Creating a Master Encryption Key

Learn about creating master encryption keys.

Note the following when creating master encryption keys:

  • Auto-rotation: When you create a master encryption key in a virtual private vault, you have the option of enabling automatic key rotation. See the Automatic Key Rotation section of the Key and Secret Management Concepts topic for complete details. See Enabling and Updating Auto Key Rotation for instructions on updating auto-rotation settings.

  • Available algorithms: You can select from the following algorithms when creating a key:
    • AES: Advanced Encryption Standard (AES) keys are symmetric keys that you can use to encrypt data at rest.
    • RSA: Rivest-Shamir-Adleman (RSA) keys are asymmetric keys, also known as key pairs, that consist of a public key and a private key. You can use them to encrypt data in transit, to sign data, and to verify the integrity of signed data.
    • ECDSA: Elliptic curve cryptography digital signature algorithm (ECDSA) keys are asymmetric keys that you can use to sign data and to verify the integrity of signed data.

For more information on keys in OCI's Key Management service, see Keys in the Key and Secret Management Concepts topic.

    1. Open the navigation menu, select Identity & Security, and then select Vault.
    2. Under List scope, select the compartment that contains the vault in which you want to create the key.
    3. Select the name of the vault in which you want to create the key.

      If you need to create a new vault for the key, follow the instructions in Create Vault, and then select the name of the vault.

    4. Under Resources, select Master Encryption Keys, and then select Create Key.
    5. Select Master Encryption Keys, and then select Create Key. Note that keys can be created in a different compartment than that of the vault.
    6. For Protection Mode, select one of the following options:
      • HSM: Select this option to create a master encryption key that's stored and processed on a hardware security module (HSM).
      • Software: Select this option to create a master encryption key that is stored and processed on a server.

      You can't change a key's protection mode after you create it. For more information about keys, including information about key protection modes, see Key and Secret Management Concepts.

    7. Enter a name to identify the key. Avoid entering confidential information.
    8. For Key Shape: Algorithm, select one of the following algorithms:
      • AES: Advanced Encryption Standard (AES) keys are symmetric keys that you can use to encrypt data at rest.
      • RSA: Rivest-Shamir-Adleman (RSA) keys are asymmetric keys, also known as key pairs, that consist of a public key and a private key. You can use them to encrypt data in transit, to sign data, and to verify the integrity of signed data.
      • ECDSA: Elliptic curve cryptography digital signature algorithm (ECDSA) keys are asymmetric keys that you can use to sign data and to verify the integrity of signed data.
    9. AES and RSA only. If you selected AES or RSA, select the corresponding key shape length, in bits.
    10. ECDSA only. If you selected ECDSA, select a value for Key Shape: Elliptic Curve ID.
    11. Imported keys only. To create a key by importing a publicly wrapped key, select the Import External Key checkbox and provide the following details:
      • Wrapping Algorithm: Select RSA_OAEP_AES_SHA256 (RSA-OAEP with a SHA-256 hash for a temporary AES key).
      • External Key Data Source: Upload the file that contains the wrapped RSA key material.
    12. Optional. Select the Auto rotation checkbox to enable auto key rotation. Note that you can edit auto-rotation settings after the key is created.
    13. For auto-rotation only. In the Auto-rotation Schedule section, provide the following details:
      • Start date: Use the calendar icon to select a date to start the key rotation schedule. The rotation happens on or before the scheduled date. For example, if you create a key today or update an existing key, and schedule the auto rotation start date as April 10 with a predefined interval of 90 days, then auto rotation starts on or before July 10 (April 10 + 90 days).
        Note

        KMS ensures automatic rotation happens on or before the conclusion of the rotation interval. Rotation might start up to a few days before the scheduled interval.
      • Rotation interval: Select a predefined interval within which the keys must be rotated. By default, the interval is set as 90 days.
      • Optional. Custom: Select this option to set a custom rotation interval between 60 and 365 days.
    14. Optional. To apply tags, select Show advanced options.
      If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
    15. Select Create Key.
  • Use the oci kms management key create command and required parameters to create a master encryption key:

    oci kms management key create --compartment-id <target_compartment_id> --display-name <key_name> --key-shape <key_encryption_information> --endpoint <control_plane_url> --is-auto-rotation-enabled <true | false> --auto-key-rotation-details <schedule_interval_information>

    For example:

    oci kms management key create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name key-1 --key-shape '{"algorithm":"AES","length":16}' --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com --is-auto-rotation-enabled true --auto-key-rotation-details '{"rotationIntervalInDays": 90, "timeOfScheduleStart": "2024-02-20T00:00:00Z"}'

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateKey operation to create a new vault master encryption key using the KMSMANAGEMENT endpoint.

    See CreateKeyDetails for the attributes that describe the key that you want to create.

    Note

    Each region uses the KMSMANAGEMENT endpoint for managing keys. This endpoint is referred to as the control plane URL or vault management endpoint. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.