Announcing the External Key Management service in Oracle Cloud Infrastructure

October 2, 2023 | 7 minute read
FREDERICK BOSCO
Product Manager

The Oracle Cloud Infrastructure (OCI) Vault service stores and manages the encryption keys used to protect your data in OCI. Today, you can use OCI External Key Management Service (KMS) to encrypt data in OCI with encryption keys that are managed in a third-party key management system hosted outside OCI. Customers who have regulatory needs to store encryption keys on premises or outside OCI can now do so while migrating their applications to OCI. External KMS supports Thales CipherTrust Manager, and support for other third-party key management systems is expected in the future.

External KMS offers the following benefits and more:

  • Data sovereignty, compliance, and regulation: External KMS helps you to maintain control over your encryption keys and where you store them. This feature is beneficial for organizations that must comply with strict data sovereignty requirements, such as the EU General Data Protection Regulation (GDPR).
  • Trust and assurance: External KMS enables you to own the cryptographic module and become the custodians for your encryption keys. This feature benefits organizations that must demonstrate their control over encryption processes to end-customers, partners, and stakeholders.

External KMS workflow

External KMS forwards encryption and decryption requests from OCI applications to the customer’s Thales CipherTrust Manager, which the customer hosts outside of OCI. If Thales CipherTrust Manager is unavailable or disconnected, all requests fail, because External KMS doesn’t import or maintain any copies of customer keys. You can use OCI Audit logs and Thales CipherTrust Manager to audit every encrypt and decrypt request made with the keys.
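The forwarding path and fail-closed behaviour described above, as an added example that is not Oracle or Thales code: a stand-in key manager owns the only copy of the key bytes and can be disconnected, a stand-in forwarding service holds nothing but key references and an audit trail, and a small check over that trail tells a run of failures (link down) apart from a single bad request. The identifiers, the cipher (a toy HMAC-SHA256 counter keystream used so the code runs on the standard library alone) and the audit record shape are all assumptions of this example, not the products' real formats.

```python
"""Model of the External KMS forwarding path (added illustration, not Oracle
or Thales code). The keystream cipher is a toy stand-in so that the example
runs on the standard library; it is not AES-GCM and not what either product
uses. Identifier formats and the audit record are constructed for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class KeyManagerUnavailable(RuntimeError):
    """Raised when the external key manager cannot be reached."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class ExternalKeyManager:
    """Stand-in for the customer-hosted key manager; it owns all key bytes."""

    def __init__(self) -> None:
        self._keys = {}          # external key id -> raw key bytes
        self.connected = True    # flip to False to simulate an outage

    def create_key(self) -> str:
        key_id = "ext-key-" + secrets.token_hex(4)   # constructed id format
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        if not self.connected:
            raise KeyManagerUnavailable("external key manager disconnected")
        nonce = secrets.token_bytes(16)
        return nonce + _xor(plaintext, _keystream(self._keys[key_id], nonce, len(plaintext)))

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        if not self.connected:
            raise KeyManagerUnavailable("external key manager disconnected")
        nonce, ciphertext = blob[:16], blob[16:]
        return _xor(ciphertext, _keystream(self._keys[key_id], nonce, len(ciphertext)))


@dataclass
class AuditEvent:
    operation: str       # "encrypt" or "decrypt"
    key_reference: str
    succeeded: bool


@dataclass
class ForwardingKms:
    """Stand-in for External KMS: references and an audit trail, never key bytes."""
    backend: ExternalKeyManager
    key_refs: dict = field(default_factory=dict)   # key reference -> external key id
    audit: list = field(default_factory=list)

    def create_key_reference(self, external_key_id: str) -> str:
        ref = "keyref-" + secrets.token_hex(4)   # constructed, not a real OCID
        self.key_refs[ref] = external_key_id
        return ref

    def _forward(self, operation: str, ref: str, data: bytes) -> bytes:
        # Every request is forwarded and recorded; nothing is served from a local copy.
        try:
            result = getattr(self.backend, operation)(self.key_refs[ref], data)
        except KeyManagerUnavailable:
            self.audit.append(AuditEvent(operation, ref, False))
            raise
        self.audit.append(AuditEvent(operation, ref, True))
        return result

    def encrypt(self, ref: str, plaintext: bytes) -> bytes:
        return self._forward("encrypt", ref, plaintext)

    def decrypt(self, ref: str, blob: bytes) -> bytes:
        return self._forward("decrypt", ref, blob)


def trailing_failures(audit: list) -> int:
    """Length of the run of failed requests at the end of the trail; a long run
    points at a disconnected key manager rather than at one bad request."""
    run = 0
    for event in reversed(audit):
        if event.succeeded:
            break
        run += 1
    return run


def simulate_outage() -> dict:
    """Round-trip a record, then cut the link and retry three decrypts."""
    backend = ExternalKeyManager()
    kms = ForwardingKms(backend)
    ref = kms.create_key_reference(backend.create_key())
    blob = kms.encrypt(ref, b"customer record")
    restored = kms.decrypt(ref, blob)
    backend.connected = False
    failures = 0
    for _ in range(3):
        try:
            kms.decrypt(ref, blob)
        except KeyManagerUnavailable:
            failures += 1
    return {
        "round_trip_ok": restored == b"customer record",
        "failed_requests": failures,
        "trailing_failures": trailing_failures(kms.audit),
        "kms_holds_key_bytes": any(isinstance(v, bytes) for v in kms.key_refs.values()),
    }
```

Running `simulate_outage()` shows the two properties the text describes: the forwarding side never holds key bytes, so once the backend is disconnected every decrypt fails rather than falling back to a cached key, and the audit trail on the forwarding side records the failed requests, which is the signal to alert on from OCI Audit logs.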

The following diagram shows the workflow of encrypt and decrypt requests:

Figure 1: A graphic depicting the architecture of the External KMS workflow

Supported OCI services

OCI External KMS supports symmetric encryption keys and is compatible with applications that are already integrated with OCI Vault. As a result, you don’t have to modify applications to benefit from External KMS. You can use and associate keys in the same way as you would with OCI Vault and with the same SLA of 99.9%. The following services are integrated with OCI Vault and can benefit from External KMS without any changes:

  • OCI Storage: Object Storage, Block Volume, and File Storage
  • Oracle Container Engine for Kubernetes (OKE)
  • OCI Database: Autonomous Database Dedicated, Autonomous Database Shared, Exadata Cloud Database, Database as a Service

Control versus operational load

External KMS gives you more control over your encryption keys, but it also comes with operational responsibility. You must administer, manage, and maintain the encryption keys and hardware security modules (HSMs) on premises. This ownership model differs from the existing OCI Vault service, where Oracle manages and administers the HSM infrastructure on behalf of customers. We believe that OCI Vault provides the best customer experience for most use cases, and that only a small number of regulated workloads require External KMS.

How to set up and use External KMS

External KMS is available through the Oracle Cloud Console, the API, and the CLI. To get started, create the hierarchy of vaults and master encryption keys. In External KMS these are called key references, because the actual key material isn’t stored in OCI. The hierarchy of vaults, master encryption keys, and data encryption keys remains the same for applications using External KMS, as shown in the following graphic:

Figure 2: A graphic depicting the hierarchy for OCI applications in External KMS

Before you create the vault and master encryption keys, perform the following one-time configuration steps so that External KMS and Thales CipherTrust Manager can connect and communicate securely with each other.

Procure and provision Thales CipherTrust Manager and OCI FastConnect

  1. To install Thales CipherTrust Manager, refer to the instructions for on-premises deployment of virtual CM appliances and on-premises deployment of physical CM servers.
  2. We recommend installing FastConnect with Colocation with Oracle. Otherwise, see FastConnect with a Third-Party Provider.
    You can also use a site-to-site VPN connection to connect your on-premises network to OCI, but we don’t recommend it because of potential reliability issues. For instructions on how to set up site-to-site connections, see the blog post VPN Connect - Simple Implementation - Part 1/2.

Establish secure connectivity between OCI and Thales resources

To access Thales CipherTrust Manager, OCI customers must be authenticated and authorized. As an administrator, you control user access and permissions. The OCI External KMS service uses the OAuth 2.0 protocol for authorization. To complete the process, you must perform the following tasks:

  • Set up OAuth 2.0 in IDCS/Identity Domains for authentication and authorization
  • Set up Confidential Resource Application to represent Thales CipherTrust Manager
  • Associate Confidential Client Application with Confidential Resource Application
  • Register the identity provider with JSON Web Token (JWT) Issuer
  • Configure Identity and Access Management IAM policies

See details for these steps in OCI External KMS Documentation.

Create an external vault and external key in Thales

On Thales CipherTrust Manager, create the external vault and external key resources. The naming for these resources was intentionally chosen to resemble the resources in OCI for easy manageability. When these operations succeed, they return an external vault endpoint URI and an external key ID. The external key ID represents the actual key material. You use this URI and ID when you create the vault and key references in OCI External KMS.

Figure 3: A screenshot of the Add External Vault window in Thales CipherTrust Manager with the options selected and fields filled in.

Create private endpoints in OCI

In the Oracle Cloud Console, under Key Management and Secret Management, create a private endpoint resource to access External KMS.

Figure 4: A screenshot of the Create Private Endpoint window in the Console with the fields filled in.

Creating a vault and key reference in OCI

After all the prerequisite configuration steps are complete, you can create the vault and key reference under the External Key Management page in the Console.

Figure 5: A screenshot of the Create Vault window in the Console.
Figure 6: A screenshot of the Create Key Reference window in the Console.

Using keys

OCI External KMS is compatible with existing OCI applications that use OCI Vault. The user interface for associating a vault and master encryption key with OCI applications doesn’t change. For example, the experience of using keys created in External KMS with a database is the same as before.

Figure 7: A screenshot of the Create Autonomous Database screen showing the Encryption key tab.

Rotating key references

To rotate the master encryption key or key reference, first rotate the key in Thales CipherTrust Manager. Select Add Version to add a new external key version in Thales.

Figure 8: A screenshot of the available Oracle keys in Thales CipherTrust Manager, with the Add Key Version menu expanded.

In OCI, select Rotate Key Reference and enter the external key version ID from the previous step. If you leave this field empty, External KMS automatically uses the most recent key version in Thales.

Figure 9: A screenshot of the Rotate Key Reference window in the Oracle Cloud Console.

Pricing

OCI External KMS costs $3 per key version per month with no extra cost for the use of these key versions. You have a soft limit of 10 vaults and 100 key versions per vault.

To learn about CipherTrust Manager pricing and limits, contact Thales.

Next steps

OCI External KMS enables you to store your encryption keys outside OCI and use these keys to encrypt data in OCI services or applications. You control the keys and where they’re stored, which enables you to migrate data to OCI while helping address data sovereignty and regulatory needs.

You can read more in the technical documentation, but the best way to learn is to give it a try! Access the External KMS in the Oracle Cloud Console under Identity & Security and Key Management & Secret Management in the External Key Management tab in the Oracle Cloud Infrastructure navigation menu.

FREDERICK BOSCO

Product Manager

I am the Product Manager for OCI Key Management service and OCI Secret Management service.

Parth Pimparkar

Parth specializes in Cloud Security and is a member of the Key Management Service Team in OCI. His educational background includes associations with BITS Pilani, the University of Washington, and Harvard University.

