Exporting Vault Keys and Key Versions

Export a software-protected master encryption key or export key versions for performing vault cryptographic operations.

You can use the key locally, and then discard the key from local memory to protect the key contents. Using an exported key locally improves availability, reliability, and latency.

Required IAM Policy


Keys associated with volumes, buckets, file systems, clusters, and stream pools will not work unless you authorize Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming to use keys on your behalf. Additionally, you must also authorize users to delegate key usage to these services in the first place. For more information, see Let a user group delegate key usage in a compartment and Let Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming services encrypt and decrypt volumes, volume backups, buckets, file systems, Kubernetes secrets, and stream pools in Common Policies. Keys associated with databases will not work unless you authorize a dynamic group that includes all nodes in the DB system to manage keys in the tenancy. For more information, see Required IAM Policy in Exadata Cloud Service

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  to work in.

For administrators: for typical policies that give access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.

If you're new to policies, see Getting Started with Policies and Common Policies.

Before You Begin

Exporting a key requires you to generate your own RSA key pair to wrap and unwrap the key material. You can use the third-party tool of your choice to generate the RSA key pair.

You can export the key or key version by using the CLI only. We've included example scripts that you can refer to. The scripts include all steps of the export process, from wrapping the key material to exporting the software-protected key or key version.

If you're using MacOS or Linux, you'll need to install the OpenSSL 1.1.1 series to run commands. If you plan to use the RSA encryption algorithm that uses a temporary AES key, then you must also patch OpenSSL with a patch that supports it, see Configuring OpenSSL Patch to Wrap Key Material. If you're using Windows, you'll need to install Git Bash for Windows and run commands with that tool.