Oracle Cloud Infrastructure Documentation

Creating Key References

Create key references for external keys residing in Thales (CM)

To create a key reference, you will need the following details:
  • The key ID (generated on CipherTrust Cloud Key Manager)
  • Key algorithm (AES)
  • Key length
    1. Open the Oracle Cloud Console navigation menu and click Identity & Security. Under Key Management and Secret Management, click External Key Management.
    2. In the External key Management home page, select a vault from the summary table.
    3. In the Vault Details page, click Key Reference
    4. In the Create Key Reference page, provide the following details:
      • Name. Enter a name for the key reference
      • Create in Compartment. Choose a compartment for the key reference.
      • Key Shape: Algorithm. Choose a key encryption algorithm. By default, KMS supports only AES.
      • Key Shape: Length. The AES key can be of three different key lengths (16, 24, 32 bytes).
      • External Key ID. Enter the external key ID (GUID) generated by Thales CipherTrust Manager for the external key.
    5. Click Create.

      Once you create a key reference, the OCI KMS stores the mapping of Key references (and not the actual key material) with GUIDs of keys. The actual key material is always retained in the Thales CipherTrust Manager (external key management).

  • Open a command prompt and run oci kms management key create to create a new key reference:

    oci kms management key create --external-key-reference

    Avoid entering confidential information.

    For a complete list of flags and variable options for Vault CLI commands, see Command Line Reference.

  • Run the CreateKey operation to create a key reference for the external key created in Thales CM.

    Note

    Each region has a unique endpoint for create, update, and list operations for secrets. This endpoint is referred to as the control plane URL or secret management endpoint. Each region also has a unique endpoint for operations related to retrieving secret contents. This endpoint is known as the data plane URL or the secret retrieval endpoint. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.