Import and Export Keys

In this article, we delve into the intricate process of importing and exporting keys within the OCI Vault.

Understanding Cryptographic and Management Endpoints

Before getting into key import and export, it is important to understand the two endpoints OCI Vault exposes. As a public, regional service, OCI Vault provides two public endpoints: the cryptographic endpoint and the management endpoint, also known as the data plane URL and the control plane URL, respectively.

The cryptographic endpoint serves as a unique service endpoint tailored for cryptographic operations such as encryption, decryption, and key generation. On the other hand, the management endpoint facilitates management operations, including key creation, updates, listing, and deletion.

These endpoints are integral when executing commands through the Command Line Interface (CLI), ensuring seamless cryptographic and management operations within OCI Vault.

Leveraging Cryptographic Operations

The cryptographic endpoint serves as the conduit for executing cryptographic operations utilizing keys stored within OCI Vault. These operations encompass encrypting plaintext data, decrypting ciphertext, generating data encryption keys, and signing and verifying data.

For instance, with the OCI CLI an encryption operation is run by supplying the plaintext data, the key ID, and the cryptographic endpoint; the service returns the resulting ciphertext.

Embracing Key Importation

OCI Vault empowers users to import their own keys, whether AES symmetric keys or RSA asymmetric keys, into the vault service. Once imported, these keys function akin to those generated by OCI Vault itself, facilitating cryptographic operations such as encryption and decryption.

Imported key material must be wrapped (encrypted) with the public wrapping key that OCI Vault provides for the vault. Because only the vault can unwrap it, the key material is protected in transit and at rest inside the vault.

Streamlining Key Exportation

Similarly, OCI Vault facilitates the exportation of keys, enabling users to export software-protected master encryption keys or key versions for cryptographic operations in client applications. However, it’s imperative to note that only software-protected keys can be exported, as hardware security module (HSM)-protected keys remain confined within the HSM for enhanced security.

Exporting a key requires you to generate an RSA key pair: the vault wraps the exported key material with your public key, and you unwrap it with the matching private key. This is more involved than import, but it means the key material leaves the vault only in wrapped form.

Practical Demonstration

To illustrate the process of importing keys into OCI Vault, let’s walk through the OCI Console. Open the Vault service and choose the option to import an external key; the console presents the vault's public wrapping key, which you use to wrap your key material before uploading it.

In conclusion, OCI Vault offers a robust framework for importing and exporting keys, empowering users to tailor cryptographic operations to their specific needs while upholding stringent security standards.
