Managing Oracle Keys
This section describes how to manage Oracle keys on CCKM. Before proceeding, you must have an Oracle vault added to the CCKM. Refer to Managing Oracle Vaults for details.
Key Creation Methods and Sources
Key material for new OCI keys can be added by:
- Creating and uploading a new source key, or creating a new Oracle native key.
- Copying key material from an existing source key to create a new key.
For adding OCI keys, CCKM supports the following key material sources:
- External (BYOK): External (Bring Your Own Key). Add key material by creating or uploading a new source key from an external source. Refer to Adding Key Material Using External (BYOK) Source for details. You can select CipherTrust Manager (External) or CipherTrust Manager (Local) as the external key source.
- Oracle External (HYOK): External KMS (Hold Your Own Key). Add an HYOK key tied to key material stored in an external key vault. This option is available for external key vaults only. Refer to Adding Key Material Using Oracle External (HYOK) Source for details. You can select CipherTrust Manager (Local) as the external key source.
- Oracle Native: Create Oracle key material directly with the native Oracle application. Refer to Creating Native Key Material for details.
Adding Key Material Using External (BYOK) Source
To add key material using external BYOK as a key source:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click Add Key. The Key Material Origin screen of the Add Oracle Key wizard is displayed.
Key Material Origin
- Select External (BYOK) as the Origin Type. This is the default option.
- Select the desired Vault from the drop-down list. The list shows the available external and default vaults.
- Select an Oracle Compartment from the drop-down list. The list shows the compartments available for the selected vault. This field is mandatory for default vaults and read-only for external vaults.
- Select CipherTrust (Local) as the Source.
- Click Next. The Configure CipherTrust (Local) Key screen is displayed.
Configure CipherTrust (Local) Key
- Select the Source Key Material. This specifies how the key is created. The options are:
  - Create New Key: Click to create a fresh key, then:
    - Enter a Key Name.
    - Select the Key Type from the available options. The supported key types are AES and RSA.
    - Select the Key Size from the available options.
  - Copy Existing Key: Click to create a new key by copying an existing key. Select the Key Type, the Key Size, and an existing key from the CipherTrust Key Name drop-down list.
- Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
- Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud and helps uniquely identify the Oracle key. By default, the Key Name you specified on the previous screen is populated.
- Select the Protection Mode. The options are Software and HSM.
- (Optional) Specify the tags. To add a new tag:
  - Select a Tag Namespace. The options are:
    - Free Form: Allows adding free-form tags.
    - Oracle Tags: Allows adding tags based on created on and created by.
  - Specify a Tag Key.
  - Specify a Tag Value.
  - Click +.
  Similarly, add as many tags as required.
- Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and BYOK KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
- Review the key details displayed on the screen.
  If any details are incorrect or you want to make changes, click Edit next to the section you want to change and update the details. Alternatively, click Back and make the changes, as appropriate.
- Click Add Key.
  The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
  When the status next to the BYOK KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
- Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Adding Key Material Using Oracle External (HYOK) Source
To add key material using external Oracle HYOK as a key source:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click Add Key. The Key Material Origin screen of the Add Oracle Key wizard is displayed.
Key Material Origin
- Select Oracle External (HYOK) as the Origin Type.
- Select the desired external Vault from the drop-down list. The list shows the available external and default vaults.
  The Oracle Compartment field is unavailable (read-only) for external vaults.
- Select CipherTrust (Local) as the Source.
- Click Next. The Source Key screen is displayed.
Source Key
- Select the Source Key Material. This specifies how the key is created. The options are:
  - Create New Key: Click to create a fresh key. Specify the Oracle Key Name for the new key.
  - Copy Existing Key: Click to create a new key by copying an existing key. Select a source key from the available options.
- Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
- Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud and helps uniquely identify the Oracle key. By default, the Oracle Key Name you specified on the previous screen (if creating a new key) is populated.
- Specify a Rego policy for the key.
- Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, HYOK KEY, and POLICY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
- Review the key details displayed on the screen.
  If any details are incorrect or you want to make changes, click Edit next to the SOURCE KEY or HYOK KEY section and update the details. Alternatively, click Back and make the changes, as appropriate.
- Click Add Key.
  The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
  When the status next to the SOURCE KEY and HYOK KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
- Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Creating Native Key Material
To create an Oracle key using the native Oracle application:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click Add Key. The Key Material Origin screen of the Add Oracle Key wizard is displayed.
Key Material Origin
- Select Oracle Native as the Origin Type.
- Select the desired Vault from the drop-down list. The list shows the available external and default vaults.
- Select an Oracle Compartment from the drop-down list. The list shows the compartments available for the selected vault. This field is mandatory for default vaults and read-only for external vaults.
- Click Next. The Configure Oracle Key screen is displayed.
Configure Oracle Key
- Enter a unique, user-friendly alias as the Oracle Key Name. This will be the key name on Oracle cloud and helps uniquely identify the Oracle key.
- Select the Key Algorithm. The options are AES, RSA, and ECDSA.
- Select the Key Size based on the key algorithm:
  - For an AES key, the options are 16, 24, and 32.
  - For an RSA key, the options are 256, 384, and 512.
  - For an ECDSA key, the options are 256, 384, and 512.
- Select the Protection Mode. The options are Software and HSM.
- (Optional) Specify the tags. To add a new tag:
  - Select a Tag Namespace. The options are:
    - Free Form: Allows adding free-form tags.
    - Oracle Tags: Allows adding tags based on created on and created by.
  - Specify a Tag Key.
  - Specify a Tag Value.
  - Click +.
  Similarly, add as many tags as required.
- Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and NATIVE KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
- Review the key details displayed on the screen.
  If any details are incorrect or you want to make changes, click Edit next to the NATIVE KEY section and update the details. Alternatively, click Back and make the changes, as appropriate.
- Click Add Key.
  The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
  When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
- Click Close. The Add Oracle Key wizard is closed.
The newly created key is displayed in the list of Oracle keys.
Viewing Oracle Keys
The Oracle Keys page shows the list of Oracle keys available on the CipherTrust Manager.
To view the Oracle keys:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle. The list of available Oracle keys is displayed.
The Oracle Keys page displays the following fields:
- Name: Unique, user-friendly name of the Oracle key. Click the link to view additional details of the key or to edit the key. Refer to Viewing or Editing Details of Oracle Keys. This name is useful when searching for specific keys.
- Key ID: ID of the Oracle key.
- Tenancy: Name of the Oracle tenancy.
- Compartment: Name of the OCI compartment where the key resides.
- Vault: Name of the OCI vault where the key resides.
- Protection Mode: Protection mode of the key, HSM or Software.
- Algorithm: Algorithm of the Oracle key. AES, RSA, and ECDSA algorithms with different key sizes are supported.
- State: State of the Oracle key.
- Region: Region of the key.
- Version: Version of the key.
- Creation Date: Date and time when the Oracle key was created.
- Deletion Date: Date and time when the Oracle key was deleted.
- Origin: Source of the key material used for the version. The origin can be:
  - CCKM: Key material is created on CCKM.
  - Native: Key material is created on the cloud.
  - External (Unknown): Source of the key material is unknown; it is neither CCKM nor the native cloud.
  Refer to Key Creation Methods and Sources for details.
The Region, Version, Creation Date, and Origin columns are hidden by default. To show or hide a column, click the custom view icon, select or clear the desired column, and click OK.
Viewing Key Versions
To view the versions of a key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle. The list of available Oracle keys is displayed.
- Click the expand icon corresponding to the desired key. The mini detail view shows the list of key versions with the following details:
  - Version ID: ID of the key version.
  - State: State of the key version. The state can be enabled or disabled.
  - Origin: Source of the key material. The origin of the key can be:
    - CCKM: Key material is created on CCKM.
    - Native: Key material is created on the cloud.
    - External (Unknown): Source of the key material is unknown; it is neither CCKM nor the native cloud.
  - Creation Date: Date and time when the Oracle key was created.
Alternatively, you can view the versions of a key in the details view of the key. Refer to Viewing Key Version Details for details.
Viewing or Editing Details of Oracle Keys
After a key is created, you can add tags to it, schedule its rotation, and view its versions.
In the edit view of a key, you can view all the key details, such as its ID, compartment, vault, state, algorithm, and region.
To view or edit an Oracle key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle. The list of available Oracle keys is displayed.
- Click the overflow icon corresponding to the desired key and click View/Edit Details. Alternatively, click the key name link. The edit view of the key is displayed. The edit view is divided into:
  - GENERAL INFO: View the key ID and add tags. Refer to Adding/Removing Tags for details.
  - KEY SCHEDULE: Add, update, and disable a key rotation schedule. Refer to Adding or Changing Key Rotation Schedule and Disabling Key Rotation Schedule.
  - KEY VERSIONS: View details of key versions. Refer to Viewing Key Version Details.
Adding/Removing Tags
To add tags to a key:
- Expand the GENERAL INFO section, if needed.
- Select a Tag Namespace. The options are:
  - Free Form: Allows adding free-form tags.
  - Oracle Tags: Allows adding tags based on created on and created by.
- Specify a Tag Key.
- Specify a Tag Value.
- Click +. Similarly, add as many tags as required.
- Click Update.
The tag is added to the key.
To remove a tag:
- Expand the GENERAL INFO section, if needed.
- Click the close icon on the tag to remove.
- Click Update.
Adding or Changing Key Rotation Schedule
To add or update a key rotation schedule:
- Expand the KEY SCHEDULE section.
- From the Select Rotation Schedule drop-down list, select the desired schedule.
- Select the Key Origin. The options are:
  - CipherTrust (Local)
  - CipherTrust (External): also select the Domain of the CipherTrust Manager.
  - Native
  For keys based on ECDSA algorithms, only Native is available as the key origin.
- Click Update.
The key rotation schedule is added or updated, and the selected schedule is now assigned to the key. To view all the keys assigned to a schedule, refer to Viewing Keys Assigned to Schedules.
Disabling Key Rotation Schedule
To disable a key rotation schedule:
- Expand the KEY SCHEDULE section.
- Next to the Select Rotation Schedule drop-down list, click the close icon.
Auto key rotation is disabled.
Viewing Key Version Details
To view the details of key versions, expand the KEY VERSIONS section. The key version details are displayed. Refer to Viewing Key Versions for details.
Refreshing Oracle Keys
Refreshing is the process of downloading keys created in Oracle vaults to CCKM. You can refresh individual keys or all keys from all Oracle vaults at once.
Refreshing All Keys
To refresh all keys:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle. The Oracle Keys tab is displayed. This tab displays the list of Oracle keys.
- Click Refresh All. The This may take a while... message is displayed.
  Note
  Refreshing all keys is a time-intensive operation that could take several hours or days to complete. It continues running in the background.
- Click Refresh All to continue.
  A Refresh started... message is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Oracle > Oracle Keys page.
Refreshing Individual Keys
To refresh individual keys and their versions:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle. The Oracle Keys page is displayed. This page displays the list of Oracle keys.
- Click the overflow icon corresponding to the desired key.
- Click Refresh. The Refresh Key dialog box is displayed. The key and all its versions will be refreshed.
- Click Refresh to confirm the action.
The key and its versions are refreshed. The refreshed key and its versions are listed on the Cloud Keys > Oracle > Oracle Keys page.
Disabling an Oracle Key
This section is applicable to Oracle BYOK keys.
If required, you can disable an enabled key. A disabled key cannot operate on data. Disabling a key disables all versions of the key.
To disable a key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key.
- Click Disable. The Disable Key dialog box is displayed.
- Click Disable to confirm the action.
The state of the key changes to Disabling, and finally to Disabled.
Enabling an Oracle Key
This section is applicable to Oracle BYOK keys.
If required, you can enable a disabled key. Enabling a key enables all versions of the key.
To enable a key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key.
- Click Enable. The Enable Key dialog box is displayed.
- Click Enable to confirm the action.
The state of the key changes to Enabling, and finally to Enabled.
Moving Keys to Another Compartment
This section is applicable to Oracle BYOK keys.
If needed, you can move a key to another Oracle compartment.
To move a key to another compartment:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key.
- Click Move Resource. The Move Resource dialog box is displayed.
- Select the Compartment from the drop-down list. The drop-down list shows the Oracle compartments linked with the added Oracle vaults.
- Click Save.
The key is moved to the selected compartment.
Adding a Key Version
CCKM provides two methods to add a new version to a key. Refer to Key Creation Methods and Sources for details on key creation methods and key sources.
To add a new key version:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key.
- Click Add Version. The Add Version dialog box is displayed.
- Select the Method. The options are:
  - Create/Upload New Key Material: Refer to Adding Key Version by Creating New Key Material.
  - Clone Existing Key Material: Refer to Adding Key Version by Cloning Existing Key Material.
Adding Key Version by Creating New Key Material
- Select Create/Upload New Key Material as the method.
- Select the Source. The options are:
  - CipherTrust (External): Select this option and specify the Key Name for the new key version.
  - CipherTrust (Local): Select this option and specify the Key Name for the new key version.
  - Oracle (Native): Select this option to create a new native Oracle key.
- Click Add Version.
A new version is added to the key. The Version Count increases by one on the Oracle Keys page.
Adding Key Version by Cloning Existing Key Material
- Select Clone Existing Key Material as the method.
- Select the Source. The options are:
  - CipherTrust (External): Select this option and select a source key for the new key version.
  - CipherTrust (Local): Select this option and select a source key for the new key version.
- Click Add Version.
A new version is added to the key. The Version Count increases by one on the Oracle Keys page.
Scheduling Deletion of a Key
This section is applicable to Oracle BYOK keys.
With CCKM, you can schedule the deletion of an Oracle BYOK key. The key is removed from Oracle at the specified time. Oracle enforces a waiting period of 7 to 30 days. After a key is deleted, it cannot be restored and the data encrypted with the key is unrecoverable. Before the waiting period ends, a scheduled key deletion can be cancelled.
Note
An external key (HYOK) resides on the CipherTrust Manager, so it does not require a deletion schedule. The key can be deleted directly from the CipherTrust Manager. Refer to Deleting External Keys.
To schedule the deletion of a key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key.
- Click Schedule Key Deletion. The Schedule Key Deletion dialog box shows the name and ID of the key.
- Select I wish to delete this key.
- Specify the Waiting period (in Days). The default waiting period is 30 days.
- Click Schedule Deletion.
A message stating that the key is scheduled for deletion is displayed. The key state changes to SCHEDULING_DELETION, then to PENDING_DELETION until the waiting period is over. After the waiting period is over, the key state becomes DELETED.
You can cancel the scheduled deletion of a key before the waiting period expires. Refer to Canceling Deletion of a Key for details.
Canceling Deletion of a Key
This section is applicable to Oracle BYOK keys.
Before the waiting period ends, the scheduled deletion of a key with the state PENDING_DELETION can be cancelled.
To cancel the scheduled deletion of a key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key with the state PENDING_DELETION.
- Click Cancel Key Deletion. The Cancel Key Deletion dialog box shows the name and ID of the key.
- Select I wish to cancel key deletion.
- Click Cancel Schedule Deletion.
A message stating that the key deletion is canceled is displayed. The key state changes to CANCELLING_DELETION, then to ENABLED.
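The deletion lifecycle described in Scheduling Deletion of a Key and Canceling Deletion of a Key above, modelled as an added Python example. This is illustration code, not CCKM's or Oracle's own code: the state names, the 7 to 30 day waiting period and the 30-day default are taken from this page, while the record layout, the key names, the placeholder key IDs, the timestamps and the keys_needing_attention audit helper are assumptions constructed for the example. It shows that the waiting period is validated before scheduling, that cancellation is only possible while the key is PENDING_DELETION and the deadline has not passed, and how an operator can list keys whose cancellation window is about to close.

```python
"""Added example: a model of the Oracle BYOK key deletion lifecycle.

Not CCKM or Oracle code. State names, the 7-30 day waiting period and the
30-day default come from the documentation above; the record layout, key
names, placeholder key IDs, timestamps and the audit helper are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Key states exactly as the documentation names them.
ENABLED = "ENABLED"
SCHEDULING_DELETION = "SCHEDULING_DELETION"
PENDING_DELETION = "PENDING_DELETION"
CANCELLING_DELETION = "CANCELLING_DELETION"
DELETED = "DELETED"

MIN_WAITING_DAYS = 7       # Oracle-enforced minimum waiting period
MAX_WAITING_DAYS = 30      # Oracle-enforced maximum waiting period
DEFAULT_WAITING_DAYS = 30  # CCKM default


@dataclass
class OracleKey:
    name: str
    key_id: str  # constructed placeholder, not a real OCID
    state: str = ENABLED
    deletion_time: Optional[datetime] = None
    history: List[str] = field(default_factory=list)  # every state entered

    def move(self, new_state: str) -> None:
        self.history.append(new_state)
        self.state = new_state


def waiting_period_is_valid(days: int) -> bool:
    """Oracle rejects waiting periods outside 7-30 days."""
    return MIN_WAITING_DAYS <= days <= MAX_WAITING_DAYS


def schedule_deletion(key: OracleKey, waiting_days: int = DEFAULT_WAITING_DAYS,
                      now: Optional[datetime] = None) -> datetime:
    """Schedule deletion of an ENABLED key and return the deadline.

    Mirrors the documented flow: the key passes through SCHEDULING_DELETION
    and then sits in PENDING_DELETION until the waiting period ends.
    """
    if key.state != ENABLED:
        raise ValueError(f"{key.name}: only an ENABLED key can be scheduled for deletion")
    if not waiting_period_is_valid(waiting_days):
        raise ValueError(f"waiting period must be {MIN_WAITING_DAYS}-{MAX_WAITING_DAYS} days, got {waiting_days}")
    now = now or datetime.now(timezone.utc)
    key.move(SCHEDULING_DELETION)
    key.deletion_time = now + timedelta(days=waiting_days)
    key.move(PENDING_DELETION)
    return key.deletion_time


def can_cancel(key: OracleKey, now: datetime) -> bool:
    """Cancellation is possible only while PENDING_DELETION and before the deadline."""
    return (key.state == PENDING_DELETION and key.deletion_time is not None
            and now < key.deletion_time)


def cancel_deletion(key: OracleKey, now: Optional[datetime] = None) -> str:
    """Cancel a scheduled deletion; the key returns to ENABLED via CANCELLING_DELETION."""
    now = now or datetime.now(timezone.utc)
    if not can_cancel(key, now):
        raise ValueError(f"{key.name}: deletion cannot be cancelled in state {key.state}")
    key.move(CANCELLING_DELETION)
    key.deletion_time = None
    key.move(ENABLED)
    return key.state


def apply_waiting_period(key: OracleKey, now: datetime) -> str:
    """State CCKM would show after a refresh once the waiting period has passed."""
    if key.state == PENDING_DELETION and key.deletion_time is not None and now >= key.deletion_time:
        key.move(DELETED)
    return key.state


def keys_needing_attention(keys: List[OracleKey], now: datetime, within_days: int = 3) -> List[str]:
    """Names of PENDING_DELETION keys whose waiting period ends within `within_days`:
    the last window in which deletion can still be cancelled before the data
    encrypted with the key becomes unrecoverable."""
    cutoff = now + timedelta(days=within_days)
    return [k.name for k in keys
            if k.state == PENDING_DELETION and k.deletion_time is not None and k.deletion_time <= cutoff]


def demo() -> Dict[str, object]:
    """Walk two constructed keys through the lifecycle and report the outcome."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    payroll = OracleKey("payroll-db-cmk", "ocid1.key.example.placeholder-1")
    schedule_deletion(payroll, waiting_days=7, now=t0)
    cancel_deletion(payroll, now=t0 + timedelta(days=3))          # cancelled in time

    legacy = OracleKey("legacy-backup-cmk", "ocid1.key.example.placeholder-2")
    schedule_deletion(legacy, now=t0)                             # default 30-day wait
    alerts = keys_needing_attention([payroll, legacy], now=t0 + timedelta(days=28))
    apply_waiting_period(legacy, now=t0 + timedelta(days=30))     # waiting period over
    return {
        "payroll_history": payroll.history,
        "payroll_state": payroll.state,
        "alerts": alerts,
        "legacy_state": legacy.state,
        "legacy_cancellable": can_cancel(legacy, t0 + timedelta(days=31)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running the module prints the two histories side by side: the key cancelled on day 3 ends back in ENABLED, while the key left alone is flagged by keys_needing_attention two days before its deadline and is DELETED once the waiting period elapses, after which can_cancel returns False. The audit helper is the part worth adapting: fed with the State and Deletion Date columns from the Oracle Keys page, it gives a last-chance list before an accidental deletion becomes irreversible.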
Removing a Key
When an Oracle key is deleted from Oracle cloud, its status on the CipherTrust Manager becomes DELETED. You can remove such keys with their versions and backup from the CipherTrust Manager.
Note
An external key (HYOK) resides on the CipherTrust Manager, so it does not require a deletion schedule. The key can be deleted directly from the CipherTrust Manager. Refer to Deleting External Keys.
To remove an Oracle key from the CipherTrust Manager:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key with the state DELETED.
- Click Remove Key. The Remove Key dialog box is displayed.
- Click Remove Key to confirm the action.
A message stating that the key is removed successfully is displayed.
Removing a Key Backup
This section is applicable to Oracle BYOK keys.
When the synchronization is initiated, Oracle cloud allows backup of keys that:
- Are stored in Virtual Private Vaults (VPVs)
- Are stored in vaults that have associated bucket credentials
- Have the HSM protection mode
When an Oracle key is deleted from Oracle cloud, its status on the CipherTrust Manager becomes DELETED. You can remove the backup of such keys from the CipherTrust Manager.
To remove the backup of an Oracle key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key with the state DELETED.
- Click Remove Key Backup. The Remove Key Backup dialog box is displayed.
- Click Remove Key Backup to confirm the action.
A message stating that the key backup is removed successfully is displayed.
Restoring a Deleted Key
This section is applicable to Oracle BYOK keys.
Only the keys with backup on the CipherTrust Manager can be restored.
To restore a deleted key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > Oracle.
- Click the overflow icon corresponding to the desired key.
- Click Restore Key. The Restore Key dialog box is displayed.
- Click Restore to confirm the action.
A message stating that the key is restored successfully is displayed.