Managing Keys

Create and manage vault keys and key versions.

For information specifically about creating vault keys with your own key material, see Importing Vault Keys and Key Versions. For information about assigning keys to protect supported resources, see Assigning Master Encryption Keys. For information about how you can use keys in cryptographic operations, see Using Master Encryption Keys. For information about backing up and restoring keys, see Backing Up and Restoring Vaults and Keys. For information about what you can do with vaults where you store keys, see Managing Vaults. For information about keys more generally, see Key and Secret Management Concepts.

Managing vault keys includes the following configurations:


For enhanced control and visibility over your vault encryption keys, the External Key Management (EKM) feature in Vault enables you to manage your keys in a third-party key management system outside of Oracle cloud. EKM is only available in the US West (San Jose) region. To enable EKM in your tenancy, contact Oracle sales.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

For administrators: for typical policies that give access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.

If you're new to policies, see Getting Started with Policies and Common Policies.

Tagging Resources

This section describes how to assign Vault keys and remove key assignments using the Console and API.

Apply tags to your resources to help organize them according to your business needs. Apply tags at the time you create a resource, or update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.

Monitoring Resources

This section describes how to monitor your Vault resources.

You can monitor your vault resources.

Moving Resources to a Different Compartment

This section describes how you can move Vault resources such as keys to a different compartment.

You can move keys from one compartment to another. After you move a key to a new compartment, inherent policies apply immediately and affect access to the key and key versions. Moving a key doesn't affect access to the vault that a key is associated with. Similarly, you can move a vault from one compartment to another independently of moving any of its keys. For more information, see Managing Compartments.