Managing Vaults

Create and manage vaults as logical containers for encryption keys and secrets.

For information specifically about backing up and restoring vaults, see Backing Up and Restoring Vaults and Keys. For information about configuring cross-region replication for vaults and keys, see Replicating Vaults and Keys. For information about what you can do with keys, see Managing Keys. For information about what you can do with vault secrets, see Managing Vault Secrets.

The Vault service lets you create vaults in your tenancy as containers for encryption keys and secrets. If needed, a virtual private vault provides you with a dedicated partition in a hardware security module (HSM), offering a level of storage isolation for encryption keys that's effectively equivalent to a virtual independent HSM.

Vault key management includes the following configurations:

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

Open the navigation menu, click Identity & Security, and then click Vault.

If you're new to policies, see Getting Started with Policies and Common Policies.

Tagging Resources

Apply tags to your resources to help organize them according to your business needs. Apply tags at the time you create a resource, or update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.

Moving a Vault to a Different Compartment

You can move vaults from one compartment to another. After you move a vault to a new compartment, inherent policies apply immediately and affect access to the vault. Moving a vault doesn't affect access to any keys or secrets that the vault contains. You can move a key or secret from one compartment to another independently of moving the vault it's associated with.