Oracle is excited to announce support for Asymmetric Keys in Oracle Cloud Infrastructure (OCI) Vault. Vault lets you centrally manage and control the keys and secrets that protect your data. Vault is a secure and resilient managed service that lets you focus on your data encryption needs without worrying about time-consuming administrative tasks such as hardware provisioning, software patching, and high availability.
Until now, Vault supported only symmetric keys; now you can also create, manage, and use public and private key pairs to protect your data in Oracle Cloud Infrastructure (OCI). As with symmetric keys, an asymmetric key can be generated as a Master Encryption Key (MEK) protected by hardware security modules (HSMs) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 certification. In HSM protection mode, the private portion of the MEK never exists outside the HSM in unencrypted form. The public portion, however, can be downloaded and used outside the Vault service.
Asymmetric keys get almost the same experience and capabilities as our existing offerings, including support for software-protected keys, Bring Your Own Key (BYOK), key rotation, cross-region backup and restore, and so on. As with any other feature, operations on asymmetric keys are logged in the OCI Audit log to help you meet your regulatory and compliance needs. Asymmetric keys are available in all OCI commercial and government regions.
What is Asymmetric Cryptography?
Asymmetric cryptography, also known as public-key cryptography, uses two separate but mathematically linked cryptographic keys to encrypt and decrypt messages and protect them from unauthorized access or use. These keys are known as the public key and the private key (or the public/private key pair). For example, when the public key is used for encryption, the private key is used for decryption. As the name implies, the private key is intended to stay private so that only the authorized recipient, the holder of that key, can decrypt the message.
With asymmetric keys, Oracle supports both asymmetric encryption and digital signing (used to verify the authenticity of data). Asymmetric encryption is supported with RSA keys, while digital signing is supported with RSA and Elliptic Curve (ECDSA) keys. For digital signatures, we have introduced two new operations: signing and verification. A signing operation uses the private portion of the MEK to produce a digital signature over raw data, while a verification operation uses the public portion of the MEK to validate that signature. Vault supports the following asymmetric key types: RSA 2048, RSA 3072, RSA 4096, ECDSA NIST P-256, ECDSA NIST P-384 and ECDSA NIST P-521.
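The two operations just described, as an added example in Go that is not code from the original post or from the OCI SDK: a private key signs, the matching public key verifies, and a message with a single flipped bit is rejected. It covers the three ECDSA key types the post lists; the pairing of each curve with a hash of matching length is this example's choice, not a Vault rule, and the key is generated in memory here where Vault would keep it in the HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
)

// curveForKeyType maps the post's ECDSA key type names to a curve and a hash
// whose output length matches the curve's security level (P-256/SHA-256,
// P-384/SHA-384, P-521/SHA-512). The pairing is an assumption of this example.
func curveForKeyType(keyType string) (elliptic.Curve, func([]byte) []byte, error) {
	switch keyType {
	case "ECDSA NIST P-256":
		return elliptic.P256(), func(m []byte) []byte { h := sha256.Sum256(m); return h[:] }, nil
	case "ECDSA NIST P-384":
		return elliptic.P384(), func(m []byte) []byte { h := sha512.Sum384(m); return h[:] }, nil
	case "ECDSA NIST P-521":
		return elliptic.P521(), func(m []byte) []byte { h := sha512.Sum512(m); return h[:] }, nil
	}
	return nil, nil, fmt.Errorf("key type %q is not an ECDSA type", keyType)
}

// Sign models the signing operation: only the private portion is needed.
func Sign(priv *ecdsa.PrivateKey, hash func([]byte) []byte, msg []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, hash(msg))
}

// Verify models the verification operation: only the public portion is needed,
// so it can run anywhere the public key has been distributed.
func Verify(pub *ecdsa.PublicKey, hash func([]byte) []byte, msg, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, hash(msg), sig)
}

// SignVerifyRoundTrip generates a key of the given type, signs a message, then
// reports whether the genuine message verifies and whether a copy with one bit
// flipped is (wrongly) accepted.
func SignVerifyRoundTrip(keyType string, msg []byte) (genuineOK, tamperedAccepted bool, err error) {
	curve, hash, err := curveForKeyType(keyType)
	if err != nil {
		return false, false, err
	}
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig, err := Sign(priv, hash, msg)
	if err != nil {
		return false, false, err
	}
	genuineOK = Verify(&priv.PublicKey, hash, msg, sig)
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 0x01 // constructed tampering: flip one bit of the message
	tamperedAccepted = Verify(&priv.PublicKey, hash, tampered, sig)
	return genuineOK, tamperedAccepted, nil
}

func main() {
	for _, kt := range []string{"ECDSA NIST P-256", "ECDSA NIST P-384", "ECDSA NIST P-521"} {
		ok, bad, err := SignVerifyRoundTrip(kt, []byte("constructed sample message"))
		fmt.Printf("%s: genuine verifies=%v, tampered accepted=%v, err=%v\n", kt, ok, bad, err)
	}
}
```

The verifier never touches the private key, which is the property that lets signature checks run on systems that hold only the downloaded public portion.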
The following table summarizes the use cases supported for both symmetric and asymmetric keys.
Management of Keys
Asymmetric keys are available via the Console, API, and CLI, so you can manage them with a few clicks or a Terraform script. The following are some details on managing asymmetric keys through the Oracle Cloud Infrastructure (OCI) Console.
You create an asymmetric key as part of the Create Key operation by selecting either the RSA or ECDSA algorithm and the corresponding key length or curve. If you want to bring your own asymmetric key material, first wrap the private portion of your key with Vault's wrapping key, then import it as part of the Create Key operation. You do not need to import the public portion; the Vault service derives it from the imported key material. You can also distinguish and filter your MEKs by the newly added Algorithm field on the Vault details page.
The image below shows an example of the Create Key and Vault details pages.
You have a choice in how to use the public portion of an asymmetric MEK. You can call the Vault APIs directly. Or, if your use case requires data encryption or signature verification outside the Vault service, you can download the public key from the Key details page by accessing the Key Version resources.
The image below shows how to view and download the public keys.
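The wrapping step of the bring-your-own-key flow above, as an added Go example that is neither the post's nor Oracle's code. It assumes the hybrid format used for importing private keys: a temporary AES-256 key wrapped with RSA-OAEP (SHA-256) under the Vault wrapping public key, followed by the PKCS#8-encoded private key wrapped with that AES key using AES Key Wrap with Padding (RFC 5649); confirm the exact scheme and the wrapping-key download against the import documentation before relying on it. The wrapping key here is generated locally as a stand-in, and `aesKeyUnwrapPad` exists only so the block can check its own output.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// aesKeyWrapPad wraps plaintext (more than 8 bytes) per RFC 5649: zero-pad to
// 8-byte blocks, set A = AIV||length, then run the six RFC 3394 rounds.
func aesKeyWrapPad(kek, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(plaintext) <= 8 {
		return nil, errors.New("helper handles inputs longer than 8 bytes only")
	}
	n := (len(plaintext) + 7) / 8
	a := uint64(0xA65959A6)<<32 | uint64(len(plaintext)) // RFC 5649 AIV || MLI
	r := make([]byte, n*8)
	copy(r, plaintext)
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			binary.BigEndian.PutUint64(buf[:8], a)
			copy(buf[8:], r[i*8:i*8+8])
			block.Encrypt(buf, buf)
			a = binary.BigEndian.Uint64(buf[:8]) ^ uint64(n*j+i+1)
			copy(r[i*8:i*8+8], buf[8:])
		}
	}
	out := make([]byte, 8+n*8)
	binary.BigEndian.PutUint64(out, a)
	copy(out[8:], r)
	return out, nil
}

// aesKeyUnwrapPad inverts aesKeyWrapPad and checks AIV, length and padding.
func aesKeyUnwrapPad(kek, wrapped []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("bad wrapped length")
	}
	n := len(wrapped)/8 - 1
	a := binary.BigEndian.Uint64(wrapped[:8])
	r := append([]byte{}, wrapped[8:]...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			binary.BigEndian.PutUint64(buf[:8], a^uint64(n*j+i+1))
			copy(buf[8:], r[i*8:i*8+8])
			block.Decrypt(buf, buf)
			a = binary.BigEndian.Uint64(buf[:8])
			copy(r[i*8:i*8+8], buf[8:])
		}
	}
	mli := int(uint32(a))
	if uint32(a>>32) != 0xA65959A6 || mli <= 8*(n-1) || mli > 8*n {
		return nil, errors.New("integrity check failed")
	}
	for _, b := range r[mli:] {
		if b != 0 {
			return nil, errors.New("non-zero padding")
		}
	}
	return r[:mli], nil
}

// WrapPrivateKeyForImport builds the two-part blob assumed in the lead-in: the
// temporary AES-256 key wrapped with RSA-OAEP/SHA-256 under the wrapping public
// key, then the PKCS#8 private key wrapped with that AES key (RFC 5649).
func WrapPrivateKeyForImport(wrappingPub *rsa.PublicKey, priv *rsa.PrivateKey) (wrappedTmp, wrappedKey []byte, err error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	tmp := make([]byte, 32)
	if _, err = rand.Read(tmp); err != nil {
		return nil, nil, err
	}
	if wrappedTmp, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, wrappingPub, tmp, nil); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = aesKeyWrapPad(tmp, der)
	return wrappedTmp, wrappedKey, err
}

func main() {
	wrapping, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the Vault wrapping key
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)    // the key material to import
	wt, wk, err := WrapPrivateKeyForImport(&wrapping.PublicKey, priv)
	fmt.Printf("wrapped temp key %d bytes, wrapped private key %d bytes, err=%v\n", len(wt), len(wk), err)
}
```

The hybrid construction is needed because RSA-OAEP under a 2048-bit wrapping key can carry at most 190 bytes, far less than a PKCS#8 RSA private key; only the 32-byte temporary key goes through RSA, and the key material itself goes through AES key wrap, whose AIV and length check give the import side an integrity check on the unwrapped bytes.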
Usage of Keys
You can use the existing encrypt and decrypt cryptographic operations with RSA keys to perform asymmetric encryption. We support encryption with the Optimal Asymmetric Encryption Padding (OAEP) scheme, which is part of the PKCS #1 v2.2 standard. Encryption uses the public portion of the RSA key pair, while decryption uses the private key.
The commands below are used to encrypt and decrypt data.
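The RSA-OAEP encrypt/decrypt pair described above, as an added Go example that is not code from the original post or from the OCI CLI. It also exercises the limit a practitioner runs into first: OAEP can only carry k - 2*hLen - 2 bytes (190 bytes for RSA 2048 with SHA-256), so anything larger must be rejected. The key is generated in memory here; with Vault the decrypt half would run inside the service.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// MaxOAEPPlaintext is the largest message RSA-OAEP can carry under a key of
// keyBits with a hash of hashLen bytes: k - 2*hLen - 2 (PKCS #1 v2.2, 7.1.1).
func MaxOAEPPlaintext(keyBits, hashLen int) int {
	return keyBits/8 - 2*hashLen - 2
}

// Encrypt uses the public portion only, as the Vault encrypt operation does
// for an RSA key. OAEP is randomized, so equal inputs give different outputs.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt needs the private portion, which in Vault's HSM mode never leaves
// the HSM; here it is an in-memory key generated for the example.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

// RoundTripReport records what the size-boundary check observed.
type RoundTripReport struct {
	Limit             int  // largest plaintext for this key and hash
	AtLimitOK         bool // a payload at the limit round-trips
	CiphertextLen     int  // always the modulus size in bytes
	OverLimitRejected bool // one byte more is refused by Encrypt
	Randomized        bool // two encryptions of the same input differ
}

// RoundTrip generates a key and exercises the size boundary with a constructed
// payload exactly at the limit and one byte over it.
func RoundTrip(keyBits int) (RoundTripReport, error) {
	var rep RoundTripReport
	priv, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return rep, err
	}
	rep.Limit = MaxOAEPPlaintext(keyBits, sha256.Size)
	msg := make([]byte, rep.Limit) // constructed payload at the exact limit
	for i := range msg {
		msg[i] = byte(i)
	}
	ct1, err := Encrypt(&priv.PublicKey, msg)
	if err != nil {
		return rep, err
	}
	ct2, err := Encrypt(&priv.PublicKey, msg)
	if err != nil {
		return rep, err
	}
	pt, err := Decrypt(priv, ct1)
	if err != nil {
		return rep, err
	}
	rep.CiphertextLen = len(ct1)
	rep.AtLimitOK = bytes.Equal(pt, msg)
	rep.Randomized = !bytes.Equal(ct1, ct2)
	_, err = Encrypt(&priv.PublicKey, append(msg, 0)) // one byte over the limit
	rep.OverLimitRejected = err != nil
	return rep, nil
}

func main() {
	rep, err := RoundTrip(2048)
	fmt.Printf("%+v err=%v\n", rep, err)
}
```

Because of that limit, RSA keys are normally used to protect a symmetric data key rather than the data itself; bulk data is encrypted with the symmetric key and only that key is wrapped with RSA-OAEP.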
For digital signing, customers can use RSA and ECDSA keys to sign a message with the private key, producing a signature. This signature can later be verified with the public key of the same key pair against the original message to establish the authenticity of the sender. Vault supports two signature schemes for RSA keys – PKCS1 and PSS – and one signature scheme for ECDSA keys – DSA – each with a choice of hashing algorithms.
The commands below are used to sign and verify the message.
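The two RSA signature schemes above, and the earlier point that a downloaded public key lets you verify outside the Vault service, as one added Go example that is not code from the original post or from Oracle. It signs with PKCS1 or PSS under a chosen hash and verifies using nothing but a SubjectPublicKeyInfo PEM, which is the form this example assumes for a downloaded public key. The PSS salt length equal to the hash length is an assumption of the example, and a verifier must use the same scheme the signer used; a PSS signature does not verify as PKCS1.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers crypto.SHA256
	_ "crypto/sha512" // registers crypto.SHA384 and crypto.SHA512
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Scheme names the two RSA signature schemes the post lists; the hash is a parameter.
type Scheme string

const (
	PKCS1 Scheme = "PKCS1"
	PSS   Scheme = "PSS"
)

// digest hashes the raw message so the key only ever signs a fixed-size value.
func digest(h crypto.Hash, msg []byte) []byte {
	d := h.New()
	d.Write(msg)
	return d.Sum(nil)
}

// Sign models the signing operation: it needs the private portion of the pair.
// PSS uses a salt as long as the hash, a common choice assumed for this example.
func Sign(priv *rsa.PrivateKey, scheme Scheme, h crypto.Hash, msg []byte) ([]byte, error) {
	switch scheme {
	case PKCS1:
		return rsa.SignPKCS1v15(rand.Reader, priv, h, digest(h, msg))
	case PSS:
		return rsa.SignPSS(rand.Reader, priv, h, digest(h, msg), &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	}
	return nil, fmt.Errorf("unknown scheme %q", scheme)
}

// ExportPublicKeyPEM encodes the public portion as a SubjectPublicKeyInfo PEM,
// the form assumed here for a public key downloaded from the Key details page.
func ExportPublicKeyPEM(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// VerifyWithPEM runs verification outside the key service using nothing but the
// PEM, the message, the signature, and the scheme and hash the signer used.
// A nil error means the signature is valid for this message and key.
func VerifyWithPEM(pubPEM []byte, scheme Scheme, h crypto.Hash, msg, sig []byte) error {
	blk, _ := pem.Decode(pubPEM)
	if blk == nil || blk.Type != "PUBLIC KEY" {
		return errors.New("no PUBLIC KEY block in PEM")
	}
	parsed, err := x509.ParsePKIXPublicKey(blk.Bytes)
	if err != nil {
		return err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return errors.New("PEM does not hold an RSA public key")
	}
	switch scheme {
	case PKCS1:
		return rsa.VerifyPKCS1v15(pub, h, digest(h, msg), sig)
	case PSS: // nil options let the verifier detect the salt length
		return rsa.VerifyPSS(pub, h, digest(h, msg), sig, nil)
	}
	return fmt.Errorf("unknown scheme %q", scheme)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	pemPub, _ := ExportPublicKeyPEM(&priv.PublicKey)
	msg := []byte("constructed sample message")
	for _, s := range []Scheme{PKCS1, PSS} {
		sig, _ := Sign(priv, s, crypto.SHA256, msg)
		fmt.Printf("%s/SHA-256: genuine err=%v, tampered err=%v\n", s,
			VerifyWithPEM(pemPub, s, crypto.SHA256, msg, sig),
			VerifyWithPEM(pemPub, s, crypto.SHA256, []byte("tampered"), sig))
	}
}
```

Record the scheme and hash alongside each signature you distribute; a relying party that guesses them wrong will reject a genuine signature, and one that accepts several schemes on the same key should treat a scheme mismatch as a verification failure, as this example does.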
Your usage limits for asymmetric keys are determined by the type of vault you create. The soft limit remains 1000 keys for a Virtual Private Vault and 100 keys for the default vault type. Because an asymmetric key consumes twice the storage of a symmetric key, a Virtual Private Vault can hold at most 500 MEKs (or key versions) if all of them are asymmetric.
You can monitor your usage limits for HSM-protected and software-protected asymmetric keys in the Oracle Cloud Infrastructure (OCI) Console, as shown in the image below.
For more details, please refer to our documentation.
Oracle Cloud Infrastructure aims to deliver competitive solutions at low cost. Although asymmetric keys require additional cryptographic storage and processing, they are priced the same as symmetric keys in Oracle Vault. HSM-protected asymmetric keys are charged based on the type of vault created, while software-protected asymmetric keys are provided at no cost. You can learn more here.
In summary, you can now use OCI Vault with asymmetric keys for your public-key encryption and digital signature use cases. Your experience managing keys with Vault remains almost the same with the introduction of asymmetric keys. You can read more about how the feature works in the technical documentation, but the best way to learn about it is to try it. You can access the Asymmetric Keys feature in the OCI Console through the Security -> Vault tab in the OCI navigation menu.