Oracle Cloud Infrastructure (OCI) has launched Cross-region Replication for Secrets, now generally available. This new feature enables customers to replicate secrets across up to three regions, supporting disaster recovery, high availability, and multi-region deployments.

By extending OCI Vault with seamless secret replication, this feature strengthens cloud resilience and simplifies operations.

Why it matters

Secrets in Vault are region-bound by default. Customers previously had to build custom solutions to keep copies available in other regions, increasing risk and complexity. With cross-region replication, secrets can now be replicated automatically using the Console, API, CLI, SDK, or Terraform, helping to improve availability and performance close to where applications run.

Example:

  • The diagram below shows that a secret can be replicated to 3 sites
  • The replicated secrets are read-only
  • They can use a different vault from the source region
  • The key for each region is different

Diagram shows that a secret from a source region can be replicated in read-only mode in up to three regions.

What’s included

Customers can now:

  • Replicate secrets in up to three regions
  • Maintain a consistent OCID and metadata across replicas
  • Assign unique vaults and keys per region

Secrets remain read-only in replica regions.

Use Cases

Cross-region replication supports:

  • Disaster recovery for critical credentials
  • Low-latency access in multi-region apps
  • Secure automation across dev, test, and prod
  • Simplified migration from legacy secret sync tools

Permissions Required to Configure Replication

To create a secret with replication enabled, ensure you or the resource principal has all the following permissions:

  • SECRET_CREATE, KEY_ENCRYPT, KEY_DECRYPT, VAULT_CREATE_SECRET (for using the CreateSecret API or creating secrets in the Console or other interfaces)
  • SECRET_REPLICATE_CONFIGURE

To update (or remove) a replication configuration, ensure you or the resource principal has all the following permissions:

  • SECRET_UPDATE (for using the UpdateSecret API or updating secrets in the Console or other interfaces)
  • SECRET_REPLICATE_CONFIGURE

Please review the documentation for the sample policy.

Getting started in the Console

You can enable replication when you create a secret or by editing an existing secret.

Replicating a secret at the time of creation is achieved by following these steps:

  1. Navigate to Secrets by following Security -> Vault -> Select a vault -> Secrets
  2. Select an action to create a secret
  3. Enable replication and select up to three regions.
  4. Choose target vaults and keys for each region.
  5. Finalize other fields and create a secret.

To update the replication properties of an existing secret:

  1. In your vault, go to Secrets and choose the secret you want to replicate.
  2. In the secret’s details page, find the Replication section and click Enable Replication.
  3. Choose up to 3 destination regions and select the vault keys for each replica.
  4. Confirm.

The secret syncs automatically, and the work requests that track replication status are viewable in the Console.

Automation support

Cross-region replication is fully supported via:

  • SDK and CLI options to define replicas and keys
  • Terraform
  • API

Documentation and examples are available to accelerate onboarding.

Availability and pricing

Cross-region Replication is now available in all commercial OCI regions. Secrets in Vault is a free service, with no added cost for storage, API calls, or replication.

Summary

Cross-region Replication for Secrets helps customers meet high availability and disaster recovery goals with less complexity. It’s a scalable, no-cost solution for resilient secret management in global OCI environments.

To get started, visit the Console or explore the documentation.