Security Data
Notes for the OCI Architect Associate & Professional certifications

Encryption Basics

  • symmetric algorithm: AES (one shared key both encrypts and decrypts)
  • asymmetric algorithm: RSA (public key encrypts or wraps, private key decrypts)
  • digital signing algorithm: ECDSA (private key signs, public key verifies)

Vault Service

Oracle Cloud Infrastructure Vault is a key management service that stores and manages master encryption keys and secrets for secure access to resources.

  • supports AES, RSA, and ECDSA algorithms
  • Several services integrate with OCI Vault
  • Users can use the Vault service to create and manage the following resources:
    • Vaults
    • Keys
    • Secrets

Vaults

Vaults are logical entities where the Vault service creates and durably stores keys and secrets

  • Virtual private vault
    • A dedicated, isolated partition in a hardware security module (HSM)
    • Includes up to 1,000 key versions by default
    • Gives your keys and secrets stronger isolation from other tenants
    • Can be backed up to Object Storage (and replicated to another region)
  • Vault in a shared partition (the Default vault type)
    • Shares an HSM partition with multiple tenants
    • You pay only for the keys and secrets stored

Keys

Keys are logical entities that represent one or more key versions, each of which contains cryptographic material
A key's cryptographic material is generated for a specific algorithm that lets you use the key for encryption or digital signing.

Vault service recognizes three types of keys.

Master encryption keys (MEK)

  • You can create MEKs in Vault or import your own key material
  • MEKs are used to generate and wrap data encryption keys (DEKs)
  • A MEK is always created in, and belongs to, a vault
  • The protection mode (HSM or software) determines where the MEK is stored and where cryptographic operations with it are performed

Data encryption keys (DEK)

  • Generated under a MEK and used to encrypt the actual data
  • The DEK is itself encrypted (wrapped) with the MEK; storing the wrapped DEK next to the ciphertext is known as envelope encryption
  • The plaintext MEK never leaves the vault; a service holds the plaintext DEK only in memory while encrypting or decrypting, then discards it and persists only the wrapped DEK

Wrapping keys

  • A wrapping key pair is included with each vault by default
  • Use the vault's public wrapping key to wrap key material before importing it; the vault's HSM unwraps it with the private half
  • You cannot create, delete, or rotate wrapping keys

MEKs: Protection Modes

MEKs can have one of two protection modes:

HSM

  • Stored in an HSM
  • Cannot be exported from HSM
  • All cryptographic operations happen inside HSM

Software

  • Stored on a server, protected in software while at rest
  • Encrypted at rest by a root key that lives in an HSM
  • Can be exported, so cryptographic operations can run in your own application rather than inside the HSM

Rotating Keys

  • Each MEK is created with an initial key version; rotating it generates a new version and makes it current
  • Periodically rotating keys limits the amount of data encrypted or signed under any one key version
  • Rotation reduces the blast radius if a key version is ever compromised
  • The key's OCID stays the same across rotations, so callers need no configuration change
  • Older versions can no longer encrypt or sign, but remain available to decrypt (or verify) data protected with them
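To make the DEK and rotation bullets concrete, here is an added Go example written for these notes (not OCI code and not the OCI SDK): a toy vault keeps MEK versions in memory, wraps each DEK under the current version with AES-256-GCM, and keeps older versions for unwrapping only. The 4-byte version header in front of the wrapped DEK, the AES-GCM wrapping format, the in-memory key material and the `Vault`, `GenerateDEK`, `UnwrapDEK`, `EnvelopeEncrypt` and `EnvelopeDecrypt` names are assumptions of the demo; OCI's real wrapped-DEK format is internal to the service and the MEK never leaves the HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Vault models one master encryption key (MEK) as a list of key versions.
// In OCI the material stays inside the HSM; plain memory is a demo assumption.
type Vault struct {
	versions [][]byte // entry i is version i+1, a 32-byte AES-256 key
}

// Rotate adds a new key version and makes it current. Older versions are kept
// so that DEKs wrapped under them can still be unwrapped (decrypt only).
func (v *Vault) Rotate() uint32 {
	v.versions = append(v.versions, randBytes(32))
	return uint32(len(v.versions))
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG read is not recoverable
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key) // every key in this demo is 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk)
	return g
}

// seal and open are AES-256-GCM helpers; blob layout is nonce||ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// GenerateDEK returns a fresh plaintext DEK and its wrapped form,
// versionID(4 bytes) || AES-GCM(current MEK version, DEK). The header doubles
// as GCM additional data, so a swapped version id fails authentication.
func (v *Vault) GenerateDEK() (plain, wrapped []byte, err error) {
	cur := len(v.versions)
	if cur == 0 {
		return nil, nil, errors.New("vault has no key version; call Rotate first")
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(cur))
	plain = randBytes(32)
	return plain, append(hdr, seal(v.versions[cur-1], plain, hdr)...), nil
}

// UnwrapDEK decrypts a wrapped DEK with whichever version produced it; the
// current version is used only for new wrap operations.
func (v *Vault) UnwrapDEK(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 {
		return nil, errors.New("wrapped DEK too short")
	}
	if id := WrappedVersion(wrapped); id >= 1 && int(id) <= len(v.versions) {
		return open(v.versions[id-1], wrapped[4:], wrapped[:4])
	}
	return nil, errors.New("unknown MEK version")
}

// WrappedVersion reports which MEK version protects a wrapped DEK.
func WrappedVersion(wrapped []byte) uint32 { return binary.BigEndian.Uint32(wrapped[:4]) }

// Envelope is what a service persists: wrapped DEK plus ciphertext, never the
// plaintext DEK and never the MEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

func EnvelopeEncrypt(v *Vault, plaintext []byte) (Envelope, error) {
	dek, wrapped, err := v.GenerateDEK()
	if err != nil {
		return Envelope{}, err
	}
	defer clear(dek) // the plaintext DEK lives only for this call (Go 1.21+)
	return Envelope{WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}, nil
}

func EnvelopeDecrypt(v *Vault, e Envelope) ([]byte, error) {
	dek, err := v.UnwrapDEK(e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	defer clear(dek)
	return open(dek, e.Ciphertext, nil)
}
```

The point to notice: after `Rotate`, new envelopes carry version 2 while an envelope created earlier still carries version 1 and still decrypts, because the vault never discards old versions; the only thing that changes is which version new wrap operations use. Binding the version id into the GCM additional data also means a stored envelope cannot be quietly re-labelled to a different version.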

Import and Export keys

Importing Keys or Key Version

  • You can import your own AES and RSA key material into the Vault service
  • Once imported, the key behaves exactly as if the Vault service had generated it
  • Key material must be wrapped with the public wrapping key that comes with each vault before it is sent
  • The vault's wrapping key pair lets the HSM unwrap the material and store it securely; the plaintext key is never transmitted

Exporting Keys or Key Version

  • You can export a software-protected MEK or key version when an application on a client needs to perform cryptographic operations with it locally
  • You generate your own RSA key pair; the vault wraps the exported key material with your public key, and you unwrap it with the private key
  • Keys and key versions can be exported using the CLI only
  • Use the key locally, then discard it from memory to limit exposure of the key material
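The two wrapping flows above (customer wraps for import, vault wraps for export) are mirror images of each other. The following is an added Go example for these notes, not OCI's code: RSA-OAEP with SHA-256 stands in for the vault's wrapping scheme (an assumption; check the OCI documentation for the exact wrapping-algorithm identifier before using the real service), the vault's wrapping key pair is a freshly generated RSA-2048 key, and `Vault`, `ImportKey`, `ExportKey` and `UseExportedKey` are the demo's own names. The demo also enforces the page's rule that only software-protected keys may be exported.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const aesKeyLen = 32 // AES-256 key material

// wrapKey encrypts raw key material with RSA-OAEP (SHA-256) under the
// holder's public wrapping key; only the matching private key can unwrap it.
func wrapKey(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

func unwrapKey(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil)
}

// storedKey is a MEK held by the vault; protection mode decides exportability.
type storedKey struct {
	material     []byte
	hsmProtected bool
}

// Vault holds the wrapping key pair every vault ships with (modelled as a
// freshly generated 2048-bit RSA key, an assumption) and the keys it stores.
type Vault struct {
	wrapping *rsa.PrivateKey
	keys     map[string]storedKey
}

func NewVault() (*Vault, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Vault{wrapping: k, keys: map[string]storedKey{}}, nil
}

// PublicWrappingKey is what a customer fetches before wrapping material for import.
func (v *Vault) PublicWrappingKey() *rsa.PublicKey { return &v.wrapping.PublicKey }

// ImportKey unwraps customer-supplied material and stores it under name.
func (v *Vault) ImportKey(name string, wrapped []byte, hsmProtected bool) error {
	mat, err := unwrapKey(v.wrapping, wrapped)
	if err != nil {
		return fmt.Errorf("import %s: %w", name, err)
	}
	if len(mat) != aesKeyLen {
		return fmt.Errorf("import %s: want %d bytes of AES material, got %d", name, aesKeyLen, len(mat))
	}
	v.keys[name] = storedKey{material: mat, hsmProtected: hsmProtected}
	return nil
}

var ErrNotExportable = errors.New("HSM-protected keys cannot be exported")

// ExportKey wraps a software-protected key under the customer's public key;
// the customer unwraps it with their private key and uses it locally.
func (v *Vault) ExportKey(name string, customerPub *rsa.PublicKey) ([]byte, error) {
	k, ok := v.keys[name]
	if !ok {
		return nil, fmt.Errorf("export %s: no such key", name)
	}
	if k.hsmProtected {
		return nil, fmt.Errorf("export %s: %w", name, ErrNotExportable)
	}
	return wrapKey(customerPub, k.material)
}

// UseExportedKey is the client side of export: unwrap, do the local work, zero
// the material. The "work" here is a constant-time check against the original.
func UseExportedKey(priv *rsa.PrivateKey, blob, original []byte) (bool, error) {
	local, err := unwrapKey(priv, blob)
	if err != nil {
		return false, err
	}
	defer clear(local) // discard the key from memory once done (Go 1.21+)
	return subtle.ConstantTimeCompare(local, original) == 1, nil
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	material := make([]byte, aesKeyLen) // customer-generated AES-256 key
	if _, err := rand.Read(material); err != nil {
		panic(err)
	}
	wrapped, _ := wrapKey(v.PublicWrappingKey(), material)
	if err := v.ImportKey("app-mek", wrapped, false); err != nil {
		panic(err)
	}
	cust, _ := rsa.GenerateKey(rand.Reader, 2048)
	blob, _ := v.ExportKey("app-mek", &cust.PublicKey)
	ok, _ := UseExportedKey(cust, blob, material)
	fmt.Println("import/export round trip ok:", ok)
}
```

Two details worth keeping in mind when you do this against the real service: the private half of the vault's wrapping pair is only ever used inside the vault, so a captured import blob is useless to an attacker, and on export the same holds for your own private key, which is why you should generate it on the machine that will use the key and never ship it anywhere.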

OCI services integration with Vault

Backup and replicate Vaults and keys

  • Back up vaults and keys before deleting them so they can be restored later
  • Only virtual private vaults support backups
  • Only MEKs with the HSM protection mode can be included in a backup
  • A MEK is always associated with a vault, and that relationship persists when the key is backed up and restored
  • Backups are written to an existing or new Object Storage bucket
  • Backups can only be copied to Object Storage buckets in another region
  • Backups are useful for disaster recovery scenarios
  • A backup exports identifying information (metadata) about the vault or key
  • The Vault service encrypts backups, and only the service can restore them
  • A vault backup can optionally include its keys (provided they are in a supported lifecycle state at backup time)
  • You can back up only one vault or one key at a time
  • A backup operation requires you to specify where the backup is written

Cross-Region Replication

  • Cross-region replication helps in disaster recovery scenarios
  • Only virtual private vaults are supported for replication
  • When replication is configured, Vault service automatically synchronizes the creation, deletion, update, or moving of any keys between the source and replica vaults
  • Only one destination vault can exist for a given source vault at any time
  • You cannot create keys directly in the vault replica nor back up a vault replica
  • Cryptographic operations (encrypt, decrypt, sign, verify) can be performed against the replica vault and its keys
  • You can delete the vault replica to stop replication

Vault Secrets

  • You can store other sensitive material, such as passwords, API keys or public keys, as secrets in a vault
  • This is a more secure way to store and retrieve them than keeping them in configuration files or code; you can create secrets using the Console, CLI, or API
  • Secrets can be rotated (a new secret version is created) to limit the impact if a secret is exposed or compromised

Secret Rules

  • Secret Reuse Rule. This type of rule prevents the reuse of secret contents across different versions of a secret.
  • Secret Expiry Rule. This type of rule restricts how long the secret contents of a particular secret version can remain in use. This rule can also block the retrieval of secret contents for a secret or secret version past the configured expiration date.
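As an added Go example for these notes (not OCI's implementation), the following models a versioned secret that enforces both rule types: a reuse rule that rejects contents equal to any earlier version, and an expiry rule with a per-version time-to-live that can optionally block retrieval of expired contents. `Rules`, `Secret`, `AddVersion`, `Expired` and `Get` are the demo's own names, the rule fields are a simplification rather than the OCI API schema, and the clock is injectable so expiry can be tested without waiting.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Rules models the two OCI secret rule types (assumption: a simplified shape,
// not the OCI API schema).
type Rules struct {
	NoReuse      bool          // Secret Reuse Rule: contents must differ from every earlier version
	VersionTTL   time.Duration // Secret Expiry Rule: a version expires this long after creation; 0 = never
	BlockExpired bool          // also refuse to return contents once a version has expired
}

type secretVersion struct {
	content []byte
	created time.Time
}

// Secret is a versioned secret with an injectable clock so expiry is testable.
type Secret struct {
	rules    Rules
	versions []secretVersion
	now      func() time.Time
}

var (
	ErrReuse     = errors.New("secret contents reused from an earlier version")
	ErrExpired   = errors.New("secret version has expired")
	ErrNoVersion = errors.New("no such secret version")
)

func NewSecret(rules Rules, clock func() time.Time) *Secret {
	if clock == nil {
		clock = time.Now
	}
	return &Secret{rules: rules, now: clock}
}

// AddVersion stores new contents and returns its version number (1-based).
// With NoReuse set, contents equal to any earlier version are rejected; the
// comparison is constant-time so a near-miss takes no longer than a miss.
func (s *Secret) AddVersion(content []byte) (int, error) {
	if s.rules.NoReuse {
		for i, v := range s.versions {
			if subtle.ConstantTimeCompare(v.content, content) == 1 {
				return 0, fmt.Errorf("version %d: %w", i+1, ErrReuse)
			}
		}
	}
	s.versions = append(s.versions, secretVersion{content: append([]byte(nil), content...), created: s.now()})
	return len(s.versions), nil
}

// Expired reports whether a version is past its TTL (false when no TTL is set).
func (s *Secret) Expired(number int) (bool, error) {
	if number < 1 || number > len(s.versions) {
		return false, ErrNoVersion
	}
	if s.rules.VersionTTL == 0 {
		return false, nil
	}
	return !s.now().Before(s.versions[number-1].created.Add(s.rules.VersionTTL)), nil
}

// Get returns a copy of a version's contents (0 selects the current version).
// Expired versions are refused only when BlockExpired is set, matching the
// optional "block retrieval" behaviour of the expiry rule.
func (s *Secret) Get(number int) ([]byte, error) {
	if number == 0 {
		number = len(s.versions)
	}
	exp, err := s.Expired(number)
	if err != nil {
		return nil, err
	}
	if exp && s.rules.BlockExpired {
		return nil, fmt.Errorf("version %d: %w", number, ErrExpired)
	}
	return append([]byte(nil), s.versions[number-1].content...), nil
}

func main() {
	s := NewSecret(Rules{NoReuse: true, VersionTTL: 90 * 24 * time.Hour, BlockExpired: true}, nil)
	v1, _ := s.AddVersion([]byte("db-password-2024-q1")) // constructed sample secret
	_, err := s.AddVersion([]byte("db-password-2024-q1"))
	fmt.Println("first version:", v1, "| reuse attempt:", err)
}
```

The design choice worth noting is that expiry is evaluated at read time from the stored creation timestamp rather than by a background job, so a consumer that caches a secret version past its TTL is still refused on the next fetch; that is the property you rely on when a rotation is meant to actually retire the old value.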