three key lengths: AES-128, AES-192, and AES-256. AES-256 is recommended.
Key Management is available in all Oracle Cloud Infrastructure regions.
Yes. You can rotate your keys regularly, in alignment with your security governance and regulatory compliance needs, or ad hoc in response to a security incident. Regularly rotating your keys (for example, every 90 days) by using the Console, API, or CLI limits the amount of data protected by any single key version.
Note: Rotating a key does not automatically re-encrypt data that was previously encrypted with the old key version; this data is re-encrypted the next time it’s modified by the customer. If you suspect that a key has been compromised, you should re-encrypt all data protected by that key and disable the prior key version.
Yes. The customer wraps the AES symmetric key material using an asymmetric RSA key pair (encrypting it with the RSA public key), and the wrapped key can then be imported into the Key Management service.
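The wrapping step described above, as an added example written for this page (not code from the page, the Oracle SDK, or the Key Management API): the AES key material is encrypted with the RSA public wrapping key so that only the holder of the private half can unwrap it. Everything here is local Go standard library code. The RSA key pair is generated locally as a stand-in for the vault's wrapping key pair, and RSA-OAEP with SHA-256 is an assumed wrapping scheme for the illustration; confirm the algorithm the import API actually expects in the Key Management documentation before using it against a real vault.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// NewWrappingKeyPair stands in for the vault's RSA wrapping key pair. With the
// real service you only obtain the public half; the private half stays in the HSM.
func NewWrappingKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// GenerateAESKey returns fresh random key material of the given size in bits.
func GenerateAESKey(bits int) ([]byte, error) {
	if bits != 128 && bits != 192 && bits != 256 {
		return nil, fmt.Errorf("unsupported AES key size %d", bits)
	}
	key := make([]byte, bits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapAESKeyForImport wraps raw AES key material under the public wrapping key
// with RSA-OAEP (SHA-256). The padding and hash are an assumption for this
// illustration, not a statement of what the import API requires.
func WrapAESKeyForImport(aesKey []byte, wrappingPub *rsa.PublicKey) ([]byte, error) {
	switch len(aesKey) {
	case 16, 24, 32: // AES-128, AES-192, AES-256
	default:
		return nil, fmt.Errorf("invalid AES key length %d bytes (want 16, 24 or 32)", len(aesKey))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, wrappingPub, aesKey, nil)
}

// UnwrapAESKey is the receiving side, which in practice happens inside the HSM.
// It is here only so the round trip can be checked locally.
func UnwrapAESKey(wrapped []byte, wrappingPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, wrappingPriv, wrapped, nil)
}

func main() {
	priv, err := NewWrappingKeyPair(2048) // assumption: 2048-bit wrapping key
	if err != nil {
		log.Fatal(err)
	}
	key, err := GenerateAESKey(256)
	if err != nil {
		log.Fatal(err)
	}
	wrapped, err := WrapAESKeyForImport(key, &priv.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("wrapped blob: %d bytes for a 2048-bit wrapping key\n", len(wrapped))
	back, err := UnwrapAESKey(wrapped, priv)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, key))
}
```

The length check matters because OAEP will happily wrap any short byte string; rejecting anything other than a valid AES key size before wrapping avoids a confusing failure on the import side. Zero the plaintext key material in memory once the wrapped blob has been produced and the import has succeeded.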
Yes, but not immediately. You can schedule the deletion of a key vault from Key Management by configuring a waiting period for deletion from 7 to 30 days. The key vault and all the keys created inside the key vault are deleted at the end of the waiting period, and all the data that was protected by those keys is no longer accessible. After a key vault is deleted, it can’t be recovered.
Yes, you can delete a key or a key version. You can disable a key, which will prevent any encrypt/decrypt operations using that key.
When you use a Private Vault to store your keys, you can create and store up to 3,000 key versions per key vault.
When you use a Virtual Vault to store your keys, there is no hard limit.
All key versions you store in a vault count towards this limit, regardless of the corresponding key being enabled or disabled.
You can request a limit increase for keys stored inside a Vault by following the steps in Requesting a Service Limit Increase of the Oracle Cloud Infrastructure documentation. As both enabled and disabled keys count towards the limit, Oracle recommends deleting disabled keys that you no longer use.
No. Instead, generate Data Encryption Keys (DEKs) that are wrapped with the Master Encryption Key, and encrypt your data with the DEK.
You can use the DEK with any encryption library (for example, Bouncy Castle or OpenSSL) to encrypt the data, storing only the wrapped DEK alongside the ciphertext.
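The envelope pattern from the two answers above, together with the rotation caveat from the key-rotation answer, as an added Go example written for this page (not code from the page or from Oracle): each object gets a fresh DEK, the data is encrypted with it using AES-GCM, only the DEK wrapped under the master key is stored, and the envelope records which master key version wrapped it. `LocalMasterKey` is a local stand-in for one Key Management master key version, with `Wrap`/`Unwrap` in place of the service's encrypt and decrypt calls; the type and function names and the sample record are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what gets stored with the data: the data ciphertext, the DEK
// wrapped under the master key, and the master key version that wrapped it.
type Envelope struct {
	MasterKeyVersion string
	WrappedDEK       []byte // nonce || AES-GCM(DEK) under the master key version
	Nonce            []byte
	Ciphertext       []byte // AES-GCM(data) under the DEK, tag included
}

// LocalMasterKey stands in for one master key version in Key Management. With
// the real service the key never leaves the HSM and Wrap/Unwrap are its encrypt
// and decrypt API calls; a local AES-256-GCM key is used so this runs offline.
type LocalMasterKey struct {
	Version string
	aead    cipher.AEAD
}

func gcm(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key) // keys are always 32 bytes here, so errors are fatal
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to carry on from
	}
	return b
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func NewLocalMasterKey(version string) *LocalMasterKey {
	return &LocalMasterKey{Version: version, aead: gcm(randomBytes(32))}
}

// Wrap encrypts a DEK under this version. The version string is bound in as
// associated data, so a wrapped DEK presented to another version fails to open.
func (m *LocalMasterKey) Wrap(dek []byte) []byte {
	nonce := randomBytes(m.aead.NonceSize())
	return append(nonce, m.aead.Seal(nil, nonce, dek, []byte(m.Version))...)
}

func (m *LocalMasterKey) Unwrap(wrapped []byte) ([]byte, error) {
	ns := m.aead.NonceSize()
	if len(wrapped) < ns {
		return nil, fmt.Errorf("wrapped DEK too short: %d bytes", len(wrapped))
	}
	return m.aead.Open(nil, wrapped[:ns], wrapped[ns:], []byte(m.Version))
}

// Encrypt uses a fresh 256-bit DEK per object and keeps only the wrapped DEK.
func Encrypt(master *LocalMasterKey, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	defer zero(dek) // plaintext DEK is never retained
	aead := gcm(dek)
	nonce := randomBytes(aead.NonceSize())
	return &Envelope{
		MasterKeyVersion: master.Version,
		WrappedDEK:       master.Wrap(dek),
		Nonce:            nonce,
		Ciphertext:       aead.Seal(nil, nonce, plaintext, nil),
	}
}

// Decrypt refuses an envelope wrapped by a different master key version. After a
// rotation, earlier objects still need the old version until they are
// re-encrypted under the new one, so the old version must stay enabled until then.
func Decrypt(master *LocalMasterKey, env *Envelope) ([]byte, error) {
	if env.MasterKeyVersion != master.Version {
		return nil, fmt.Errorf("envelope wrapped by version %q, not %q", env.MasterKeyVersion, master.Version)
	}
	dek, err := master.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	return gcm(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

To follow the rotation advice on this page, re-encrypt an object under the new version by calling `Decrypt` with the old version and `Encrypt` with the new one; once every envelope records the new version, the old version can be disabled. Binding the version name into the GCM associated data means a wrapped DEK cannot be accidentally or deliberately presented to the wrong key version without an authentication failure.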
Submit a Service Request with information on the Oracle Cloud Infrastructure bucket to have Oracle operations configure your vault to send logging to that bucket.
Oracle uses a cluster of six HSMs that have provided a historical availability of five nines (99.999%).
Currently, you can only use the keys in the region where you created them.
When using a Virtual Vault type, you pay based on the number of key versions that you create, and you are charged at the end of the month for that month's usage.
When using a Private Vault type, you pay an hourly fee for each vault that you create, and you are charged at the end of the month for that month’s usage. When storing your keys in a Private Vault type, you are not charged for the keys that you create inside your key vaults and use with supported Oracle Cloud Infrastructure services.
For current pricing, see the Key Management pricing page.
No, you aren't billed for a key vault that is scheduled for deletion. If you cancel the deletion of your key vault during the waiting period, billing resumes.
Yes, keys in pending deletion state still count toward your quota limit.
You control the keys that you create and store in Key Management. You define the key usage and management policies and grant Oracle IAM users, groups, or services the rights to use, manage, or associate your keys with resources.
When you request the service to create a key on your behalf, Key Management stores the key and all subsequent key versions in HSM backed key vaults.
When you request the service to create a key on your behalf inside a Private Vault, Key Management stores the key and all subsequent key versions in HSM backed key vaults using per-customer isolated partitions inside FIPS 140-2, Security Level 3 certified hardware security modules (HSMs) (you can view the FIPS 140-2 Security policy for the hardware used to back your key vault here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2850.pdf).
All key vault types containing your keys are replicated multiple times within a region to ensure the durability and availability of the keys. Plain-text key material can never be viewed or exported from the key vault. Only users, groups, or services that you authorize via an IAM policy can use the keys by invoking Key Management to encrypt or decrypt data.
No. Your encryption keys are stored only in key vaults that are hosted inside FIPS 140-2, Level 3 certified HSMs, and you can’t export them from the key vaults.
Limit vault deletion permissions to a minimal set of users by granting the 'use' verb in IAM policies rather than 'manage' wherever possible. Example: allow group VaultOperators to use vaults in compartment
Limit who can associate vaults and keys with storage resources, so that an unauthorized key cannot be substituted for the intended one.
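An added policy fragment illustrating the two points above (not from the page or from Oracle's documentation): the group and compartment names are hypothetical, while the verbs (use, manage), the resource types (vaults, keys) and the service principal form follow the page's own examples. The first block grants every operator full management rights; the second separates day-to-day use from the ability to delete, and gives the storage service only what it needs to wrap DEKs.

```text
# Too broad: everyone who works with keys can also delete vaults and keys.
allow group KeyOperators to manage vaults in compartment Finance
allow group KeyOperators to manage keys in compartment Finance

# Separated: operators can use vaults and keys but not delete them;
# creation, rotation and deletion stay with a small admin group.
allow group VaultOperators to use vaults in compartment Finance
allow group VaultOperators to use keys in compartment Finance
allow group KeyAdmins to manage vaults in compartment Finance
allow group KeyAdmins to manage keys in compartment Finance

# The storage service only needs to use keys, never to manage them.
allow service objectstorage-us-ashburn-1 to use keys in compartment Finance
```

Keep the admin group small and review its membership alongside the vault deletion waiting period: a scheduled deletion is the one operation this policy cannot undo once the waiting period ends.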
A common pattern example is here.