Oracle Cloud Infrastructure (OCI) Vault is a fully managed key and secret management service that lets organizations control keys and secrets that protect their data. Vault is currently a region-specific service where keys and secrets are stored only in the OCI region where it is created. These keys and secrets are resilient to failures within the region and are backed by an availability Service Level Agreement (SLA) from Oracle.
We are excited to announce the general availability of the Cross Region Replication (CRR) feature for keys in OCI Vault service. Organizations now have the flexibility to replicate their keys to any OCI geographic region within a realm. CRR is a differentiating feature as the customer control the keys and the destination region for replication, unlike our competitors’ replication offerings.
In this release, CRR only supports Virtual Private Vault (single-tenant hardware security module) and only between any two regions - a Source and Destination region. Once CRR is enabled in the Source region, keys are automatically and asynchronously replicated to the Destination region. While both management and cryptographic operations can be conducted on keys in the Source region, only cryptographic operations are supported for replicated keys in the Destination region.
As with all other OCI features, OCI Vault CRR operations will be logged in OCI Audit log to enable customers to meet their compliance goals. CRR is available in all commercial and government OCI realms.
There are two main use cases for OCI Vault Cross Regional Replication:
- Compliance: In any OCI region, OCI Vault is architected to protect keys providing 99.9% availability SLA, but compliance goals may require keys to be replicated to geographically distributed regions.
- Application latency: An application may be deployed and used across multiple geographies that require access to keys close to the data it protects for better latency and user experience.
Replication of Keys
CRR is available via the Console, API, and the CLI so that the organization can manage them with just a few clicks or a Terraform script. Following are some details on how to manage CRR using the OCI Console.
As the default Virtual Private Vault limit per tenancy is zero, a request for an increase in limits on both the Source and Destination regions is required before using the cross-region replication feature. In addition, a policy must be created that allows the Vault service to carry out replication (copy of Vault and Keys) on the organization’s behalf in the destination region.
For example, the following policy gives permission to the service in all regions realm-wide:
To restrict permissions to specific compartments, specify the compartment instead.
Replication can be set-up only after the successful creation of a Virtual Private Vault in the Source region. In the Vault details page, click on “Replicate Vault” action and specify the Destination region where the replica should be created. The Destination region cannot be the same as the Source region. In addition, replication can be enabled only at Vault level which replicates both the Vault metadata and all its keys. Replication can be enabled on newly created, as well as already existing, Virtual Private Vaults.
The image below shows an example of enabling replication for Virtual Private Vault and its Keys.
Once the replication is initiated from a Vault, that Vault takes the replication role of “Source” and the status of Destination Vault can be viewed by clicking “View Replica Details”. Once inside the View Replica Details page, the “Replication State” reflects whether the Vault is successfully created on the Destination region, which is pre-requisite for keys to automatically replicate. Regarding keys, the Replication Status of keys can be viewed within each key details page by clicking on View Replica Details. The time taken to replicate keys from Source to Destination region is almost on par to the time it takes to create a key in the Source region.
The image below shows an example of viewing Replication status for Vault.
The image below shows an example of viewing Replication status for Keys.
The Vault and Keys in the Destination region will resemble exactly that of the Source region – including name and OCIDs. It’s intentionally created the same so that both the Source and Destination keys can be accessed seamlessly without any modification to the applications.
The below image shows an example of Vault details page in the Source region.
The image below shows an example of Vault details page in the Destination region.
The replication can be deleted only from the Source region by clicking on “Delete Replica” action within the “View Replica Details”. It will stop the replication as well as remove the Virtual Private Vault and its Keys on the Destination region. The replication can be re-enabled whenever needed as the keys are still intact in the Source region.
There is no additional charge to enable cross region replication. As always, there is a charge for the Virtual Private Vault in any region (source and destination) as per the pricing here.
In summary, OCI Vault can replicate keys between any two geographically distributed regions in an OCI realm. The experience and management of keys in Source region remain the same but only cryptographic operations are supported on the keys in Destination region. Read more about how the feature works in the technical documentation. But the best way to learn about it is to give it a try! Access the Asymmetric Keys feature in the OCI Console through Security->Vault tab in the OCI navigation menu.
This Video tutorial provides all the details you need to start using Cross Region Replication in OCI Vault service.