Creating a Master Encryption Key

Create a vault master encryption key.

    1. Open the navigation menu, click Identity & Security, and then click Vault.
    2. Under List scope, select a compartment that contains the vault.
    3. Click the name of the vault in which you want to create the key.

      If you need to create a new vault for the key, follow the instructions in Create Vault, and then click the name of the vault.

    4. Under Resources, click Master Encryption Keys, and then click Create Key.
    5. Select the compartment in which to create the key. Keys can also exist in a different compartment than the vault.
    6. For Protection Mode, select one of the following options:
      • To create a master encryption key that is stored and processed on a hardware security module (HSM), choose HSM.
      • To create a master encryption key that is stored and processed on a server, choose Software.

      You cannot change a key's protection mode after you create it. For more information about keys, including information about key protection modes, see Key and Secret Management Concepts.

    7. Enter a name to identify the key. Avoid entering confidential information.
    8. For Key Shape: Algorithm, select from one of the following algorithms:
      • AES. Advanced Encryption Standard (AES) keys are symmetric keys that you can use to encrypt data at rest.
      • RSA. Rivest-Shamir-Adleman (RSA) keys are asymmetric keys, also known as key pairs, that consist of a public key and a private key. You can use them to encrypt data in transit, to sign data, and to verify the integrity of signed data.
      • ECDSA. Elliptic curve cryptography digital signature algorithm (ECDSA) keys are asymmetric keys that you can use to sign data and to verify the integrity of signed data.
    9. If you selected AES or RSA, select the corresponding key shape length in bits.
    10. If you selected ECDSA, select a value for Key Shape: Elliptic Curve ID.
    11. To create a key by importing a publicly wrapped key, select the Import External Key check box and provide the following details:
      • Wrapping Key Information. This section is read-only, but you can view the public wrapping key details.
      • Wrapping Algorithm. Select RSA_OAEP_AES_SHA256 (RSA-OAEP with SHA-256 and a temporary AES key).
      • External Key Data Source. Upload the file that contains the wrapped RSA key material.
    12. Optionally, to apply tags, click Show advanced options.
      If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
    13. Click Create Key.
  • Open a command prompt and run oci kms management key create to create a new key:

    oci kms management key create --compartment-id <target_compartment_id> --display-name <key_name> --key-shape <key_encryption_information> --endpoint <control_plane_url>

    For example, on a macOS or Linux machine:

    oci kms management key create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name key-1 --key-shape '{"algorithm":"AES","length":"16"}' --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    Or, for example, on a Windows machine:

    oci kms management key create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name key-1 --key-shape '{\"algorithm\":\"AES\",\"length\":\"16\"}' --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    Avoid entering confidential information.

    By default, the service creates a master encryption key protected by an HSM. If you prefer to create a master encryption key protected by software, specify the protection mode with --protection-mode. For example, on a Windows machine:

    oci kms management key create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name key-1 --key-shape '{\"algorithm\":\"AES\",\"length\":\"16\"}' --protection-mode SOFTWARE --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.
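    The following shell script is an added example, not part of the Oracle documentation or the OCI CLI itself. It wraps the oci kms management key create command shown above so that the key shape is validated before the CLI is called: the console asks for the AES/RSA key length in bits, but the --key-shape JSON expresses length in bytes (so the "16" in the examples above means AES-128), and an ECDSA shape carries a curve ID rather than a user-chosen length. The byte lengths and curve names used here (16/24/32 for AES, 256/384/512 for RSA, NIST_P256/NIST_P384/NIST_P521 with 32/48/66 for ECDSA), the integer form of "length", and the HSM default for --protection-mode are assumptions about the Vault API that you should confirm against the Command Line Reference for your CLI version. The compartment OCID and endpoint in the usage line are placeholders.

```bash
#!/bin/sh
# Added example (not Oracle's code): validate a Vault key shape and build or run
# "oci kms management key create". Only flags shown on this page are used.
# Assumption: "length" is in bytes and ECDSA shapes need a "curveId"; confirm
# the accepted values against the Command Line Reference.
set -eu

# Map an ECDSA curve ID to the byte length the key shape is assumed to require.
ecdsa_length() {
  case "$1" in
    NIST_P256) echo 32 ;;
    NIST_P384) echo 48 ;;
    NIST_P521) echo 66 ;;
    *) return 1 ;;
  esac
}

# key_shape ALGORITHM LENGTH_IN_BYTES|CURVE_ID
# Prints the --key-shape JSON on stdout; returns non-zero for an invalid shape.
key_shape() {
  alg="$1"; arg="$2"
  case "$alg" in
    AES)
      case "$arg" in 16|24|32) ;; *) echo "AES length must be 16, 24 or 32 bytes" >&2; return 1 ;; esac
      printf '{"algorithm":"AES","length":%s}' "$arg" ;;
    RSA)
      case "$arg" in 256|384|512) ;; *) echo "RSA length must be 256, 384 or 512 bytes" >&2; return 1 ;; esac
      printf '{"algorithm":"RSA","length":%s}' "$arg" ;;
    ECDSA)
      len=$(ecdsa_length "$arg") || { echo "unknown curve ID: $arg" >&2; return 1; }
      printf '{"algorithm":"ECDSA","length":%s,"curveId":"%s"}' "$len" "$arg" ;;
    *) echo "unsupported algorithm: $alg" >&2; return 1 ;;
  esac
}

# check_mode HSM|SOFTWARE -> non-zero for anything else.
check_mode() {
  case "$1" in HSM|SOFTWARE) return 0 ;; *) echo "protection mode must be HSM or SOFTWARE" >&2; return 1 ;; esac
}

# build_create_key_cmd COMPARTMENT_OCID DISPLAY_NAME ALGORITHM LENGTH|CURVE MODE ENDPOINT
# Prints the full command line (for review or a change record) without running it.
build_create_key_cmd() {
  shape=$(key_shape "$3" "$4") || return 1
  check_mode "$5" || return 1
  printf "oci kms management key create --compartment-id %s --display-name %s --key-shape '%s' --protection-mode %s --endpoint %s" \
    "$1" "$2" "$shape" "$5" "$6"
}

# create_key: same arguments as build_create_key_cmd, but actually calls the CLI.
# The shape is passed as one argument, so no shell-specific escaping is needed.
create_key() {
  shape=$(key_shape "$3" "$4") || return 1
  check_mode "$5" || return 1
  oci kms management key create --compartment-id "$1" --display-name "$2" \
    --key-shape "$shape" --protection-mode "$5" --endpoint "$6"
}

# Usage (placeholder OCID and endpoint):
#   DRY_RUN=1 sh create_key.sh ocid1.compartment.oc1..PLACEHOLDER key-1 AES 32 HSM \
#       https://PLACEHOLDER-management.kms.us-ashburn-1.oraclecloud.com
if [ $# -eq 6 ]; then
  if [ "${DRY_RUN:-0}" = 1 ]; then
    build_create_key_cmd "$@"; echo
  else
    create_key "$@"
  fi
fi
```

    Choosing AES 32 gives a 256-bit key; a request for "AES 128" is rejected before anything reaches the service, which is the mistake the bits-versus-bytes mismatch between console and CLI invites. Because the real call passes the JSON as a single quoted argument, the same script works unchanged on Linux and macOS; the backslash-escaped form in the Windows example above is only needed when the JSON is typed inline at a Windows prompt.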

  • Run the CreateKey operation to create a new vault master encryption key.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.