External Key Management Service

Overview of External KMS functionality with its use case and benefits.

The OCI Key Management Service (KMS) uses a Hardware Security Module (HSM) hosted within an Oracle data center to store and manage the master keys that encrypt data at rest. For enhanced data security, and for customers whose regulatory requirements mandate storing keys outside Oracle Cloud or any third-party cloud premises, OCI KMS now offers a capability called External Key Management Service (External KMS).

In External KMS, you store and control master encryption keys (as external keys) in a third-party key management system hosted outside OCI. You then use these keys to encrypt your data in Oracle, and you can disable them at any time. Because the actual key material resides in the third-party key management system, you create only key references (associated with that key material) in OCI.
Note

In OCI External KMS, Thales is our first third-party external key management vendor and throughout the documentation, we will be referring to Thales CipherTrust Manager (CM) as our external key manager.

Benefits

The External KMS offering in the OCI KMS service provides the following benefits.

  • Key provenance - You control how externally created keys are used. The external keys are never cached or stored anywhere in Oracle, and OCI KMS has no control over them. Instead, OCI KMS interacts directly with the third-party key management system for cryptographic (encrypt/decrypt) operations.
  • Enhanced security - Protects data at rest using a third-party key management system, providing a high level of security by keeping the keys outside Oracle Cloud.
  • Centralized key management - You manage your keys in a third-party key management system, which gives you greater control over the encryption keys that protect your data in Oracle Cloud.

Use Case

External KMS functionality applies in the following use cases.

  • Banks and public-sector organizations with regulatory requirements prefer to store encryption keys on premises, physically separated from their data in Oracle Cloud.
  • A banking customer whose security requirements mandate performing cryptographic operations outside Oracle, in its own on-premises HSM, so that access to the keys stays exclusive to the customer rather than shared with the cloud vendor.
  • Customers who choose a multi-cloud deployment need databases in OCI to connect to encryption services hosted by a different cloud vendor. External KMS is a key enabler of OCI's multi-cloud strategy.

Terminology

Familiarize yourself with the following terms to understand External KMS functionality:

  • External Key Manager - HSM owned and hosted by the customer.
  • External Vault - Vault created in the third-party key management system for storing the external keys.
  • External key - Key created in the third-party key management system; each external key contains one or more external key versions.
  • External key versions - Each external key is automatically assigned a key version. When you rotate an external key, the external key manager generates a new key version.
  • Third-party key management system - HSM owned and hosted by the customer.
  • FastConnect - A way to create a private connection between the customer's on-premises network and Oracle Cloud Infrastructure.
  • Private endpoint (PE) - A private IP address within the customer's VCN that can be used to access a given service within Oracle Cloud Infrastructure.
  • Data encryption key (DEK) - Encryption key whose function is to encrypt and decrypt the data.
  • Thales CipherTrust Manager (CM) - Centrally manages encryption keys, provides granular access control, and configures security policies; it integrates with FIPS 140-2 compliant Thales Luna or third-party Hardware Security Modules (HSMs) to store keys securely with the highest root of trust.