Frequently Asked Questions

    General Questions

  • What is Oracle Cloud Infrastructure Key Management?

    Oracle Cloud Infrastructure Key Management is a managed service that enables you, the customer, to manage and control the AES symmetric keys used to encrypt your data at rest. Keys are stored in FIPS 140-2 Level 3 certified Hardware Security Modules (HSMs) that are durable and highly available. The Key Management service is integrated with many Oracle Cloud Infrastructure services, including Block Volumes, File Storage, Oracle Container Engine for Kubernetes, and Object Storage.

  • What is a Vault?

    A Vault is a logical grouping of keys. The Vault must be created before any keys are generated or imported. There are two types of Vaults, Private and Virtual, which offer different levels of isolation, pricing and processing.

  • How are Oracle Cloud Infrastructure tenants separated in the HSM?

    Each tenant can have zero to many Vaults. A Private Vault reserves 3,000 keys and has a dedicated partition on the HSM. A partition is a physical boundary on the HSM, so Private Vaults have a high level of isolation. A Virtual Vault uses a multi-tenant partition, so it has a moderate level of isolation, managed by software on the HSM.

  • When should I use the Key Management service?

    Use the Key Management service if you need to store your Master Encryption Keys in an HSM to meet governance and regulatory compliance requirements or when you want more control over the cryptoperiod of the encryption keys used for your data.

  • What are the default Limits for Key Management?

    The default is 10 Virtual Vaults with 100 keys per vault.

    The default for Private Vaults is 0, with 1,000 keys per vault.

    See Service Limits for reviewing and updating the limits for the Key Management service. You can submit a ticket to request a limit increase at any time.

  • How do I get started with Key Management service?

    Ensure that the Limits for your tenancy allow for creation of the vault type you intend to create.

    Ensure that IAM policies for the User account have the necessary permissions to create a Vault. See IAM Policy Reference to construct a statement.

    You first create a Key Management key vault by selecting Security from the Oracle Cloud Infrastructure Console, and then Key Management.

    Create a Vault and select from one of the two available Vault Types that best fits your isolation and processing requirements:

    • Private (VIRTUAL_PRIVATE): Choose a Private Vault if you require increased isolation on the HSM cluster and dedicated processing of encrypt/decrypt operations. The Private Vault uses Universal Credits at a higher rate.
    • Virtual (VIRTUAL): Choose a Virtual Vault if you want a lower priced metric based on key versions and are willing to accept a moderate isolation (multi-tenant partition in HSM) and shared processing for encrypt/decrypt operations.

    Create the [Master Encryption] Key(s) inside your Vault. Keys can be versioned as needed.

    Ensure that the IAM policies for the service or entity calling Key Management have the necessary permissions. Example: allow service objectstorage-us-ashburn-1 to use keys in compartment

    Use the key(s):

    • With native Oracle Cloud Infrastructure storage: When creating storage (bucket, file, volume), mark with "ENCRYPT USING CUSTOMER-MANAGED KEYS", then select the Vault and the Master Encryption Key. Data in that bucket/volume/file storage will be encrypted with a data encryption key wrapped with the Master Encryption Key in Vault.
    • With crypto operations, using Command Line Interface (CLI) as an example:
      oci kms crypto encrypt --key-id --plaintext

    Crypto operations are available in SDK and API as well. For more details, see Overview of Key Management in the documentation.

    Monitor your usage of operations with metrics in the console and Monitoring service. Metrics and dimensions are here:

  • Which Oracle Cloud Infrastructure services integrate with Key Management?

    Currently, the following services integrate with Key Management:

    • Block Volumes (including cross-region backups/restores and Oracle Cloud Infrastructure Compute boot volumes)
    • Object Storage
    • File Storage Service
    • Oracle Container Engine for Kubernetes

    Several Marketplace offerings have native integration with Key Management service as well.

  • What is the difference between Oracle-Managed and Customer-Managed Encryption?

    Customer-Managed means data encrypted in the storage service is transparently protected by Data Encryption Keys wrapped with your Key Management Master Encryption Keys.

    Oracle-Managed means data is encrypted with an encryption key that Oracle maintains and that is shared by all Oracle-Managed storage in the region.

    In either case, the data is encrypted at rest. Customer-managed gives you more control over isolation, versioning and cryptoperiod.

  • Do I need to use Key Management for my data to be protected where it is stored?

    No. When you store your data with Oracle Cloud Infrastructure Block Volumes, File Storage Service, and Object Storage and don’t use Key Management, your data is protected using encryption keys that are securely stored and controlled by Oracle.

  • What capabilities does Key Management provide?

    The following key management capabilities are available when you use the Key Management service:

    • Create highly available key vaults to durably store your encryption keys
    • Bring your own symmetric key
    • Disable and re-enable keys
    • Rotate and version your keys
    • Constrain permissions on Vault and Keys using IAM policies
    • Monitor the lifecycle of your keys and vaults by using Oracle Audit
    • Monitor the crypto operations using your keys
    • Delete keys that you no longer use
    • Delete key vaults that you no longer use

  • What key management capabilities are provided by services that integrate with Key Management?

    Services that integrate with Key Management provide you with the following key management capabilities:

    • Assign a key to a new resource
    • Add a key assignment to an existing resource
    • Change the key assignment for an existing resource
    • Remove the key assignment

  • What shape/length of keys can I create and store in Key Management?

    When you create a key, you can choose a key shape that indicates the key length and the algorithm used with it. All keys are Advanced Encryption Standard (AES), and you can choose from three key lengths: AES-128, AES-192, and AES-256. AES-256 is recommended.

  • Which Oracle Cloud Infrastructure regions is Key Management available in?

    Key Management is available in all Oracle Cloud Infrastructure regions.

    Managing Keys and Key Vaults

  • Can I rotate my keys?

    Yes. You can rotate your keys regularly, in line with your security governance and regulatory compliance needs, or ad hoc in the event of a security incident. Regularly rotating your keys (for example, every 90 days) by using the Console, API, or CLI limits the amount of data protected by a single key.

    Note: Rotating a key does not automatically re-encrypt data that was previously encrypted with the old key version; this data is re-encrypted the next time it’s modified by the customer. If you suspect that a key has been compromised, you should re-encrypt all data protected by that key and disable the prior key version.

  • Can I import keys into Key Management?

    Yes. You must first wrap the AES symmetric key using an asymmetric RSA key pair; the wrapped key can then be imported into the Key Management service.

  • Can I delete a key vault from Key Management?

    Yes, but not immediately. You can schedule the deletion of a key vault from Key Management by configuring a waiting period for deletion from 7 to 30 days. The key vault and all the keys created inside the key vault are deleted at the end of the waiting period, and all the data that was protected by those keys is no longer accessible. After a key vault is deleted, it can’t be recovered.

  • Can I delete a key or key version?

    Yes, you can delete a key or a key version. You can also disable a key, which prevents any encrypt/decrypt operations that use it.

  • Is there a hard limit to the number of keys that I can create or store per key vault in Key Management?

    When you use a Private Vault to store your keys, you can create and store up to 3,000 key versions per key vault.

    When you use a Virtual Vault to store your keys, there is no hard limit.

    All key versions you store in a vault count towards this limit, regardless of whether the corresponding key is enabled or disabled.

    You can request a limit increase for keys stored inside a Vault by following the steps in Requesting a Service Limit Increase of the Oracle Cloud Infrastructure documentation. As both enabled and disabled keys count towards the limit, Oracle recommends deleting disabled keys that you no longer use.

    Using Keys

  • Do I always have to use the keys in Key Management service directly?

    No. You can generate Data Encryption Keys (DEKs) that are wrapped with your Master Encryption Keys and encrypt your data with the DEK.

  • How do I use a DEK (data encryption key) to encrypt/decrypt data?

    You can use it with any encryption library (for example, Bouncy Castle or OpenSSL) to encrypt the data.
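    As an added example (not Oracle's code or SDK), the envelope pattern described in the two answers above, combined with the earlier note on rotation: a hypothetical Vault type stands in for the HSM-backed service, the application seals data locally with a DEK and stores only the wrapped DEK plus the MEK version that wrapped it, and rotating the MEK leaves older envelopes readable until that version is disabled. All type and function names are assumed and the sample data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the application stores: ciphertext under a DEK, the wrapped DEK, and the MEK version that wrapped it.
type Envelope struct {
	KeyVersion int
	WrappedDEK []byte
	Ciphertext []byte
}
// Vault is a hypothetical stand-in for the HSM-backed service (not the OCI SDK); MEK versions never leave it.
type Vault struct {
	mek      [][]byte // mek[i] is MEK version i+1, always 32 bytes (AES-256)
	disabled []bool
}
func NewVault() *Vault { v := &Vault{}; v.Rotate(); return v }
// Rotate adds a MEK version; older versions keep unwrapping until Disable is called on them.
func (v *Vault) Rotate()         { v.mek = append(v.mek, randBytes(32)); v.disabled = append(v.disabled, false) }
func (v *Vault) Disable(ver int) { if ver >= 1 && ver <= len(v.disabled) { v.disabled[ver-1] = true } }
// Encrypt is the envelope step: a fresh DEK seals the data locally, the vault wraps the DEK under the newest MEK version, and the plaintext DEK is not kept.
func (v *Vault) Encrypt(data []byte) Envelope {
	dek, cur := randBytes(32), len(v.mek)
	return Envelope{cur, seal(v.mek[cur-1], dek), seal(dek, data)}
}
// Decrypt unwraps the DEK under the recorded version, refusing unknown or disabled versions.
func (v *Vault) Decrypt(e Envelope) ([]byte, error) {
	if e.KeyVersion < 1 || e.KeyVersion > len(v.mek) || v.disabled[e.KeyVersion-1] {
		return nil, errors.New("MEK version unknown or disabled")
	}
	dek, err := open(v.mek[e.KeyVersion-1], e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
// AES-GCM helpers: seal prefixes a random 12-byte nonce, open checks the length and strips it off.
func randBytes(n int) []byte     { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { c, _ := aes.NewCipher(key); a, _ := cipher.NewGCM(c); return a }
func seal(key, pt []byte) []byte { n := randBytes(12); return gcm(key).Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
```

    After Rotate, an envelope written under version 1 still decrypts; only Disable(1) cuts it off, which is why the rotation note says to re-encrypt the data first and then disable the prior version.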

  • How do I log crypto operations?

    Submit a Service Request identifying the Oracle Cloud Infrastructure Object Storage bucket to use; the operations team will then configure your vault to send its logs to that bucket.

    High Availability and Disaster Recovery

  • How does Oracle provide High Availability of keys in a region?

    Oracle uses a cluster of six HSMs, which has historically provided an availability of five nines (99.999%).

  • Can I transfer and use my keys in a region that is different from where they were created?

    Currently, you can only use the keys in the region where you created them.

  • How will I be charged for using Key Management?

    When using a Virtual Vault type, you pay based on the number of key versions that you create, and you are charged at the end of the month for that month's usage.

    When using a Private Vault type, you pay an hourly fee for each vault that you create, and you are charged at the end of the month for that month’s usage. When storing your keys in a Private Vault type, you are not charged for the keys that you create inside your key vaults and use with supported Oracle Cloud Infrastructure services.

    For current pricing, see the Key Management pricing page.

  • Am I billed for my key vault when it is scheduled for deletion?

    No, you aren’t billed for the use of a key vault that is scheduled for deletion. If you cancel the deletion of your key vault during the waiting period, billing continues.

  • Are keys in the pending deletion state still counted toward the quota limit?

    Yes, keys in pending deletion state still count toward your quota limit.

  • Can Oracle employees access my key material?


  • Who can use and manage the keys that I create and store in Key Management?

    You control the keys that you create and store in Key Management. You define the key usage and management policies and grant Oracle IAM users, groups, or services the rights to use, manage, or associate your keys with resources.

  • How are the keys I create inside my Key Management key vault secured?

    When you request the service to create a key on your behalf, Key Management stores the key and all subsequent key versions in HSM-backed key vaults.

    When you request the service to create a key on your behalf inside a Private Vault, Key Management stores the key and all subsequent key versions in HSM-backed key vaults using per-customer isolated partitions inside FIPS 140-2 Security Level 3 certified hardware security modules (HSMs) (you can view the FIPS 140-2 Security Policy for the hardware used to back your key vault here:

    All key vault types containing your keys are replicated multiple times within a region to ensure the durability and availability of the keys. Plain-text key material can never be viewed or exported from the key vault. Only users, groups, or services that you authorize via an IAM policy can use the keys by invoking Key Management to encrypt or decrypt data.

  • Can I export a key that I created in Key Management?

    No. Your encryption keys are stored only in key vaults that are hosted inside FIPS 140-2, Level 3 certified HSMs, and you can’t export them from the key vaults.

  • What are best practices for IAM policies governing my Key Management service?

    Limit vault deletion permissions to a minimal set of users by granting the 'use' verb in IAM policies rather than 'manage'. Example: allow group VaultOperators to use vaults in compartment

    Limit who can assign vaults and keys to storage resources, to prevent unauthorized key substitution.

    A common pattern example is here.