Oracle Cloud Infrastructure Documentation

Creating a Master Encryption Key

Create a vault master encryption key.

    1. Open the navigation menu, click Identity & Security, and then click Vault.
    2. Under List scope, select a compartment that contains the vault that contains the key that you want to create.
    3. Click the name of the vault where in which you want to create the key.

      If you need to create a new vault for the key, follow the instructions in the Create Vault, and then click the name of the vault.

    4. Under Resources, click Master Encryption Keys, and then click Create Key.
    5. Click Master Encryption Keys, and then click Create Key. Keys can also exist is a different compartment then the vault.
    6. For Protection Mode, select one of the following options:
      • To create a master encryption key that is stored and processed on a hardware security module (HSM), choose HSM.
      • To create a master encryption key that is stored and processed on a server, choose Software.

      You cannot change a key's protection mode after you create it. For more information about keys, including information about key protection modes, see Key and Secret Management Concepts.

    7. Enter a name to identify the key. Avoid entering confidential information.
    8. For Key Shape: Algorithm, select from one of the following algorithms:
      • AES. Advanced Encryption Standard (AES) keys are symmetric keys that you can use to encrypt data at rest.
      • RSA. Rivest-Shamir-Adleman (RSA) keys are asymmetric keys, also known as key pairs that consists of a public key and a private key. You can use them to encrypt data in transit, to sign data, and to verify the integrity of signed data.
      • ECDSA. Elliptic curve cryptography digital signature algorithm (ECDSA) keys are asymmetric keys that you can use to sign data and to verify the integrity of signed data.
    9. If you selected AES or RSA, select the corresponding key shape length in bits.
    10. If you selected ECDSA, select a value for Key Shape: Elliptic Curve ID.
    11. To create a key by importing a publicly wrapped key, select Import External Key check box and provide the following details:
      • Wrapping Key Information. This section is read-only, but you can view the public wrapping key details.
      • Wrapping Algorithm. Select RSA_OAEP_AES_SHA256 (RSA-OAEP with a SHA-256 with a temporary AES key).
      • External Key Data Source. Upload the file that contains the wrapped RSA key material.
    12. Select Auto rotation check box to enable auto key rotation.
    13. In the Auto-rotation Schedule section, provide the following details:
      • Start date. Use the calendar icon to select a date to start the key rotation schedule. The rotation happens approximately on or before the scheduled date. For example, if you create a key today or update an existing key, schedule the auto rotation start date as April 10 with a predefined interval of 90 days, then auto rotation will start approximately on or before July10 (April 10 + 90 days).
        Note

        KMS ensures automatic rotation happens on or before the rotation interval even if it means to start the rotation a few days before the scheduled interval.
      • Rotation interval. Select a predefined interval within which the keys must be rotated. By default, the interval is set as 90 days. To customize the rotation interval, you can select Custom.
      • Custom Rotation Interval. Enter a custom interval (between 60 to 365 days) other than the predefined rotation interval.
      Note

      However, you can always edit the auto-rotation settings after the key is created.
    14. Optionally, to apply tags, click Show advanced options.
      If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
    15. click Create Key.

  • Use the oci kms management key create command and required parameters to create a master encryption key:

    oci kms management key create --compartment-id <target_compartment_id> --display-name <key_name> --key-shape <key_encryption_information> --endpoint <control_plane_url> --is-auto-rotation-enabled <true | false> --auto-key-rotation-details <schedule_interval_information>

    For example:

    oci kms management key create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name key-1 --key-shape '{"algorithm":"AES","length":"16"}' --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com --is-auto-rotation-enabled enabled --auto-key-rotation-details '{"rotationIntervalInDays": 90, "timeOfScheduleStart": "2024-02-20T00:00:00Z"}'

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateKey operation to create a new vault master encryption key using the KMSMANAGMENT endpoint.

    You can see the CreateKeyDetails operation for details of the key that you want to create.

    Note

    Each region uses the KMSMANAGMENT endpoint for managing keys. This endpoint is referred to as the control plane URL or vault management endpoint. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.