Managing Oracle Keys
This section describes how to manage Oracle keys on CCKM. Before proceeding, you must have an Oracle vault added to the CCKM. Refer to Managing Oracle Vaults for details.
Key Creation Methods and Sources
Methods to create Oracle keys using CCKM are:
Creating/Uploading New Key Material: Add key material by creating and uploading a new source key or by creating a new native key. The key source can be:
CipherTrust (Local): A new key is first created on the CipherTrust Manager. Then, this key material is uploaded to the Oracle cloud to create a new Oracle key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Oracle (Native): A new key is directly created on Oracle cloud using a native Oracle application. The key origin is NATIVE.
Vormetric DSM: A new DSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Oracle cloud to create a new Oracle key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Luna HSM: A new Luna HSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Oracle cloud to create a new Oracle key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Cloning Existing Key Material: Clone key material from an existing key to create a new key. The key source can be:
CipherTrust (Local): An existing local CipherTrust Manager key is first cloned on the CipherTrust Manager. Then, the cloned key material is uploaded to Oracle cloud to create a new Oracle key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Vormetric DSM: An existing DSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to Oracle cloud to create a new Oracle key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Luna HSM: An existing Luna HSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to Oracle cloud to create a new Oracle key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Creating/Uploading New Key Material
To add an Oracle cloud key by creating/uploading new key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click Add Key. The Select Material Origin screen of the Add Oracle Key wizard is displayed.
Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:
CipherTrust (Local): Refer to Uploading CipherTrust (Local) Key Material for details.
Oracle (Native): Refer to Creating Oracle (Native) Key Material for details.
Luna HSM: Refer to Uploading Luna HSM Key Material for details.
Vormetric DSM: Refer to Uploading Vormetric DSM Key Material for details.
Refer to Key Creation Methods and Sources for details on key sources.
Uploading CipherTrust (Local) Key Material
Upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Configure CipherTrust Key screen is displayed.
Configure CipherTrust Key
Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to Oracle cloud.
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
Select the Key Size based on the key type:
For an AES key, the options are 128, 192, and 256.
For an RSA key, the options are 2048, 3072, and 4096.
Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud. This name helps uniquely identify an Oracle key. By default, the Key Name you specified on the previous screen is populated.
Select the desired Oracle Compartment from the drop-down list. The drop-down list shows the list of Oracle compartments added to the CCKM.
Select the desired Key Vault from the drop-down list. The drop-down list shows the list of Oracle vaults added to the CCKM.
Select the Protection Mode. The options are Software and HSM.
(Optional) Specify the tags.
To add a new tag:
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +.
Similarly, add as many tags as required.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Creating Oracle (Native) Key Material
Create the key material directly using a native Oracle application.
Select Material Origin > Select Source
Select Oracle (Native).
Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud. This name helps uniquely identify an Oracle key. By default, the Key Name you specified on the previous screen is populated.
Select the desired Oracle Compartment from the drop-down list. The drop-down list shows the list of Oracle compartments added to the CCKM.
Select the desired Key Vault from the drop-down list. The drop-down list shows the list of Oracle vaults added to the CCKM.
Select the Key Algorithm. The options are AES, RSA, and ECDSA.
Select the Key Size based on the key type:
For an AES key, the options are 16, 24, and 32.
For an RSA key, the options are 256, 384, and 512.
For an ECDSA key, the options are 256, 384, and 512.
View the Key Attributes. The options are:
Encrypt, Decrypt
Sign, Verify
Note
For AES keys, Encrypt and Decrypt are selected, for RSA keys, all are selected, for ECDSA keys, Sign and Verify are selected.
Select the Protection Mode. The options are Software and HSM.
(Optional) Specify the tags.
To add a new tag:
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +.
Similarly, add as many tags as required.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and NATIVE KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the NATIVE KEY section and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Uploading Vormetric DSM Key Material
Upload the local key material using the Vormetric DSM to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Configure DSM Key screen is displayed.
Configure DSM Key
Enter a DSM Key Name. A new key with this name will be created on the DSM and its key material will be uploaded to SAP cloud.
(Optional) Provide a Description for the key.
Select a DSM Domain for the key. The drop-down list shows the DSM domains linked with the configured DSM connection.
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
Select the Key Size based on the key type:
For an AES key, select the Key Size. The options are 128 and 256.
For an RSA key, select the Key Size. The options are 2048, 3072, and 4096.
Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud. This name helps uniquely identify an Oracle key. By default, the DSM Key Name you specified on the previous screen is populated.
Select the desired Oracle Compartment from the drop-down list. The drop-down list shows the list of Oracle compartments added to the CCKM.
Select the desired Key Vault from the drop-down list. The drop-down list shows the list of Oracle vaults added to the CCKM.
Select the Protection Mode. The options are Software and HSM.
(Optional) Specify the tags.
To add a new tag:
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +.
Similarly, add as many tags as required.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Uploading Luna HSM Key Material
Upload the local key material using the Luna HSM to configure the source key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Select Material Origin > Select Source
Select Luna HSM.
Click Next. The Configure HSM Key screen is displayed. The drop-down list shows the HSM partitions linked with the configured Luna HSM connection.
Configure HSM Key
Select the Partition ID of the desired Luna HSM partition.
Enter an HSM Key Name. A new key with this name will be created on the Luna HSM and its key material will be uploaded to Oracle cloud.
Select Key Type. The options are AES and RSA. Selecting RSA creates and uploads an RSA key pair.
Select the Key Size based on the key type:
For an AES key, the options are 128, 192, and 256.
For an RSA key, the options are 2048, 3072, and 4096.
(Optional) Specify the tags.
To add a new tag:
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +.
Similarly, add as many tags as required.
Select the Key Attributes. The options are:
Modifiable, Extractable, Sensitive (all three are selected for a BYOK Compatible key)
Encrypt, Decrypt, Wrap, Unwrap
Sign, Verify, Derive
Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud. This name helps uniquely identify an Oracle key. By default, the HSM Key Name you specified on the previous screen is populated.
Select the desired Oracle Compartment from the drop-down list. The drop-down list shows the list of Oracle compartments added to the CCKM.
Select the desired Key Vault from the drop-down list. The drop-down list shows the list of Oracle vaults added to the CCKM.
Select the Protection Mode. The options are Software and HSM.
(Optional) Specify the tags.
To add a new tag:
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +.
Similarly, add as many tags as required.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Cloning Existing Key Material
To add a new Oracle cloud key by cloning key material existing on the CipherTrust Manager, Vormetric DSM, or Luna HSM:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click Add Key. The Select Material Origin screen of the Add Oracle Key wizard is displayed.
Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following:
CipherTrust (Local): Refer to Cloning CipherTrust (Local) Key Material for details.
Vormetric DSM: Refer to Cloning Vormetric DSM Key Material for details.
Luna HSM: Refer to Cloning Luna HSM Key Material for details.
Refer to Key Creation Methods and Sources for details on these key sources.
Cloning CipherTrust (Local) Key Material
Clone and upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Select CipherTrust Key screen is displayed.
Select CipherTrust Key
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
Select the Key Size based on the key type:
For an AES key, select the Key Size. The options are 128, 192, and 256.
For an RSA key, select the Key Size. The options are 2048, 3072, and 4096.
Select the desired key from the CipherTrust Key Name drop-down list. This field shows the available local CipherTrust Manager keys.
Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud. This name helps uniquely identify an Oracle key. By default, the CipherTrust Key Name you specified on the previous screen is populated.
Select the desired Oracle Compartment from the drop-down list. The drop-down list shows the list of Oracle compartments added to the CCKM.
Select the desired Key Vault from the drop-down list. The drop-down list shows the list of Oracle vaults added to the CCKM.
Select the Protection Mode. The options are Software and HSM.
(Optional) Specify the tags.
To add a new tag:
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +.
Similarly, add as many tags as required.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Cloning Vormetric DSM Key Material
Clone and upload the local key material using the Vormetric DSM to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Select DSM Key screen is displayed.
Select DSM Key
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
Select the Key Size based on the key type:
For an AES key, select the Key Size. The options are 128 and 256.
For an RSA key, select the Key Size. The options are 2048, 3072, and 4096.
Select the desired key from the DSM Key Name drop-down list. This field shows the available DSM keys.
Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud. This name helps uniquely identify an Oracle key. By default, the DSM Key Name you specified on the previous screen is populated.
Select the desired Oracle Compartment from the drop-down list. The drop-down list shows the list of Oracle compartments added to the CCKM.
Select the desired Key Vault from the drop-down list. The drop-down list shows the list of Oracle vaults added to the CCKM.
Select the Protection Mode. The options are Software and HSM.
(Optional) Specify the tags.
To add a new tag:
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +.
Similarly, add as many tags as required.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Cloning Luna HSM Key Material
Clone and upload the local key material using the Luna HSM to configure the source key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Select Material Origin > Select Source
Select Luna HSM.
Click Next. The Select HSM Key screen is displayed.
Select HSM Key
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
Select the Key Size based on the key type:
For an AES key, select the Key Size. The options are 128, 192, and 256.
For an RSA key, select the Key Size. The options are 2048, 3072, and 4096.
Select the desired key from the HSM Key Name drop-down list. This field shows the available Luna HSM keys.
Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud. This name helps uniquely identify an Oracle key. By default, the HSM Key Name you specified on the previous screen is populated.
Select the desired Oracle Compartment from the drop-down list. The drop-down list shows the list of Oracle compartments added to the CCKM.
Select the desired Key Vault from the drop-down list. The drop-down list shows the list of Oracle vaults added to the CCKM.
Select the Protection Mode. The options are Software and HSM.
(Optional) Specify the tags.
To add a new tag:
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +.
Similarly, add as many tags as required.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Viewing Oracle Keys
The Oracle Keys page shows the list of Oracle keys available on the CipherTrust Manager.
To view the Oracle keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle. The list of available Oracle keys is displayed. The Oracle Keys page displays the following details:
Field: Description
Name: Unique, user-friendly name of the Oracle key. Click the link to view additional details of the key or edit the key. Refer to Viewing or Editing Details of Oracle Keys. This name is useful in searching for specific keys.
Key ID: ID of the Oracle key.
Tenant: OCI tenant in which the key is created.
Compartment: Name of the OCI compartment where the key resides.
Vault: Name of the OCI vault where the key resides.
Protection Mode: Protection mode for the key - HSM or Software.
Algorithm: Algorithm of the Oracle key. AES, RSA, and ECDSA algorithms with different key sizes are supported.
State: State of the Oracle key.
Region: Region of the key.
Version: Version of the key.
Creation Date: Date and time when the Oracle key is created.
Origin: Source of the key material used for the version. The origin can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.
Refer to Key Creation Methods and Sources for details.
The Region, Version, Creation Date, and Origin columns are hidden by default. To show/hide a column, click the custom view icon, select/clear the desired column, and click OK.
Viewing Key Versions
To view the versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle. The list of available Oracle keys is displayed.
Click the expand icon corresponding to the desired key. The mini detail view shows the list of key versions with their details.
Field: Description
Version ID: ID of the key version.
State: State of the key version. The state can be enabled or disabled.
Origin: Source of the key material. The origin of the key can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.
Creation Date: Date and time when the Oracle key is created.
Alternatively, you can view the versions of a key in the details view of the key. Refer to Viewing Key Version Details for details.
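The Origin, Protection Mode, and State fields described above lend themselves to an inventory check. The following added example (not Thales or Oracle code) audits key records against a sample bring-your-own-key policy; the record layout, the sample keys, the finding labels, and the policy itself (HSM protection required, non-ECDSA key material must originate from CCKM) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Origin values as listed in the Origin field above.
ORIGIN_CCKM = "CCKM"
ORIGIN_NATIVE = "Native"
ORIGIN_EXTERNAL = "External (Unknown)"

# On this page, uploaded or cloned key material is AES or RSA only; ECDSA is
# offered only for Oracle (Native) keys, so the BYOK rule must exempt it.
NATIVE_ONLY_ALGORITHMS = frozenset({"ECDSA"})
DELETION_STATES = frozenset({"SCHEDULING_DELETION", "PENDING_DELETION"})


@dataclass
class KeyVersion:
    version_id: str
    state: str       # "enabled" or "disabled"
    origin: str


@dataclass
class OracleKey:
    name: str
    vault: str
    protection_mode: str   # "HSM" or "Software"
    algorithm: str         # "AES", "RSA" or "ECDSA"
    state: str
    versions: list = field(default_factory=list)


def audit_key(key, require_hsm=True):
    """Return policy findings for one key; an empty list means compliant."""
    findings = []
    if key.state in DELETION_STATES:
        findings.append("deletion-scheduled")
    if require_hsm and key.protection_mode != "HSM":
        findings.append("software-protected")
    origins = set()
    for version in key.versions:
        origins.add(version.origin)
        if version.origin == ORIGIN_EXTERNAL:
            findings.append(f"unknown-origin:{version.version_id}")
        elif (version.origin == ORIGIN_NATIVE
              and key.algorithm not in NATIVE_ONLY_ALGORITHMS):
            findings.append(f"native-material:{version.version_id}")
        elif version.origin not in (ORIGIN_CCKM, ORIGIN_NATIVE):
            findings.append(f"unrecognized-origin-value:{version.version_id}")
    # Versions are checked individually because each version has its own origin.
    if len(origins) > 1:
        findings.append("mixed-origins")
    return findings


def audit_inventory(keys, require_hsm=True):
    """Map key name -> findings, listing only keys that violate the policy."""
    report = {}
    for key in keys:
        findings = audit_key(key, require_hsm)
        if findings:
            report[key.name] = findings
    return report


# Constructed sample inventory (not real keys).
SAMPLE_KEYS = [
    OracleKey("payments-kek", "vault-a", "HSM", "AES", "Enabled",
              [KeyVersion("v1", "enabled", ORIGIN_CCKM),
               KeyVersion("v2", "enabled", ORIGIN_CCKM)]),
    OracleKey("signing-ec", "vault-a", "HSM", "ECDSA", "Enabled",
              [KeyVersion("v1", "enabled", ORIGIN_NATIVE)]),
    OracleKey("reports-rsa", "vault-b", "Software", "RSA", "Enabled",
              [KeyVersion("v1", "disabled", ORIGIN_CCKM),
               KeyVersion("v2", "enabled", ORIGIN_NATIVE)]),
    OracleKey("legacy-aes", "vault-b", "HSM", "AES", "PENDING_DELETION",
              [KeyVersion("v1", "enabled", ORIGIN_EXTERNAL)]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_KEYS).items():
        print(f"{name}: {', '.join(findings)}")
```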
Viewing or Editing Details of Oracle Keys
After a key is created, you can add tags to it, schedule its rotation, and view its versions.
In the edit view of a key, you can view all the key details, such as its ID, compartment, vault, state, algorithm, and region.
To view or edit an Oracle key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle. The list of available Oracle keys is displayed.
Click the overflow icon corresponding to the desired key and click View/Edit Details. Alternatively, you can click the key name link. The edit view of the key is displayed. The edit view is divided into:
GENERAL INFO: View the key ID and add tags. Refer to Adding/Removing Tags for details.
KEY SCHEDULE: Add, update, and disable a key rotation schedule. Refer to Adding or Changing Key Rotation Schedule and Disabling Key Rotation Schedule.
KEY VERSIONS: View details of key versions. Refer to Viewing Key Version Details.
Adding/Removing Tags
To add tags to a key:
Expand the GENERAL INFO section, if needed.
Select a Tag Namespace. The options are:
Free Form: Allows adding free form tags.
Oracle Tags: Allows adding tags based on created on and created by.
Specify a Tag Key.
Specify a Tag Value.
Click +. Similarly, add as many tags as required.
Click Update.
The tag is added to the key.
To remove a tag:
Expand the GENERAL INFO section, if needed.
Click the close icon in the added tags.
Click Update.
Adding or Changing Key Rotation Schedule
To add or update a key rotation schedule:
Expand the KEY SCHEDULE section.
From the Select Rotation Schedule drop-down list, select the desired schedule.
Select the Key Origin. The options are:
CipherTrust
Native
Luna: Also select the Luna HSM Partition.
DSM: Also select the DSM Domain.
For keys based on ECDSA algorithms, only Native is available as the key origin.
Click Update.
The key rotation schedule is added/updated. The selected schedule is now assigned to the key. To view all the keys assigned to a schedule, refer to Viewing Keys Assigned to Schedules.
Disabling Key Rotation Schedule
To disable a key rotation schedule:
Expand the KEY SCHEDULE section.
Next to the Select Rotation Schedule drop-down list, click the close icon.
Auto key rotation is disabled.
Viewing Key Version Details
To view the details of key versions, expand the KEY VERSIONS section. The key version details are displayed. Refer to Viewing Key Versions for details.
Refreshing Oracle Keys
Refreshing is the process of downloading keys created in Oracle vaults to CCKM. You can refresh individual keys or all keys from all Oracle vaults at once.
Refreshing All Keys
To refresh all keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle. The Oracle Keys tab is displayed. This tab displays the list of Oracle keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refreshing all keys is a time-intensive operation that could take several hours or days to complete. It will continue running in the background.
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Oracle > Oracle Keys page.
Refreshing Individual Keys
To refresh individual keys and their versions:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle. The Oracle Keys page is displayed. This page displays the list of Oracle keys.
Click the overflow icon corresponding to the desired key.
Click Refresh. The Refresh Key dialog box is displayed. The key and all its versions will be refreshed.
Click Refresh to confirm the action.
The key with its versions is refreshed successfully.
The refreshed key and its versions are listed on the Cloud Keys > Oracle > Oracle Keys page.
Disabling an Oracle Key
If required, you can disable an enabled key. A disabled key cannot operate on data. Disabling a key disables all versions of the key.
To disable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Disable. The Disable Key dialog box is displayed.
Click Disable to confirm the action.
The state of the key changes to Disabling and finally to Disabled.
Enabling an Oracle Key
If required, you can enable a disabled key. Enabling a key enables all versions of the key.
To enable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Enable. The Enable Key dialog box is displayed.
Click Enable to confirm the action.
The state of the key changes to Enabling and finally to Enabled.
Moving Keys to Another Compartment
If needed, you can move a key to another Oracle compartment.
To move a key to another compartment:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Move Resource. The Move Resource dialog box is displayed.
Select Compartment from the drop-down list. The drop-down list shows the list of Oracle compartments linked with the added Oracle vaults.
Click Save.
The key is moved to the selected compartment.
Adding a Key Version
CCKM provides two methods to add a new version to a key. Refer to Key Creation Methods and Sources for details on key creation methods and key sources.
To add a new key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Add Version. The Add Version dialog box is displayed.
Select Method. The options are:
Create/Upload New Key Material: Refer to Adding Key Version by Creating New Key Material.
Clone Existing Key Material: Refer to Adding Key Version by Cloning Existing Key Material.
Adding Key Version by Creating New Key Material
Select Create/Upload New Key Material as the method.
Select Source. The options are:
CipherTrust (Local): Select this option and specify Key Name for the new key version.
Oracle (Native): Select this option to create a new native Oracle key.
Vormetric DSM: Select this option, specify Key Name for the new key version and select the DSM Domain.
Luna HSM: Select this option, select the Partition ID, Mechanism, and Key Attributes, and specify Key Name for the new key version.
The key attributes Modifiable, Extractable, and Sensitive are selected for a BYOK Compatible key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Click Add Version.
A new version is added to the key. The Version Count increases by one on the Oracle Keys page.
Adding Key Version by Cloning Existing Key Material
Select Clone Existing Key Material as the method.
Select Source. The options are:
CipherTrust (Local): Select this option and select a key source for the new key version.
Vormetric DSM: Select this option and select a key source for the new key version.
Luna HSM: Select this option and select a key source for the new key version.
Select Source. The option is:
- CipherTrust (Local): Select this option and select a key source for the new key version.
Click Add Version.
A new version is added to the key. The Version Count increases by one on the Oracle Keys page.
Scheduling Deletion of a Key
With CCKM, you can schedule deletion of an Oracle key. The key is removed from Oracle at the specified time. Oracle enforces a waiting period of 7 to 30 days. After a key is deleted, it cannot be restored and the data encrypted with the key is unrecoverable. The scheduled key deletion can be canceled before the waiting period ends.
To schedule the deletion of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Schedule Key Deletion. The Schedule Key Deletion dialog box shows the name and ID of the key.
Select I wish to delete this key.
Specify the Waiting period (in Days). The default waiting period is 30 days.
Click Schedule Deletion.
A message stating that the key is scheduled for deletion is displayed. The key state changes to SCHEDULING_DELETION, then to PENDING_DELETION until the waiting period is over. After the waiting period is over, the key state becomes DELETED.
You can cancel the scheduled deletion of a key before the waiting period expires. Refer to Canceling Deletion of a Key for details.
Canceling Deletion of a Key
Before the waiting period ends, the scheduled deletion of a key with the state PENDING_DELETION can be cancelled.
To cancel the scheduled deletion of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key with the state PENDING_DELETION.
Click Cancel Key Deletion. The Cancel Key Deletion dialog box shows the name and ID of the key.
Select I wish to cancel key deletion.
Click Cancel Schedule Deletion.
A message stating that the key deletion is canceled is displayed. The key state changes to CANCELLING_DELETION, then to ENABLED.
Removing a Key
When an Oracle key is deleted from Oracle cloud, its status on the CipherTrust Manager becomes DELETED. You can remove such keys with their versions and backup from the CipherTrust Manager.
To remove an Oracle key from the CipherTrust Manager:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key with the state DELETED.
Click Remove Key. The Remove Key dialog box is displayed.
Click Remove Key to confirm the action.
A message stating that the key is removed successfully is displayed.
Removing a Key Backup
When the synchronization is initiated, Oracle cloud allows backup of keys that:
Are stored in Virtual Private Vaults (VPVs)
Are stored in vaults that have associated bucket credentials
Have the HSM protection mode
When an Oracle key is deleted from Oracle cloud, its status on the CipherTrust Manager becomes DELETED. You can remove the backup of such keys from the CipherTrust Manager.
To remove the backup of an Oracle key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key with the state DELETED.
Click Remove Key Backup. The Remove Key Backup dialog box is displayed.
Click Remove Key Backup to confirm the action.
A message stating that the key backup is removed successfully is displayed.
Restoring a Deleted Key
Only the keys with backup on the CipherTrust Manager can be restored.
To restore a deleted key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Restore Key. The Restore Key dialog box is displayed.
Click Restore to confirm the action.
A message stating that the key is restored successfully is displayed.
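The deletion, cancellation, and restore rules described above can be turned into a pre-deletion review over an exported key inventory. The following is an added example, not CCKM or Oracle code; the record fields (name, state, delete_at, has_backup), the warn_days threshold, and the sample keys are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MIN_WAIT_DAYS, MAX_WAIT_DAYS = 7, 30  # Oracle waiting period stated on this page

def deletion_time(scheduled_at, waiting_days=30):
    """Return when the key becomes DELETED; reject periods outside 7-30 days."""
    if not MIN_WAIT_DAYS <= waiting_days <= MAX_WAIT_DAYS:
        raise ValueError(f"waiting period must be {MIN_WAIT_DAYS}-{MAX_WAIT_DAYS} days")
    return scheduled_at + timedelta(days=waiting_days)

def audit_pending_deletions(keys, now, warn_days=3):
    """Rank keys in PENDING_DELETION by how urgently they need review.

    Each record is a dict with hypothetical fields: name, state,
    delete_at (aware datetime or None), has_backup (bool).
    """
    findings = []
    for key in keys:
        if key["state"] != "PENDING_DELETION":
            continue  # only PENDING_DELETION keys can still be canceled
        days_left = max((key["delete_at"] - now).days, 0)  # clamp overdue keys to 0
        if not key["has_backup"]:
            severity = "critical"  # no backup on CipherTrust Manager: Restore Key unavailable
        elif days_left <= warn_days:
            severity = "warning"   # restorable, but the cancel window is closing
        else:
            severity = "info"
        findings.append({"name": key["name"], "days_left": days_left,
                         "restorable": key["has_backup"], "severity": severity})
    # Critical findings first, then the keys closest to deletion.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["days_left"]))

# Constructed sample inventory (not real keys).
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)

def sample_key(name, day, wait, has_backup):
    scheduled = datetime(2024, 5, day, 12, 0, tzinfo=timezone.utc)
    return {"name": name, "state": "PENDING_DELETION",
            "delete_at": deletion_time(scheduled, wait), "has_backup": has_backup}

SAMPLE_KEYS = [
    sample_key("billing-db-key", 1, 30, True),
    sample_key("legacy-archive-key", 15, 7, False),
    sample_key("test-key", 14, 7, True),
    {"name": "app-key", "state": "ENABLED", "delete_at": None, "has_backup": True},
]

if __name__ == "__main__":
    for finding in audit_pending_deletions(SAMPLE_KEYS, NOW):
        print(finding)
```
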