Creating a Master Encryption Key
Learn how to create a master encryption key in OCI's Key Management service.
Note the following when creating master encryption keys:
- Auto-rotation: When you create a master encryption key in a virtual private vault, you have the option of enabling automatic key rotation. See the Automatic Key Rotation section of the Key and Secret Management Concepts topic for complete details. See Enabling and Updating Auto Key Rotation for instructions on updating auto-rotation settings.
- Available algorithms: You can select from the following algorithms when creating a key:
  - AES: Advanced Encryption Standard (AES) keys are symmetric keys that you can use to encrypt data at rest.
  - RSA: Rivest-Shamir-Adleman (RSA) keys are asymmetric keys, also known as key pairs, each consisting of a public key and a private key. You can use them to encrypt data in transit, to sign data, and to verify the integrity of signed data.
  - ECDSA: Elliptic Curve Digital Signature Algorithm (ECDSA) keys are asymmetric keys that you can use to sign data and to verify the integrity of signed data.
For more information on keys in OCI's Key Management service, see Keys in the Key and Secret Management Concepts topic.
Use the oci kms management key create command and required parameters to create a master encryption key:
oci kms management key create --compartment-id <target_compartment_id> --display-name <key_name> --key-shape <key_encryption_information> --endpoint <control_plane_url> --is-auto-rotation-enabled <true | false> --auto-key-rotation-details <schedule_interval_information>
The --endpoint value must be the vault's management endpoint (control plane URL), not its cryptographic endpoint. The key length in --key-shape is given in bytes, so "length": 16 is a 128-bit AES key and "length": 32 is a 256-bit AES key.
For example, the following creates an AES-128 key with automatic rotation every 90 days, starting on 2024-02-20:
oci kms management key create --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --display-name key-1 --key-shape '{"algorithm":"AES","length":16}' --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com --is-auto-rotation-enabled true --auto-key-rotation-details '{"rotationIntervalInDays": 90, "timeOfScheduleStart": "2024-02-20T00:00:00Z"}'
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
Use the CreateKey API with the Management Endpoint to create a new master encryption key.
Note
The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.
The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.
You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.
For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
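The CLI invocation above and the management/cryptographic endpoint distinction are easy to get wrong in scripts: passing the crypto endpoint to a management call, a key length in bits instead of bytes, or a value other than true/false for --is-auto-rotation-enabled. The following Python helper is an added example, not code from the OCI documentation, CLI or SDK. It validates the key-shape and auto-rotation arguments and the endpoint before emitting the oci kms management key create command. The supported lengths, ECDSA curve IDs and the 60-365 day rotation window are taken from the OCI API reference for KeyShape and AutoKeyRotationDetails and should be re-checked against the current reference; the management-endpoint host pattern is an assumption generalised from the example endpoint on this page, and the compartment OCID and display name are the placeholders used on this page.

```python
"""Validate and assemble an `oci kms management key create` command.

Added example, not part of the OCI documentation, CLI or SDK. The
constraints below (lengths per algorithm, ECDSA curve IDs, rotation window)
follow the OCI KeyShape / AutoKeyRotationDetails API reference; verify them
against the current reference before relying on them.
"""
import json
import re
import shlex
from datetime import datetime, timezone

# KeyShape.length is in BYTES, not bits: AES-256 is 32, RSA-2048 is 256.
SUPPORTED_LENGTHS = {
    "AES": (16, 24, 32),
    "RSA": (256, 384, 512),
    "ECDSA": (32, 48, 66),
}
# ECDSA keys also carry a curveId that must match the length.
ECDSA_CURVES = {32: "NIST_P256", 48: "NIST_P384", 66: "NIST_P521"}

MIN_ROTATION_DAYS, MAX_ROTATION_DAYS = 60, 365

# Assumed host pattern for a management (control-plane) endpoint, e.g.
# https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com
# The crypto (data-plane) endpoint has "-crypto" in that position and
# must not be used for management operations such as key create.
MANAGEMENT_ENDPOINT_RE = re.compile(
    r"^https://[a-z0-9]+-management\.kms\.[a-z0-9-]+\.oraclecloud\.com$"
)


def key_shape(algorithm: str, length: int) -> dict:
    """Return the --key-shape JSON object, rejecting unsupported lengths."""
    algorithm = algorithm.upper()
    if algorithm not in SUPPORTED_LENGTHS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    if length not in SUPPORTED_LENGTHS[algorithm]:
        raise ValueError(
            f"{algorithm} length must be one of {SUPPORTED_LENGTHS[algorithm]}"
            f" bytes, got {length}"
        )
    shape = {"algorithm": algorithm, "length": length}
    if algorithm == "ECDSA":
        shape["curveId"] = ECDSA_CURVES[length]
    return shape


def auto_rotation_details(interval_days: int, start: datetime) -> dict:
    """Return the --auto-key-rotation-details JSON object (UTC start time)."""
    if not MIN_ROTATION_DAYS <= interval_days <= MAX_ROTATION_DAYS:
        raise ValueError(
            f"rotationIntervalInDays must be between {MIN_ROTATION_DAYS} and"
            f" {MAX_ROTATION_DAYS}, got {interval_days}"
        )
    if start.tzinfo is None:
        raise ValueError("timeOfScheduleStart must be timezone-aware")
    start_utc = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"rotationIntervalInDays": interval_days, "timeOfScheduleStart": start_utc}


def build_create_key_command(compartment_id: str, display_name: str,
                             shape: dict, endpoint: str,
                             rotation: dict | None = None) -> str:
    """Assemble a shell-safe key create command for the management endpoint."""
    if not MANAGEMENT_ENDPOINT_RE.match(endpoint):
        raise ValueError(
            "endpoint must be the vault's management (control-plane) endpoint,"
            " not the cryptographic endpoint"
        )
    args = [
        "oci", "kms", "management", "key", "create",
        "--compartment-id", compartment_id,
        "--display-name", display_name,
        "--key-shape", json.dumps(shape),
        "--endpoint", endpoint,
        # The CLI expects the literal strings true/false here.
        "--is-auto-rotation-enabled", "true" if rotation else "false",
    ]
    if rotation:
        args += ["--auto-key-rotation-details", json.dumps(rotation)]
    return shlex.join(args)


if __name__ == "__main__":
    # Placeholder values from the documentation page, not a real tenancy.
    cmd = build_create_key_command(
        "ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz",
        "key-1",
        key_shape("AES", 32),
        "https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com",
        auto_rotation_details(90, datetime(2024, 2, 20, tzinfo=timezone.utc)),
    )
    print(cmd)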