Backing up a Key

Learn how to back up a master encryption key.

The backup a key feature is only available for keys in virtual private vaults. You can monitor the progress of the backup operation through the work request for the backup. See Using the Console to View Work Requests for more information.

  • This task can't be performed using the OCI Console.

    1. On the Master Encryption Keys list page, find the key that you want to work with. If you need help finding the list page, see Listing Keys.
    2. Select the name of the Master Encryption Key to view the details for the key.
    3. Select Actions, then select Back Up Key.
      1. Select a source: export a backup to either an Existing Object Storage Bucket (recommended) or a preauthenticated Object Storage URL for an bucket that you can write to.
      2. Do one of the following, depending on what you chose in the previous step:
        • Select a bucket from the drop down menu. If needed, you can change the compartment to find a bucket in a different compartment. Then, specify the Backup Name. Avoid entering confidential information.
        • Select Object Storage URL, and then provide a preauthenticated URL for an object.
      3. When you're finished, select Back Up Key. (Note the compartment so that you can restore this resource to the same compartment later.)
  • Use the oci kms management key backup command and required parameters to back up a key:

    oci kms management key backup --bucket-name <bucket_name> --from-json <json_input>

    See Advanced JSON Options for information on using JSON input with this command.

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Use the BackupKey API with the Management Endpoint to back up a key.

    Note

    The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.

    The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

    You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

    For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.