Managing External Keys
This section describes how to manage external keys on CCKM. Before proceeding, you must have an external vault added to the CCKM. Refer to Managing External Vaults for details.
Note
This section describes the operations specific to the external keys.
External keys do not support the enable key, disable key, schedule key deletion, move resource, and restore deleted keys operations.
All other operations that can be performed on external keys are similar to those for Oracle BYOK keys, as described in Managing Oracle Keys.
CCKM doesn't support FM-enabled Luna HSM as a key source.
Adding External Keys
To add an external key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click Add Key. The Key Material Origin screen of the Add Oracle Key wizard is displayed.
Key Material Origin
Select an external Vault from the drop-down list. The list shows available external and default vaults.
The Oracle Compartment field is unavailable (read-only) for external vaults.
Select Oracle External (HYOK) as the Origin Type.
Select CipherTrust (Local) as the Source. This is the only supported external key source.
Click Next. The Source Key screen is displayed.
Source Key
Select the Source Key Material. This specifies how to create the key. The options are:
Create New Key: Click to create a fresh key. Specify an Oracle Key Name.
Select Existing Key: Click to create a new key by selecting an existing key. Select an existing key from the Select a source key drop-down list.
Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on the Oracle cloud. This name helps uniquely identify an external key.
Enter a Rego policy to be associated with the external key.
Click Next. The Review and Add screen is displayed.
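The policy entered in the Configure Oracle Key step is written in Rego. The following is an added illustration of a default-deny policy for an external (HYOK) key; it is not a sample from this page or from CCKM. The package name, the input fields (operation, compartment_id), and the compartment OCIDs are assumptions used for illustration; the actual input document that CCKM evaluates a policy against is defined by the product, so the field names must be replaced with the documented ones. The import rego.v1 line assumes an OPA release of 0.59 or later; on older engines it would be dropped.

```rego
# Added illustrative policy, not CCKM's own sample. The package name and the
# shape of `input` (operation, compartment_id) are assumptions.
package hyok.external_key

import rego.v1

# Default deny: any request not explicitly allowed by a rule below is refused.
# Because `allow` is evaluated directly, a request missing a field evaluates to
# undefined, which falls back to this default rather than to an allow.
default allow := false

# Cryptographic operations this key may be used for; anything else is denied.
allowed_operations := {"encrypt", "decrypt", "generate_data_encryption_key"}

# Compartments permitted to use the key. Placeholder OCIDs, not real values.
allowed_compartments := {
	"ocid1.compartment.oc1..PLACEHOLDER_PROD",
}

allow if {
	input.operation in allowed_operations
	input.compartment_id in allowed_compartments
}

# Human-readable denial reasons for audit logs. These are reported alongside
# `allow`, never used to derive it, so a missing field can only produce a
# reason, never an accidental allow.
deny contains msg if {
	op := object.get(input, "operation", "<missing>")
	not op in allowed_operations
	msg := sprintf("operation %q is not permitted for this key", [op])
}

deny contains msg if {
	comp := object.get(input, "compartment_id", "<missing>")
	not comp in allowed_compartments
	msg := sprintf("compartment %q may not use this key", [comp])
}
```

With this structure, a request such as {"operation": "decrypt", "compartment_id": "ocid1.compartment.oc1..PLACEHOLDER_PROD"} yields allow = true and an empty deny set, while {"operation": "export"} yields allow = false with two reasons. Keeping the allowlist explicit means a new operation or compartment must be added deliberately rather than being admitted by omission.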
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, Source Key, and HYOK KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the Source Key and HYOK KEY sections and update the details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the HYOK KEY section becomes Complete and the Oracle Key ID link is displayed, the key is created successfully.
Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Viewing or Editing Details of External Keys
After a key is created, you can add tags to it, schedule its rotation, and view its versions.
In the edit view of a key, you can view all the key details, such as its ID, compartment, vault, state, algorithm, and region.
To view or edit an external key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle. The list of available keys is displayed.
Click the overflow icon corresponding to the desired key, and then click View/Edit Details. Alternatively, click the key name link. The edit view of the key is displayed. The edit view is divided into:
GENERAL INFO: View and update the key name and policy. Refer to Updating Key Name and Policy for details.
KEY SCHEDULE: Add, update, and disable a key rotation schedule. Refer to Adding or Changing Key Rotation Schedule and Disabling Key Rotation Schedule.
KEY VERSIONS: View details of key versions. Refer to Viewing Key Version Details.
Updating Key Name and Policy
To update the key name and policy:
Edit Key Name.
Edit Policy.
Click Update.
Adding or Changing Key Rotation Schedule
To add or update a key rotation schedule:
Expand the KEY SCHEDULE section.
From the Select Rotation Schedule drop-down list, select the desired schedule.
Select the Key Origin as CipherTrust (Local).
Click Update.
The key rotation schedule is added/updated. The selected schedule is now assigned to the key. To view all the keys assigned to a schedule, refer to Viewing Keys Assigned to Schedules.
Disabling Key Rotation Schedule
To disable a key rotation schedule:
Expand the KEY SCHEDULE section.
Next to the Select Rotation Schedule drop-down list, click the close icon.
Auto key rotation is disabled.
Viewing Key Version Details
To view the details of key versions, expand the KEY VERSIONS section. The key version details are displayed.
Adding a Key Version
To add a new key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Add Version. The Add Version dialog box is displayed.
Select a Method. The options are Create New Key and Select Existing Key.
Click the desired tab to view the instructions.
Select Source as CipherTrust (Local).
Enter Key Name.
Select the desired Source Key from the drop-down list.
Note
It is not recommended to delete a source key that is being used for cryptographic operations.
Click Add Version.
Blocking Oracle Keys
You can block a key that belongs to external vaults. To block a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Block. The Block Key dialog box is displayed.
Click Block Key to confirm the action.
The key is blocked. The state of the external key changes to Blocked.
Unblocking Oracle Keys
You can unblock a blocked key that belongs to external vaults. To unblock a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the desired key.
Click Unblock. The Unblock Key dialog box is displayed.
Click Unblock Key to confirm the action.
The key is unblocked. The state of the external key changes to Unblocked.
Deleting External Keys
Because an external key (HYOK) resides on the CipherTrust Manager, it does not require a deletion schedule. The key can be deleted directly from the CipherTrust Manager.
Caution
Before deleting an external key, ensure that the key is not being referred to by the OCI KMS.
To delete an external key from the CipherTrust Manager:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Oracle.
Click the overflow icon corresponding to the key to be deleted.
Click Remove Key. The Remove Key dialog box is displayed.
Click Remove Key to confirm the action.
A message stating that the key is removed successfully is displayed.