Data is the prime concern for any organization, and many methods have been deployed to keep it secure. On Oracle Cloud Infrastructure (OCI), data is kept secure with the Key Management System (KMS).
Oracle Cloud Infrastructure Key Management is a managed service that enables you, the customer, to manage and control AES symmetric keys used to encrypt your data-at-rest.
Overview Of Key Management System (KMS)
A key is a logical entity created inside a vault (a logical grouping of keys). The Key Management service is integrated with many OCI services, including Block Volumes, File Storage, Oracle Container Engine for Kubernetes, and Object Storage.
To know more about Block Volume & Object Storage click here.
What Is A Vault?
An Oracle vault is a logical grouping of keys. The vault must be created before any keys are generated or imported. There are two types of vaults, Private and Virtual, which differ in their level of isolation, pricing, and underlying computing resources.
Each master encryption key is assigned a key version. A key cannot be deleted after it is created, but the vault in which the key was created can be deleted.
IAM Policies
Ensure that the IAM policies for the user account grant the permissions needed to create a vault.
Example: allow service objectstorage-us-ashburn-1 to use keys in compartment
Allow group <group name> to manage Keys in compartment <compartment name>
Allow group <group name> to use vaults in compartment <compartment name>
Allow service <service name> to manage keys in compartment <compartment name>
Note: The first two policies are not required for administrators, but the third one is necessary for every user.
Steps To Configure Key Management System
1) Open the navigation menu. Under the Governance and Administration group, go to Security and click Vault.
2) Under List Scope, in the Compartment list, click the name of the compartment where you want to create the vault, then click Create Vault.
3) Enter a display name for the vault, choose the compartment, and then click Create Vault.
4) The details of the created vault are displayed.
5) Click Keys, and then click Create Key.
Note: The key can be created in a different compartment from the vault.
6) In the Create Key dialog box, select the compartment for the key, enter a name for the key, and select the key shape and key length.
Note: The Key Management System supports AES (Advanced Encryption Standard), and the key size can be selected from 128, 196 and 256.
7) The details of the created key are displayed.
Now we can assign this key to Object Storage or Block Volume to encrypt the data stored in these resources.
8) Navigate to the Object Storage bucket you have created.
9) Select the bucket to which the created key (Object_Storage_key) should be assigned, then click Assign next to Encryption Key.
10) Select the vault and the key to assign, then click Assign.
11) In the details of the bucket (Bucket_1), the assigned key is shown.
Note: Rotating a key generates a new key version, which is then used by the service. This limits the amount of data encrypted under any single key version. After rotation, an older key version can no longer be used for encryption.
Note: Rotating a key does not automatically re-encrypt data that was encrypted with the previous key version; that data is re-encrypted the next time the customer modifies it.
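The two notes above describe the key-version behaviour. The following Python model is added here to illustrate it (it is constructed for this post and is not OCI code or the OCI SDK): only the current key version encrypts, every existing version still decrypts, and an object stays under its old version until it is rewritten. The cipher is an HMAC-based stand-in for AES so that the example runs with the standard library only.

```python
import hashlib
import hmac
import os

class MasterKey:
    """Constructed model of an OCI master encryption key with numbered key versions."""
    def __init__(self):
        self.versions = {}   # version number -> 32-byte key material
        self.current = 0

    def rotate(self):
        """Rotation adds a new version; from now on only that version may encrypt."""
        self.current += 1
        self.versions[self.current] = os.urandom(32)
        return self.current

    def _xor(self, version, nonce, data):
        # HMAC-SHA256 keystream in counter mode: an offline stdlib stand-in for AES, with no integrity check.
        key, out, i = self.versions[version], bytearray(), 0
        while len(out) < len(data):
            out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            i += 1
        return bytes(a ^ b for a, b in zip(data, out))

    def encrypt(self, plaintext, version=None):
        """Encrypt under the current version; a retired version is refused."""
        version = self.current if version is None else version
        if version != self.current:
            raise ValueError("key version %d is retired for encryption" % version)
        nonce = os.urandom(16)
        return version.to_bytes(4, "big") + nonce + self._xor(version, nonce, plaintext)

    def decrypt(self, ciphertext):
        """Any existing version decrypts; the version comes from the ciphertext header."""
        return self._xor(version_of(ciphertext), ciphertext[4:20], ciphertext[20:])

def version_of(ciphertext):
    return int.from_bytes(ciphertext[:4], "big")

def rotation_walkthrough():
    """Objects in a bucket keep their key version until they are rewritten."""
    key, bucket = MasterKey(), {}
    key.rotate()                                          # version 1 is current
    bucket["a.txt"] = key.encrypt(b"written before rotation")
    key.rotate()                                          # version 2 is current
    bucket["b.txt"] = key.encrypt(b"written after rotation")
    before_modify = version_of(bucket["a.txt"])           # still 1: no automatic re-encryption
    modified = key.decrypt(bucket["a.txt"]) + b" (modified)"
    bucket["a.txt"] = key.encrypt(modified)               # the rewrite moves it to version 2
    return before_modify, version_of(bucket["a.txt"]), version_of(bucket["b.txt"])
```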
To know more about Key Management System click here.
Conclusion
Keeping data secure across the different storage services in OCI is very important, and the Key Management System is what makes it possible. In this post, I have covered an overview of the Key Management System and the steps to set up KMS in OCI. I hope it helps you understand the concept of KMS in OCI.
KMS is also covered in our OCI Architect Professional [1Z0-997] Certification training. To know more about this training, click here.
Related/Further Readings
- Oracle Cloud Infrastructure 2019 Architect Professional | 1Z0-997
- [1Z0-997]Oracle Cloud Infrastructure (OCI) Architect Professional Certification: Step by Step Hands-On Lab
- SSL/TLS on Load Balancer
- Key Management FAQs
- WAF in OCI
- Traffic Management in OCI
Next Task For You
In our OCI Architect Professional [1Z0-997] Certification training, we cover KMS in OCI in the Design for Security & Compliance module. In this module, we also cover the Security Overview, Identity & Access Management (IAM), Web Application Firewall (WAF), and Data Safe.
For the list of hands-on guides, click here.
soushya says
Useful blog.
Rahul Dangayach says
Hi Soushya,
We are glad you liked our blog.
Please stay tuned for more informative blogs.
Thanks and Regards
Rahul Dangayach
Team K21 Academy
Vishak says
Nice one. Simple and useful.
Rahul Dangayach says
Hi Vishak,
We are glad you liked our blog.
Please stay tuned for more informative blogs.
Thanks and Regards
Rahul Dangayach
Team K21 Academy