What is Oracle Cloud Infrastructure Key Management?
Oracle Cloud Infrastructure Key Management is a managed service that enables you to encrypt your data using keys that you control. Key Management provides you with centralized key management capabilities, highly available, durable, and secure key storage using per-customer isolated partitions in FIPS 140-2 Level 3 certified hardware security modules (HSMs), and integration with select Oracle Cloud Infrastructure services.
When should I use the Key Management service?
Use the Key Management service if you need to ensure and verify your security governance, regulatory compliance, and homogenous encryption of data where it is stored by centrally managing, storing, and monitoring the life cycle of the keys that you use to protect your data.
How do I get started with Key Management?
You first create a Key Management key vault in the Governance and Administration section of the Oracle Cloud Infrastructure Console. Then you create keys inside your key vault that you later use with supported Oracle Cloud Infrastructure services. To encrypt your data using these keys, you simply select a key from the Key Management service when you create or update a block volume or bucket. You can use the Key Management service through the Console, API, or CLI to create, use, rotate, enable, and disable your encryption keys. For more information, see Overview of Key Management in the documentation.
Which Oracle Cloud Infrastructure services integrate with Key Management?
Currently, Oracle Cloud Infrastructure Block Volumes (including Oracle Cloud Infrastructure Compute boot volumes) and Oracle Cloud Infrastructure Object Storage integrate with Key Management to protect the data that you store with these services using keys that you control.
Do I need to use Key Management for my data to be protected where it is stored?
No. When you store your data with Oracle Cloud Infrastructure Block Volumes, File Storage Service, and Object Storage and don’t use Key Management, your data is protected using encryption keys that are securely stored and controlled by Oracle.
What capabilities does Key Management provide?
The following key management capabilities are available when you use the Key Management service:
- Create highly available key vaults to durably store your encryption keys
- Create keys with a display name that helps you identify the key and the type of data you plan to protect when using it
- Quickly disable keys so they can’t be used by anyone
- Re-enable disabled keys
- Rotate your keys to meet your security governance and regulatory compliance needs
- Define which Oracle Cloud Infrastructure Identity and Access Management (IAM) users or groups can manage keys and key vaults
- Define which IAM users, groups, or services can use keys to encrypt and decrypt your data
- Define which IAM users or groups can associate keys with other Oracle Cloud Infrastructure resources (for example, block volumes or buckets)
- Monitor the life cycle of your keys and key vaults by using Oracle Audit
- Delete key vaults that you no longer use
What key management capabilities are provided by services that integrate with Key Management?
Services that integrate with Key Management provide you with the following key management capabilities:
- Assign a key to a new resource
- Add a key assignment to an existing resource
- Change the key assignment for an existing resource
- Remove the key assignment
What type of keys can I create and store in Key Management?
When you request Key Management to create a key on your behalf, you can choose a key shape that indicates the key length and the algorithm used with it. Currently, all keys are Advanced Encryption Standard (AES) keys, and you can choose from three key lengths: AES-128, AES-192, and AES-256.
Which Oracle Cloud Infrastructure regions is Key Management available in?
Key Management is available in all Oracle Cloud Infrastructure regions.
Managing Keys and Key Vaults
Can I rotate my keys?
Yes. You can regularly rotate your keys in alignment with your security governance and regulatory compliance needs, or ad hoc in case of a security incident. Regularly rotating your keys (for example, every 90 days) by using the Console, API, or CLI limits the amount of data protected by a single key.
Note: Rotating a key does not automatically re-encrypt data that was previously encrypted with the old key version; this data is re-encrypted the next time it’s modified by the customer. If you suspect that a key has been compromised, you should re-encrypt all data protected by that key and disable the prior key version.
Can I import keys into Key Management?
No. Currently, you can’t import a key from your existing key management solution to the Key Management service.
Can I delete a key vault from Key Management?
Yes. You can schedule the deletion of a key vault from Key Management by configuring a waiting period for deletion from 7 to 30 days. The key vault and all the keys created inside the key vault are deleted at the end of the waiting period, and all the data that was protected by those keys is no longer accessible. After a key vault is deleted, it can’t be recovered.
Can I delete a key from Key Management?
No. Currently, you can’t delete keys.
Is there a limit to the number of keys that I can create or store per key vault in Key Management?
You can create or store up to 1,000 key versions per key vault. All key versions you store in a vault count towards this limit, regardless of whether the corresponding key is enabled or disabled. You can request a limit increase for keys stored inside a key vault by following the steps in Requesting a Service Limit Increase in the Oracle Cloud Infrastructure documentation.
How will I be charged for using Oracle Key Management?
When using Key Management, you pay an hourly fee for each key vault that you create, and you are charged at the end of the month for that month’s usage. You are not charged for the keys that you create inside your key vaults and use with supported Oracle Cloud Infrastructure services. For current pricing, see the Key Management pricing page.
Am I billed for my key vault when it is scheduled for deletion?
No, you aren’t billed for the use of a key vault that is scheduled for deletion. If you cancel the deletion of your key vault during the waiting period, billing continues.
Who can use and manage the keys that I create and store in Key Management?
You control the keys that you create and store in Key Management. You define the key usage and management policies and grant Oracle IAM users, groups, or services the rights to use, manage, or associate your keys with resources.
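The capability list earlier on this page and this answer both describe granting separate rights to manage keys and vaults, to use keys, and to associate keys with resources. The following IAM policy statements are an added example of that separation, not text from the Oracle documentation; the group names KeyAdmins and StorageAdmins, the compartment name Production, the region identifier us-phoenix-1 and the key OCID placeholder are assumptions, and lines beginning with # are annotations rather than policy syntax and must be removed before pasting into a policy.

```text
# Assumed group KeyAdmins: may create, rotate, enable and disable keys and vaults,
# but is deliberately given no right to use keys on data.
Allow group KeyAdmins to manage vaults in compartment Production
Allow group KeyAdmins to manage keys in compartment Production

# Assumed group StorageAdmins: may associate a key with a block volume or bucket.
# key-delegate is the only right needed for that; no manage or use on keys.
Allow group StorageAdmins to use key-delegate in compartment Production

# The integrated services (Block Volumes and Object Storage) encrypt and decrypt
# on the customer's behalf, so they, not the storage admins, get "use keys".
# The "where" clause scopes the grant to one key; <key_OCID> is a placeholder.
Allow service blockstorage, objectstorage-us-phoenix-1 to use keys in compartment Production where target.key.id = '<key_OCID>'
```

Audit the resulting key use and management events with Oracle Audit, as the capability list above notes, so that the three roles stay separated in practice as well as in policy.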
How are the keys I create inside my Key Management key vault secured?
When you request the service to create a key on your behalf, Key Management stores the key and all subsequent key versions in key vaults that use per-customer isolated partitions inside FIPS 140-2 Level 3 certified hardware security modules (HSMs). You can view the FIPS 140-2 security policy for the hardware used to back your key vault at https://csrc.nist.gov. All key vaults that contain your keys are replicated multiple times within a region to ensure the durability and availability of the keys. Plain-text key material can never be viewed or exported from the key vault. Only users, groups, or services that you authorize via an IAM policy can use the keys by invoking Key Management to encrypt or decrypt the data.
Can I export a key that I created in Key Management?
No. Your encryption keys are stored only in key vaults that are hosted inside FIPS 140-2, Level 3 certified HSMs, and you can’t export them from the key vaults.
Can I transfer and use my keys in a region that is different from where they were created?
Currently, Key Management stores your keys, and you can use them only in the region in which you created them.