OCI Dedicated KMS: Owning your keys and HSM partitions in the cloud

When it comes to data security, control over your encryption keys is paramount. Oracle Cloud Infrastructure (OCI) Dedicated Key Management Service (KMS) gives you ownership of your cryptographic keys and the hardware security module (HSM) partitions that store them within OCI. 

What is OCI Dedicated KMS?

Dedicated KMS is a fully managed, highly available, and single-tenant HSM partition.

This service provides you with exclusive access to and control over dedicated partitions within a physical, tamper resistant HSM device, helping ensure the isolation and protection of your encryption keys. You cryptographically claim your dedicated HSM partitions to gain full control over key generation, storage, and usage. These partitions are FIPS 140-2 Level 3 certified, offering greater level of security for key management.

You use industry-standard interfaces like PKCS#11 to perform cryptographic operations, which are end-to-end encrypted from your applications to the HSM without the need for OCI APIs or modules. By default, Dedicated KMS provides three HSM partitions in each OCI region, which are synchronized automatically and highly available with 99.9% service level agreements (SLAs). You can easily add or remove HSM partitions in increments of three to meet your evolving security needs.

For clarity, we have defined the following relevant terms:

• Tenancy: Your cloud account within OCI
• OCI Dedicated KMS: The managed service providing dedicated HSM partitions
• HSM cluster: An OCI resource containing three HSM partitions
• HSM partition (Dedicated): A single-tenant secure cryptographic enclave within the HSM, fully isolated for your keys
• Applications: Your services or processes running in OCI compute instances interacting with OCI Dedicated KMS for key management

Key benefits of OCI Dedicated KMS

Dedicated KMS provides the following benefits:

• Enhanced control and visibility:
  • Granular management of HSM partitions: Dedicated KMS empowers you to create, configure, and manage your own HSM partitions.
  • Direct access and auditability: You have unfettered access to the HSM partitions, enabling you to conduct thorough audits and track key usage meticulously.
  • Customizable security policies: Establish granular control over user access, key lifecycles, and cryptographic operations within the HSM environment, helping to ensure you adhere to your unique security policies and best practices.
• Specialized applications and workflows:
  • Direct HSM interaction for low latency: Applications that require high-performance cryptographic operations can directly interface with the HSM through standard interfaces, such as PKCS#11, a widely adopted industry standard for cryptographic operations, facilitating seamless integration and interoperability, minimizing latency and optimizing performance.
  • Public key infrastructure (PKI) deployments: Dedicated KMS offers the flexibility to create and manage custom PKI infrastructures within the HSM, catering to specific organizational needs and security standards.
• Seamless integration with standard interfaces: PKCS#11 for direct application access.

Supported OCI services

To enable your applications to interact with keys within the Dedicated KMS offering, the applications must use standard interfaces, such as PKCS#11. For example, you can run PKI applications on OCI Compute instances and create Certificate Authority private keys within the HSM for signing and verifying identities in the digital world.

Dedicated KMS is not natively integrated to OCI services. So, OCI services related to database, storage, and Fusion Applications must continue to use the OCI Vault offering from KMS.

Dedicated KMS versus Private Vault

Though both offer single tenant HSM partitions, the key difference between Private Vault and Dedicated KMS is the level of control you have over the HSM partitions.

Private Vault offers the following features:

• Oracle manages and administers the HSM partition.
• Your control extends to the keys within these partitions, allowing you to create, manage, and use them securely.
• You interact with HSMs through OCI KMS APIs for cryptographic operations.

Dedicated KMS offers the following features:

• You gain even greater control, managing not only the keys, but also the HSM partitions and admin users directly.
• This heightened control provides deeper visibility into your operations and enables you to tailor the HSM environment to your specific needs.
• Oracle still handles essential maintenance tasks, such as bringing HSMs online and applying patches, ensuring their ongoing operations.
• You employ standard interfaces, such as PKCS#11, to interact with the HSMs directly, bypassing OCI APIs for more streamlined and efficient cryptographic operations.

User experience

To unlock Dedicated KMS in OCI, begin by requesting a limit increase for its HSM cluster resource because it’s initially set to zero. This service features a hierarchical structure with the HSM cluster acting as the parent resource, housing three HSM partitions within. If you need more partitions, create more clusters because you can’t expand partitions within a cluster. Ensure that you have appropriate Identity and Access Management (IAM) policies set to create HSM Cluster.

In the Oracle Cloud Console, initiate the process to create HSM cluster by navigating to Key Management and Secret Management and selecting Dedicated key management. Be prepared to assist during the multistep cluster activation process, which involves user intervention at the following states:

• Initialization required: Claiming the ownership of HSM partitions by downloading the HSM certificate signing requests (CSRs) and uploading the self-signed CSR.
• Activation required: Changing the credentials of the Precrypto Officer (PRECO) in the HSM partitions after installing the client utilities in your OCI Compute instances. PRECO is a temporary and less privileged user that exists on the HSM partitions that has never been activated. This PRECO password must be modified so that you gain full control as the Crypto Officer (CO) of the HSM partitions. 

Now, all your HSM partitions are in the Active state with you having full control to manage and use them for your crypto operations. For details about using Dedicated KMS for your applications, refer to the documentation.

Pricing and limits

OCI Dedicated KMS is priced at a rate of $1.75 USD per HSM partition per hour. With a minimum of three HSM partitions, the starting cost is $5.25 USD per hour.

You must explicitly request a limit for creating HSM partitions. These limits are regional, and you can request limit changes based on your business needs. By default, you get three HSM partitions and you can create a maximum of 3,000 key versions in these partitions.

Next steps

OCI KMS offers a variety of encryption offerings to meet the needs of a wide range of customers. You can choose the right offering based on your organization’s specific security and compliance requirements. Dedicated KMS provides you with a single tenant HSM partition as a managed service letting you control both the keys and the HSM partitions that stores your keys. Read more about how the feature works in the technical documentation. But the best way to learn about it is to give it a try! Visit our website to learn more about Oracle Cloud Infrastructure Security products and sign up for a Free Tier account and to take a closer look.

For more information, see the following resources:

• OCI Key Management
• OCI Key Management portfolio
• OCI Key Management FAQ