Managing Key References

Manage key references for external keys created in third-party key management system.

When you create a key in the Thales CM, the system generates a key ID (GUID). You can use key ID and key details (key type and shape) to create a key reference in the OCI KMS. Once you create a key reference, KMS stores the key mapping details and not the actual key material.

When you temporarily restrict access to Thales CM either by disconnecting or disabling access to specific keys, it leads to a complete loss of key access on the OCI KMS side. The key state is retained until the access is restored. During this period, you cannot decrypt the ciphertext that is encrypted using the KMS key. Also, the ciphertext that are encrypted using a KMS key in the external key store becomes unrecoverable. OCI KMS cannot create, delete, or manage any keys in external key manager.

Creation of an Key reference in OCI does not create a key in the external key manager (Thales CTM). Similarly, deletion of a key reference in OCI does not delete the external key in Thales CTM. The key reference stores only the external key metadata located in Thales CM and OCI KMS uses the key reference for handling cryptographic operation requests.


Ensure the key is in “Active” state to perform AES encryption or decryption. Also, the External KMS functionality allows you to create only AES 256 bit key reference.