Oracle Cloud Infrastructure Documentation

Creating an External Key Management Vault

Learn how to create a vault in OCI External Key Management.

To create a vault in KMS side, you need the following details:
  • The external vault endpoint URL
  • Private endpoint OCID
  • Oauth metadata (IDCS URL, client application ID and client application secret)
Note

You must associate the confidential client app to identity domain, and this app is bound to confidential resource app (external key management) for authorization
    1. Open the navigation menu , select Identity & Security, and then select External Key Management.
    2. On the External key Management home page, select Create Vault.
    3. On the Create Vault page, provide the following details:
      • Name: Enter a name for the vault.
      • Description: Provide a short description.
      • Create in Compartment: Select a compartment for the OCI KMS vault.
      • IDCS Account Name URL: Enter the authentication URL that you use to access the KMS service. The Console redirects to a sign in screen.
      • Key Manager Vendor: Select a third-party vendor that deploys key management service. OCI External Key Management supports Thales external key management systems.
      • Client application ID:. Enter the OCI KMS client ID generated when you register the confidential client application in Oracle Identity Domain.
      • Client application secret: Enter the Secret ID of the confidential client application registered in the Oracle Identity Domain.
      • Private Endpoint compartment: Select the compartment of the private endpoint you want to use with the external key management vault.
      • Private Endpoint: Select the private endpoint to use with the external key management vault.
      • External Vault URL: Enter the vault URL that was generated when you created vault in external key management.
    4. Select Create Vault.

  • Use the oci kms management vault create command to create a new vault:

    oci kms management vault create –external-key-manager-metadata

    For example:

    
oci kms management vault create vault-1

    Avoid entering confidential information.

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Use the CreateVault API with the Management Endpoint to create an external vault.

    Note

    The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.

    The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

    You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

    For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.