When it comes to data security, control over your encryption keys is paramount. Oracle Cloud Infrastructure (OCI) Dedicated Key Management Service (KMS) gives you ownership of your cryptographic keys and the hardware security module (HSM) partitions that store them within OCI.
Dedicated KMS is a fully managed, highly available, and single-tenant HSM partition.
This service provides you with exclusive access to and control over dedicated partitions within a physical, tamper resistant HSM device, helping ensure the isolation and protection of your encryption keys. You cryptographically claim your dedicated HSM partitions to gain full control over key generation, storage, and usage. These partitions are FIPS 140-2 Level 3 certified, offering greater level of security for key management.
You use industry-standard interfaces like PKCS#11 to perform cryptographic operations, which are end-to-end encrypted from your applications to the HSM without the need for OCI APIs or modules. By default, Dedicated KMS provides three HSM partitions in each OCI region, which are synchronized automatically and highly available with 99.9% service level agreements (SLAs). You can easily add or remove HSM partitions in increments of three to meet your evolving security needs.
For clarity, we have defined the following relevant terms:
Dedicated KMS provides the following benefits:
To enable your applications to interact with keys within the Dedicated KMS offering, the applications must use standard interfaces, such as PKCS#11. For example, you can run PKI applications on OCI Compute instances and create Certificate Authority private keys within the HSM for signing and verifying identities in the digital world.
Dedicated KMS is not natively integrated to OCI services. So, OCI services related to database, storage, and Fusion Applications must continue to use the OCI Vault offering from KMS.
Though both offer single tenant HSM partitions, the key difference between Private Vault and Dedicated KMS is the level of control you have over the HSM partitions.
Private Vault offers the following features:
Dedicated KMS offers the following features:
To unlock Dedicated KMS in OCI, begin by requesting a limit increase for its HSM cluster resource because it’s initially set to zero. This service features a hierarchical structure with the HSM cluster acting as the parent resource, housing three HSM partitions within. If you need more partitions, create more clusters because you can’t expand partitions within a cluster. Ensure that you have appropriate Identity and Access Management (IAM) policies set to create HSM Cluster.
In the Oracle Cloud Console, initiate the process to create HSM cluster by navigating to Key Management and Secret Management and selecting Dedicated key management. Be prepared to assist during the multistep cluster activation process, which involves user intervention at the following states:
Now, all your HSM partitions are in the Active state with you having full control to manage and use them for your crypto operations. For details about using Dedicated KMS for your applications, refer to the documentation.
OCI Dedicated KMS is priced at a rate of $1.75 USD per HSM partition per hour. With a minimum of three HSM partitions, the starting cost is $5.25 USD per hour.
You must explicitly request a limit for creating HSM partitions. These limits are regional, and you can request limit changes based on your business needs. By default, you get three HSM partitions and you can create a maximum of 3,000 key versions in these partitions.
OCI KMS offers a variety of encryption offerings to meet the needs of a wide range of customers. You can choose the right offering based on your organization’s specific security and compliance requirements. Dedicated KMS provides you with a single tenant HSM partition as a managed service letting you control both the keys and the HSM partitions that stores your keys. Read more about how the feature works in the technical documentation. But the best way to learn about it is to give it a try! Visit our website to learn more about Oracle Cloud Infrastructure Security products and sign up for a Free Tier account and to take a closer look.
For more information, see the following resources:
I am the Product Manager for OCI Key Management service and OCI Secret Management service.