Create and manage vault keys and key versions.
For information specifically about creating vault keys with your own key material, see Importing Vault Keys and Key Versions. For information about assigning keys to protect supported resources, see Assigning Master Encryption Keys. For information about how you can use keys in cryptographic operations, see Using Master Encryption Keys. For information about backing up and restoring keys, see Backing Up and Restoring Vaults and Keys. For information about what you can do with vaults where you store keys, see Managing Vaults. For information about keys more generally, see Key and Secret Management Concepts.
Managing vault keys includes the following configurations:
- Getting a vault's key details
- Create a key
- View key details
- View a list of keys
- View a list of key versions for a specific key
- Manage key tags
- Enable keys for use in vault cryptographic operations
- Rotate keys to generate vault cryptographic material
- Disable keys to prevent their usage in vault cryptographic operations
- Delete keys to permanently prevent their usage in vault cryptographic operations or assignment to resources
- Move a key to a new compartment
For enhanced control and visibility over your vault encryption keys, the External Key Management (EKM) feature in Vault enables you to manage your keys in a third-party key management system outside of Oracle Cloud. EKM is only available in the US West (San Jose) region. To enable EKM in your tenancy, contact Oracle sales.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
For administrators: for typical policies that give access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.
This section describes how to assign Vault keys and remove key assignments using the Console and the API.
Apply tags to your resources to help organize them according to your business needs. Apply tags at the time you create a resource, or update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.
Moving Resources to a Different Compartment
This section describes how you can move Vault resources, such as keys, to a different compartment.
You can move keys from one compartment to another. After you move a key to a new compartment, inherent policies apply immediately and affect access to the key and key versions. Moving a key doesn't affect access to the vault that a key is associated with. Similarly, you can move a vault from one compartment to another independently of moving any of its keys. For more information, see Managing Compartments.