Oracle Cloud Infrastructure Documentation

Disabling Key References

Lean how to disable key references in OCI External Key Management.

The "Disable" operation for a key and its key reference is a recoverable action as it can be enabled again. If an external key is disabled (temporarily unused state) on CipherTrust Manager (CM), you can disable its key reference in OCI KMS. As a result, the external key can no longer be used for cryptographic operations with Oracle data at rest.

    1. On the External Key Management Vaults page, find the vault that you want to work with. If you need help finding the list page or the vault, see Listing External Key Management Vaults.
    2. Select the name of the vault that has the key reference you're disabling.
    3. On the Keys tab, select the name of the a key reference you're disabling to view the key reference's details.
    4. Select Actions, then select Disable.
    5. Confirm that you want to disable the key reference.

    6. After disabling a key reference, all actions on the key reference gets disabled. However, on enabling it again, the actions become enabled.

  • Use the oci kms management key disable command with the Management Endpoint to disable a key reference:

    Open a command prompt and run oci kms management key disable to disable a key reference:

    oci kms management key disable –external-key-reference-id <target_key_id> --endpoint <control_plane_url>

    Avoid entering confidential information.

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Use the DisableKey API with the Management Endpoint to disable a key reference.

    Note

    The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.

    The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

    You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

    For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.