Restoring a key

Learn how to restore a vault key from a backup.

The restore a key feature is only available for keys in virtual private vaults. You can monitor the progress of the restore operation through the work request for the restore. See Using the Console to View Work Requests for more information.

    1. On the Master Encryption Keys list page, select Restore Key. If you need help finding the list page, see Listing Keys.
    2. Select a source. You can import a key backup from the following sources: an Object Storage bucket, a preauthenticated Object Storage URL, or a file on your local machine or a mapped network location.
    3. Do one of the following, depending on what you chose in the previous step:
      • Select a bucket from the dropdown menu. If needed, you can change the compartment to find a bucket in a different compartment, then use the Select a file menu to select the name of the file containing the backup of your key.
      • Select Object Storage URL, and then provide a preauthenticated URL for the file in OCI Object Storage that contains your key backup..
      • Using Upload a file, drag a file or select one from your local machine or a mapped network location to import a file containing a backup of a key.
    4. When you're finished, select Restore Key.
  • Use the oci kms management key restore command and required parameters to restore a key from Object Storage:

    oci kms management key restore --bucket-name <bucket_name> --from-json <json_input>

    Use the oci kms management key restore-from-file command and required parameters to restore a key from a file:

    oci kms management key restore-from-file --from-json <json_input>

    See Advanced JSON Options for information on using JSON input with this command.

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Use the RestoreKeyFromFile API or the RestoreKeyFromObjectStore API with the Management Endpoint to restore a key from a backup.

    Note

    The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.

    The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

    You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

    For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.