Announcing Oracle Cloud Infrastructure Vault and Secrets Management

Ryan Cronk and Chris Ries

In the cloud-first world, integrating the vast web of services used to run modern infrastructures poses some unique challenges. Secret tokens, such as passwords and API keys, are essential to the secure operation of our customers' services. These secrets must be used regularly, and at scale, but must also be protected from misuse. As a result, managing encryption and secrets can be incredibly complex, and a single misstep can compromise sensitive data.

Oracle Cloud Infrastructure Vault is our answer to this problem. Available today, in all Commercial regions, Vault lets you store, manage, and audit arbitrary secret types in Oracle Cloud Infrastructure. This new secrets management complements the existing key management in Oracle Cloud Infrastructure Vault, which our customers and cloud tenants use to manage symmetric storage encryption keys at scale.

Introducing Secrets in Oracle Cloud Infrastructure Vault

We're expanding our Vault service beyond symmetric encryption keys backed by Hardware Security Modules (HSMs) to include arbitrary secrets. Secrets can include passwords, API tokens, and more. These secrets are stored in a vault, which is a software container backed by a FIPS 140-2 Level 3 HSM. The Vault service adheres to Oracle Cloud Infrastructure standards of high availability and resiliency to make your most critical data available when you need it.

The following image shows an example of a vault with secrets in it.

Screenshot of a vault details page in the Console, showing three secrets defined.


Auditing is critical. You need to know exactly how your secrets are being used, where, by whom, and when. Everything in Oracle Cloud Infrastructure is an API call, even our backend services. This means that everything run in Oracle Cloud Infrastructure, including all actions against vaults, is audited and logged by our Audit service and made available for reporting. Audit integrates with our Events and Functions services, which can also be used to initiate custom actions based on event triggers.


Another consideration is compliance, which drives controls for deleting secrets, versioning secrets, and using policy-driven secrets. When a user rotates a secret, the secret is versioned, and the new secret is stored alongside the old one. You can then write rules against the versions of secrets. You can write a policy to expire a secret version by a specified date, or to restrict the use of previous versions of secrets.

The following image shows specifying rules when creating a secret.

Screenshot that shows the Create Secret dialog box with the Rules tab highlighted.


Automation is central to scaling secrets management. To that end, Oracle Cloud Infrastructure Vault supports programmatic secrets management and rotation. The service is available via the Console, API, and the CLI, which means that you can manage secrets with anything from a mouse click to a Terraform script. Any secret data can be stored in Vault and programmatically managed by using the API. You can also manage your on-premises secrets with the service, and integrate your existing secrets management infrastructure.

For more information about secrets functionality, see the A-Team blog post.

And No Cost

Effective secrets management is a critical component of modern cloud infrastructure. The complexity and the stakes are high. We want all Oracle Cloud Infrastructure customers to use this automated and scalable capability for secrets management, so we're releasing this service for free. All tenancies have access to and can store secrets in Oracle Cloud Infrastructure Vault at no cost.

You can read more about how the service works in the technical documentation. But the best way to learn about it is to give it a try! You can find Oracle Cloud Infrastructure Vault in the Console by accessing Security in the navigation menu.

Screenshot of the main navigation menu in the Console, showing the Security option and the Vault option.

Sign up for a Free Tier account, and take a look for yourself.
