Oracle Cloud Infrastructure (OCI) Vault lets you to centrally manage and control use of keys and secrets across a wide range of OCI services and applications. Vault is a secure and resilient managed service that lets you focus on your data encryption needs without requiring you to worry about time-consuming administrative tasks such as hardware provisioning, software patching and high-availability. It uses hardware security modules (HSM) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification, to protect your keys. With HSM protected keys, all the cryptographic operations and storage of keys are inside the HSM. This has been the only protection mode supported so far.
We’re excited to announce the general availability of Software Protected Keys in OCI Vault service. You now have the flexibility to control how your encryption keys are protected - either in the HSM or in Software. With the Software Protected Keys, your encryption keys are stored and processed in software but are secured at rest with a root key from HSM. Software Protected Keys can be exported outside the Vault to achieve higher availability and improved latency for cryptographic operations within your applications. You can get an increased number of keys to protect your data as Software Protected Keys are not limited by the availability of HSM keys. We want Software Protected Keys to be easily available and used by all OCI customers, thus this feature is available at no charge.
Software Protected Keys is available via the Console, API, and the CLI, similar to HSM protected keys, so that you can manage them with just a few clicks or a Terraform script.
The following are some details on how you can manage Software Protected Keys.
Management of Keys
Vault service has a new field called Protection Mode under Create Key operation. This allows you to control where your Master Encryption Keys (MEK) are stored and processed - either in the HSM or in the Software. The default option is to create HSM protected keys.
The below image shows an example of Create Key operation with the Protection Mode field.
You can now distinguish your MEKs whether it’s protected by HSM or Software in the Vault details page with an option to Filter them based on the Protection Mode.
The below image shows an example of a Vault details page.
Export of Keys
Vault service has a new cryptographic operation called Export Key to export the software protected MEK outside the Vault. You can use the key locally within your application to perform cryptographic operations. Once your operation is complete, we recommend you discard the key from your local memory as you can retrieve the software protected MEK from the Vault service as and when required. The export operation is only allowed on software protected keys.
The below command lets you export a software-protected MEK
oci kms crypto key export --key-id <key_OCID> --algorithm <encryption_algorithm> --public-key <public_RSA_wrapping_key> --endpoint <data_plane_url>
As with HSM protected keys, Software Protected Keys support on-demand key rotation to help meet compliance requirements like Payment Card Industry (PCI) DSS. Security is further enabled by limiting the amount of information protected by a specific key. As with all other OCI Vault service features, Software Protected Keys management and cryptographic operations will be logged in OCI Audit log to meet your audit needs. The below image shows an example of a Key detail page that provides the Rotate Key operation.
Cost and effort shouldn't get in your way when securing your environments on OCI. As a result, we offer Software Protected Keys and the operations associated with it at zero cost to Oracle Cloud Infrastructure customers.
In summary, Software Protected Keys gives you the control to choose where your encryption keys should be stored and processed as required by your workloads. You can read more about how the feature works in the technical documentation. But the best way to learn about it is to give it a try! You can access the Software Protected Key feature in the OCI Console through Security->Vault tab in the OCI navigation menu.
Sign up for a Free Tier account and look for yourself.