Key Management FAQ
General questions
What is Oracle Cloud Infrastructure Key Management Service (KMS)?
The Oracle Cloud Infrastructure (OCI) Key Management Service (KMS) is a cloud-based service that provides centralized management and control of encryption keys for data stored in OCI. OCI KMS is customer-managed encryption and offers the following services:
- OCI Vault: OCI Vault is a customer-managed encryption service that enables you to control the keys that are hosted in OCI hardware security modules (HSMs) while Oracle manages and administers the HSMs. OCI Vault offers the following options:
- Virtual Vault: Virtual Vault is a multitenant encryption service where your keys are stored in HSM partitions that also host keys of other customers. It’s the default encryption service in OCI Vault.
- Private Vault: Private Vault is a single-tenant encryption service that stores keys in a dedicated HSM partition with dedicated cores that are isolated to your tenancy.
- OCI Dedicated KMS: Coming soon, OCI Dedicated KMS is single-tenant HSM partition as a service that provides a fully isolated environment for storing and managing encryption keys. The difference between Private Vault and OCI Dedicated KMS is how the HSM partitions are controlled. With OCI Dedicated KMS, you can control and claim ownership of the HSM partitions and use standard interfaces, such as PKCS#11, to perform cryptographic operations. Oracle still administers these HSM partitions for security and firmware patching.
- OCI External KMS: External KMS enables you to use your own, third-party key management system to protect data in OCI services. You control the keys and HSM outside OCI, and you’re responsible for the administration and manageability of those HSMs. Your master keys are always stored outside OCI and never imported into OCI External KMS, so the encrypt and decrypt operations happen outside of OCI.
To learn more about OCI encryption offerings refer this blog.
What security and compliance requirements are met by OCI KMS?
OCI KMS uses HSMs that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification to protect your keys. The FIPS certificate can be found on the NIST Cryptographic Module Validation Program (CMVP) website here.
OCI KMS has been validated with the functionality and security controls to help you meet the encryption and key management requirements of the PCI DSS 3.2.1 (primarily referenced in sections 3.5 and 3.6).
What capabilities or features supported by OCI KMS?
OCI KMS supports varied functionalities to enable you to control your keys and ensure the required security protection for your data in OCI services. Below is the feature matrix for critical functionalities across different services within OCI KMS.
| Capabilities | Virtual vault | Private vault | Dedicated KMS (Coming soon) | External KMS |
|---|---|---|---|---|
| FIPS 140-2 Level 3 HSMs | Yes | Yes | Yes | External |
| Symmetric (AES) encryption | Yes | Yes | Yes | Yes |
| Asymmetric (RSA and ECDSA) encryption | Yes | Yes | Yes | No |
| Software keys | Yes | Yes | No | External |
| Backup/restore | No | Yes | Yes | No |
| Cross region replication | Coming soon | Yes | No | No |
| Bring Your Own Key | Yes | Yes | Yes | External |
| OCI Services Integration (Storage, Database, SaaS) | Yes | Yes | No | Yes |
| Automatic key rotation | Coming soon | Coming soon | No | No |
| Audit log | Yes | Yes | Yes | Yes |
| Scheduled delete | Yes | Yes | Yes | Yes |
How does Oracle provide high availability of keys in a region? What geographic regions are my keys stored in?
Oracle uses a cluster of nodes and HSMs to store replicas of your keys in the same region where they were created, which enables us to provide 99.9% service level agreement (SLA) and 99.99 % service level objective (SLO) for key management. Please see Oracle PaaS and IaaS Public Cloud Services Pillar Document.
A key is stored and used only in the region in which it was created. If you want to backup/replicate your keys to another region in the realm to meet compliance or DR requirements, you can use cross-region backup and restore or cross-region replication.
What is the difference between OCI KMS and Oracle Key Vault (OKV)?
OCI KMS is a cloud native key management service that Oracle recommends for all your cloud applications. OCI KMS is natively integrated to many OCI services related to Storage, Database, and SaaS services such as FA. If you are looking for a centralized key management in Oracle Cloud and a managed service for all your cloud applications with pay-as-you-go pricing structure, then OCI KMS is the one Oracle recommends.
Oracle Key Vault is another key management product from Oracle. Oracle Key Vault provides key management for TDE-enabled Oracle Databases running in both on-premises (including Oracle Exadata Cloud@Customer and Oracle Autonomous Database—Dedicated) and OCI as well as key management for encrypted Oracle GoldenGate trail files and encrypted Oracle Automatic Storage Management Cluster File Systems.
In what OCI regions does OCI KMS exist, and where can I find resources for OCI KMS?
OCI KMS is available in all OCI regions and realms including Government, EU Sovereign Cloud, Oracle National Security Regions, and OCI Dedicated Region Cloud@Customer. You can learn more about region availability and OCI KMS offerings in our documentation and blogs.
Vault
What is OCI Vault?
OCI Vault is a secure, resilient fully managed service that lets you focus on your data encryption needs without worrying about time-consuming administrative tasks required to achieve high availability, such as hardware provisioning and software patching. Vault uses HSMs that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification to protect your keys. OCI Vault is Oracle’s native Gen 2 Cloud encryption service.
Vault support different types of encryption keys—symmetric (AES keys) and asymmetric (RSA and ECDSA keys)—and a generic set of workloads, including Oracle Exadata Cloud Service, Oracle Autonomous Database, Transparent Data Encryption in Oracle Database, and non-database workloads.
There are two types of OCI Vault: Private Vault and the default Virtual Vault. The type of Vault you create determines the degree of isolation and performance for your keys. Each tenant can have zero to many Vaults.
A Private Vault provides dedicated partition on the HSM (single tenant). A partition is a physical boundary on the HSM which is isolated from other partitions. Private Vault provides better and consistent transactions per second for cryptographic operations. These are single-tenant HSMs. Private Vaults also have additional features such as Cross Region Replication and Cross Region Backup and Restore of Keys.
The default Virtual Vault uses a multitenant partition, providing a moderate level of isolation.
Both Vault options enable you to create master encryption keys stored in one of the following ways:
- HSM keys: A master encryption key protected by an HSM is stored on an HSM and cannot be exported from the HSM. All cryptographic operations involving the key also happen on the HSM. These keys are FIPS Level 3 compliant.
- Software keys: A master encryption key protected by software is stored on a server and can be exported from the server to perform cryptographic operations on the client instead of on the server. While at rest, the software-protected key is encrypted by a root key on the HSM. These keys are FIPS Level 1 compliant.
What capabilities does OCI Vault provide?
The following key management capabilities are available when you use OCI Vault:
- Create your own encryption keys that protect your data
- Bring your own keys
- Rotate your keys
- Create and verify digital signatures with sign and verify operations using your asymmetric keys
- Support for cross-region backup and restore for your Vaults and keys (Private Vaults only)
- Support for cross-region replication of Vaults and keys (Private Vaults only)
- Temporarily disable keys to protect data
- Schedule the deletion of keys and vaults that you no longer use
- Constrain fine-grained permissions on management and usage of keys and Vaults using OCI IAM policies.
- Monitor key and Vault lifecycle state with Oracle Audit and Database Firewall
- Seamless integration to OCI internal services: Oracle Exadata Cloud Service, Oracle Autonomous Database—Dedicated, and Oracle Cloud Infrastructure (OCI) Block Storage, File Storage, Object Storage, Streaming, and Container Engine for Kubernetes.
In OCI Vault you can create Advanced Encryption Standard (AES-GCM), Rivest-Shamir-Adleman (RSA), and Elliptic Curve Digital Signature Algorithm (ECDSA) keys. For AES keys, you can choose from three key lengths: AES-128, AES-192, and AES-256. AES-256 is recommended. OCI Vault supports the following asymmetric key types: RSA 2048, RSA 3072, RSA 4096, NIST P-256, NIST P384, and ECC_NIST521.
You can create and use AES symmetric keys and RSA asymmetric keys for encryption and decryption. You can also use RSA or ECDSA asymmetric keys for signing digital messages.
For more details and to get started, see Overview of OCI Vault.
Where is my data encrypted if I use OCI Vault?
You can directly submit data to key management APIs to encrypt and decrypt using your master encryption keys stored in the Vault. Also, you can encrypt your data locally within your applications and OCI services using a method known as envelope encryption.
With envelope encryption, you generate and retrieve data encryption keys (DEKs) from key management APIs. DEKs are not stored or managed in the key management service, but are encrypted by your master encryption key. Your applications can use DEKs to encrypt your data and store the encrypted DEKs along with the data. When your applications want to decrypt the data, you should call decrypt to the key management API on the encrypted DEK to retrieve the DEK. You can the decrypt your data locally with the DEK.
Why use envelope encryption? Why not just send data to OCI Key Management Service and OCI Vault to encrypt directly?
Key management supports sending up to 4 KB of data to be encrypted directly. In addition, envelope encryption can offer significant performance benefits. When you encrypt data directly with key management APIs, it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller DEKs go over the network. The DEK is used locally in your application or encrypting OCI service, avoiding the need to send the entire block of data.
Can I bring my own keys (BYOK) to OCI Vault?
Yes. You can import a copy of your key from your own key management infrastructure to OCI Vault and use it with any integrated OCI services or from within your own applications. You can import all algorithms of keys: AES, RSA, and ECDSA keys. Import of both types of keys is supported—HSM as well as software keys. Note: You cannot export HSM keys out of the HSM.
Can I rotate my keys?
Yes. You can regularly rotate your keys in alignment with your security governance and regulatory compliance needs or do it ad hoc in case of a security incident. Regularly rotating your keys (for example, every 90 days) by using the console, API, or CLI, limits the amount of data protected by a single key.
Note: Rotating a key does not automatically re-encrypt data that was previously encrypted with the old key version; this data is re-encrypted the next time it’s modified by the customer. If you suspect that a key has been compromised, you should re-encrypt all data protected by that key and disable the prior key version.
Can I delete a Vault or key?
Yes, but not immediately. You can schedule the deletion of a Vault, key, or key version by configuring a waiting period from 7 to 30 days.
For Vault deletion, the Vault and all the keys created inside the Vault are deleted at the end of the waiting period, and all the data that was protected by those keys is no longer accessible. After a Vault is deleted, it can’t be recovered.
You can also disable a key, which will prevent any encrypt/decrypt operations using that key.
Can I transfer and use my keys in a region that is different from where they were created ?
Yes. Vault supports cross-region replication of keys and vaults. You can replicate Private Vaults from one region to another region to make them and the keys that they contain available to meet compliance requirements or to improve latency.
When you configure cross-region replication for a Private Vault, the Vault service automatically synchronizes the creation, deletion, update, or move of any keys or key versions between the initiating vault and a vault in one destination region. The vault from which the service replicates data is known as the source vault. The vault in the destination region to which the service replicates data from the source vault is known as the vault replica. The service supports cryptographic operations against the vault and keys in the destination region.
OCI Vault also supports cross-region backup and restore for Private Vault so that keys can be used in a region different from where they were created. Backup and restore meets FIPS requirements as real key materials are not exported, rather a binary object that represents the key material. Restore operations can happen only to the OCI-managed HSMs.
How am I charged for using OCI Key Management Service and OCI Vault?
You are charged based on the type of Vault that’s created.
By default, your Vault is charged based on the number of key versions. Software-protected keys are free, but HSM-protected keys are charged 53 cents per key version. (The first 20 key versions are free). However, if you create a Private Vault (single-tenant HSM), you are priced per hour. The pricing starts from the time of creation of the Vault and continues until the Vault is scheduled to be deleted. You are not charged for key versions within a Private Vault.
You are not billed based on the number of API requests for Vaults and keys made to the service for any of the management or cryptographic operations.
For more details, please refer to Oracle Cloud Security pricing.
Keys scheduled for deletion: You aren’t billed for the keys that are scheduled for deletion. If you cancel the deletion of your keys, then the billing resumes.
What are the default limits for OCI Vault?
The Private Vault limit is 0 by default. Users should request a limit increase to use it. Once Private Vault is enabled, users get a soft limit of 1,000 and hard limit of 3,000 symmetric key versions.
When you use the default Virtual Vault to store your keys, there is no hard limit. The default is 10 Vaults with 100 keys per Vault.
All key versions you store in a Vault count toward this limit, regardless of the corresponding key being enabled or disabled.
The limits imposed on OCI Vault are governed by OCI service limits. Default limits are set for all tenancies. Customers can request a service limit increase for keys stored inside a Vault by following the steps described here in the Oracle Cloud Infrastructure documentation. As both enabled and disabled keys count toward the limit, Oracle recommends deleting disabled keys that you no longer use.
Who can use and manage my keys in OCI Vault, and can I see who made changes to the lifecycle state of keys and Vaults?
When you use OCI Key Management Service to encrypt or decrypt data, only users, groups, or services that you authorize via an OCI IAM policy can manage and use the keys. You can enforce fine-grained usage and management policies to give specific users specific permissions.
To track lifecycle state changes, you can use logs in OCI Audit, which will show all OCI Vault management request details, such as create, rotate, disable, and more, for all the Vaults, keys or key versions in your tenancy.
Dedicated Key Management Service
Coming soon
External Key Management Service
What is OCI External Key Management Service (OCI External KMS)?
OCI External KMS is a service that allows customers to use encryption keys that are stored and managed outside OCI. This can be useful for customers who have regulatory requirements to store encryption keys on-premises or outside OCI, or who want to have more control over their encryption keys. Please refer to this blog for additional details.
What are the benefits of OCI External KMS?
The service helps customers address the following:
- Data sovereignty, compliance, and regulations: OCI External KMS helps customers maintain control over their encryption keys and where they store those keys. This is beneficial for organizations that must comply with strict data sovereignty requirements, such as the EU General Data Protection Regulation (GDPR).
- Trust and assurance: OCI External KMS enables customers to own and manage the cryptographic module and become the custodians of their encryption keys. This is beneficial for organizations that must demonstrate their control over encryption processes to end customers, partners, and stakeholders.
What are the operational considerations for using OCI External KMS?
OCI External KMS gives customers more control over their encryption keys, but it also comes with operational responsibility: Customers must administer, manage, and maintain encryption keys and hardware security modules (HSMs) on-premises. This is a different ownership model than the existing OCI Vault service, where Oracle manages and administers the HSM infrastructure on behalf of customers.
How do I rotate keys in OCI External KMS?
To rotate a key (also known as a key reference) in OCI External KMS, you will need to first rotate keys in the Thales CipherTrust Manager using the step below, as the key material is stored outside OCI.
- Add a new external key version in the Thales CipherTrust Manager.
In OCI, you can then click Rotate Key Reference and type the External Key Version ID from the previous step.
What OCI services are supported by OCI External KMS?
OCI External KMS supports symmetric encryption keys and is compatible with applications that are already integrated with OCI Vault. As a result, customers don’t have to modify applications to benefit from OCI External KMS—they can use and associate keys in the same way they would with OCI Vault and with the same SLA of 99.9%.
The following services are integrated with OCI Vault and can benefit from OCI External KMS without any changes:
- Oracle Cloud Infrastructure Object Storage, Block Volume, and File Storage
- Oracle Cloud Infrastructure Container Engine for Kubernetes
- Oracle Database, including Oracle Autonomous Database on Dedicated Exadata Infrastructure, Oracle Autonomous Database on Shared Exadata Infrastructure, Oracle Database Cloud Service, and Database as a Service
- Oracle Fusion Cloud Applications
What happens if I deactivate, block, or remove keys from the Thales CipherTrust Manager in OCI External KMS? Will my data in OCI remain accessible?
OCI External KMS is designed in such a way that OCI doesn’t have any access to the actual cryptographic key material. Once a customer has blocked the key in the Thales CipherTrust Manager, OCI has no way to use the key reference to decrypt data or perform any operation using that key reference.
You can also then disable/delete the key references from your OCI console.
Does OCI External KMS support cross-region replication of keys/vaults?
OCI External KMS currently does not support cross-region replication of keys/vaults.
What is the pricing for OCI External KMS?
OCI External KMS costs US$3 per key version per month, and there is no additional cost for the use of these key versions. Customers have a soft limit of 10 vaults and 100 key versions per vault. Please contact Thales to learn about CipherTrust Manager pricing and limits.
How do I learn more about OCI External KMS?
You can learn more about OCI External KMS by reading the technical documentation or by trying it out in the OCI console. Access the External KMS in the OCI console by selecting Identity and Security in the OCI navigation menu, then Key Management and Secret Management, and then External Key Management.