Friday, October 24, 2025

Oracle Cloud Infrastructure (OCI) Key Management & Secret Management


☁️ Introduction

In modern cloud environments, data protection goes beyond passwords and access control.
It’s about managing how your data is encrypted, stored, and accessed securely.

Oracle Cloud Infrastructure (OCI) provides two powerful services to handle this:

  • OCI Key Management – to create and manage encryption keys.

  • OCI Secret Management – to securely store credentials, passwords, and tokens.

Let’s explore both in detail and understand how they work together to secure your Oracle Cloud workloads.

🔹 Part 1: OCI Key Management

🔑 What is OCI Key Management?

OCI Key Management is a fully managed encryption service that lets you create and manage customer-managed encryption keys (CMEK) used to protect your data in OCI services.

Every time data is written to OCI block storage, a database, or Object Storage, it is encrypted with an encryption key. When you take control of those keys, they are managed in OCI's Vault service, backed by FIPS 140-2 Level 3 compliant Hardware Security Modules (HSMs).

📘 Example:
When you store data in an Object Storage bucket, OCI automatically encrypts it with an Oracle-managed key.
If you want full control over that key (rotation, disabling, deletion), you use Customer Managed Keys (CMKs) from Key Management instead.

⚙️ Key Concepts

Term | Description
Vault | Logical container that stores keys and secrets.
Master Encryption Key (MEK) | The main key used to encrypt/decrypt other keys or data.
Key Version | Each rotation creates a new version; older versions can still decrypt old data.
HSM | Hardware module that securely stores keys (Oracle manages this hardware for you).

🪜 How to Create a Key in OCI

Here’s how you can create a new Master Encryption Key from the OCI Console:

  1. Open the Navigation Menu → Identity & Security → Vault.

  2. Click Create Vault → choose Compartment and Vault Type (Default/Virtual Private).

  3. Once the vault is created, open it and click Master Encryption Keys → Create Key.

  4. Provide a Key Name, Protection Mode (Software or HSM), and optionally enable Automatic Rotation.

💡 Pro Tip:
Always use HSM Protection Mode for production workloads.
Key material is generated and stored inside the HSM and never leaves it, which is what the strictest compliance regimes expect.

πŸ” Key Lifecycle Operations

You can perform the following key operations directly from the Vault:

Operation | Description
Rotate Key | Creates a new key version (useful for compliance or periodic rotation).
Disable/Enable | Temporarily restricts key usage.
Schedule Deletion | Permanently deletes the key after a waiting period (7–30 days).
Audit Key Usage | Track who accessed or used the key for encryption/decryption.
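The version semantics behind the two tables above (a rotation creates a new version, older versions still decrypt the data they encrypted, a disabled key refuses every operation, a deleted version makes its data unrecoverable), as an added toy model in Python; it is not OCI's code or SDK, and its HMAC-based keystream is a constructed stand-in for the HSM-backed cipher, present only to make the lifecycle behaviour observable.

```python
import hashlib
import hmac
import os

# Toy model of an OCI Vault master encryption key (MEK) with key versions. The "cipher"
# is an HMAC-SHA256 keystream XOR: a constructed stand-in, not the HSM-backed AES of OCI.

class MasterEncryptionKey:
    def __init__(self) -> None:
        self.versions: dict[int, bytes] = {}  # version number -> key material
        self.current = 0                      # version used for new encryptions
        self.enabled = True

    def rotate(self) -> int:
        """Create a new key version and make it current; old versions stay usable for decrypt."""
        self.current += 1
        self.versions[self.current] = os.urandom(32)
        return self.current

    def _keystream(self, version: int, nonce: bytes, length: int) -> bytes:
        out = b""
        for counter in range((length + 31) // 32):
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.versions[version], block, hashlib.sha256).digest()
        return out[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        if not self.enabled:
            raise PermissionError("key is disabled")
        nonce = os.urandom(16)
        ks = self._keystream(self.current, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        # The ciphertext records the key version that produced it, so a caller
        # decrypting later does not need to know which version was current then.
        return self.current.to_bytes(4, "big") + nonce + ct

    def decrypt(self, blob: bytes) -> bytes:
        if not self.enabled:
            raise PermissionError("key is disabled")
        version, nonce, ct = int.from_bytes(blob[:4], "big"), blob[4:20], blob[20:]
        if version not in self.versions:
            raise KeyError(f"key version {version} has been deleted")
        ks = self._keystream(version, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))

    def delete_version(self, version: int) -> None:
        """Model of deleting a key version: data encrypted under it becomes unrecoverable."""
        if version == self.current:
            raise ValueError("cannot delete the current key version")
        del self.versions[version]
```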

🔒 Integration Example

  • Block Volume Encryption → Use a customer-managed key.

  • Database Tablespace Encryption (TDE) → Store your TDE master key in OCI Vault.

  • Object Storage Encryption → Encrypt buckets using a customer key from Vault.

📘 Example for DBAs:
You can integrate your Autonomous Database with a Vault key for TDE management — giving you full control over when and how encryption keys rotate.

🔹 Part 2: OCI Secret Management

🤫 What is Secret Management?

While Key Management protects data encryption, Secret Management secures your credentials and configuration secrets like:

  • API keys

  • Database passwords

  • Tokens or SSH keys

  • Application credentials

These secrets are encrypted using keys stored in Vault, ensuring that both keys and secrets are controlled under one unified security model.

🪜 How to Create a Secret in OCI

  1. Navigate to Identity & Security → Vault.

  2. Open your existing Vault → Click Secrets → Create Secret.

  3. Enter a Secret Name and Secret Content (for example, a database password).

  4. Select a Master Encryption Key to encrypt this secret.

  5. Click Create Secret.

💡 Tip: You can version and rotate secrets without exposing them — applications can fetch the latest secret version dynamically via OCI SDK or API.

πŸ” Accessing Secrets Securely

Applications can access stored secrets programmatically via:

  • OCI CLI

  • OCI SDKs (Python, Java, etc.)

  • Resource Principals (for Autonomous DB, Functions, etc.)

📘 Example (Using OCI CLI):

oci secrets secret-bundle get --secret-id <secret_ocid> --query 'data."secret-bundle-content".content' --raw-output | base64 --decode

This retrieves the current version of the secret at runtime. The content comes back base64-encoded, so it is decoded before use; the application never has to keep the value in a config file or in source code. (Note that `oci vault secret get` returns only the secret's metadata, not its content; the secret-bundle command is the one that returns the value.)
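Reading the bundle that `oci secrets secret-bundle get` (or the SDK's `get_secret_bundle`) returns, as an added Python example that is not from the page or Oracle's SDK: it checks that the returned version is in the stage the application asked for and decodes the base64 content, failing closed otherwise. The OCID and secret values are constructed placeholders, and the inline JSON stands in for the live API call.

```python
import base64
import json

# Constructed sample of the JSON that `oci secrets secret-bundle get` prints (same shape as
# the SDK's get_secret_bundle response). Placeholder OCID; the content is a made-up value.
SAMPLE_BUNDLE = json.dumps({
    "data": {
        "secret-id": "ocid1.vaultsecret.oc1..<placeholder>",
        "version-number": 3,
        "stages": ["CURRENT", "LATEST"],
        "secret-bundle-content": {
            "content-type": "BASE64",
            "content": base64.b64encode(b"S3cr3t-Example!").decode("ascii"),
        },
    }
})

# Same secret, but an old version that a rotation has moved out of the CURRENT stage.
STALE_BUNDLE = json.dumps({
    "data": {
        "secret-id": "ocid1.vaultsecret.oc1..<placeholder>",
        "version-number": 2,
        "stages": ["DEPRECATED"],
        "secret-bundle-content": {
            "content-type": "BASE64",
            "content": base64.b64encode(b"old-password").decode("ascii"),
        },
    }
})


def bundle_problems(bundle_json: str, require_stage: str = "CURRENT") -> list[str]:
    """List every reason this bundle should NOT be trusted as the live secret value."""
    data = json.loads(bundle_json)["data"]
    problems = []
    if require_stage not in data.get("stages", []):
        problems.append(f"version {data.get('version-number')} is not in stage {require_stage}")
    content = data.get("secret-bundle-content") or {}
    if content.get("content-type") != "BASE64":
        problems.append(f"unexpected content-type {content.get('content-type')!r}")
    if not content.get("content"):
        problems.append("bundle carries no content")
    return problems


def decode_secret_bundle(bundle_json: str, require_stage: str = "CURRENT") -> bytes:
    """Fail closed: raise on any problem, otherwise return the decoded secret bytes."""
    problems = bundle_problems(bundle_json, require_stage)
    if problems:
        raise ValueError("; ".join(problems))
    content = json.loads(bundle_json)["data"]["secret-bundle-content"]["content"]
    # validate=True rejects stray characters instead of silently dropping them
    return base64.b64decode(content, validate=True)
```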

πŸ” Secret Lifecycle

Operation | Description
Create Secret | Store a new password or credential.
Rotate Secret | Add a new version when the password or token changes.
Retrieve Secret | Fetch the secret when the application needs it.
Schedule Deletion | Securely delete secrets that are no longer needed.

🧩 Key Management vs. Secret Management

Feature | OCI Key Management | OCI Secret Management
Purpose | Manage encryption keys for data | Manage application secrets & credentials
Storage | Vault (HSM-backed) | Vault (encrypted using keys)
Use Case | Encrypt DB, storage, or backups | Store DB passwords, tokens, or API keys
Rotation | Rotates encryption keys | Rotates secret versions
Integration | Database, Object Storage, Block Volumes | Functions, DevOps, APIs

🧠 Real-World Example:

Let’s say you’re managing an Autonomous Database in OCI.
You can:

  • Encrypt the database using a Key from OCI Vault (Key Management).

  • Store the database password or connection string using Secret Management.

This ensures that both data at rest and credentials are fully secured within Oracle’s managed infrastructure.

⚙️ Best Practices

Use One Vault per Environment:
Separate vaults for Dev, Test, and Production to isolate keys and secrets.

Rotate Keys Regularly:
Set a 90-day rotation policy for compliance.

Use Policies & Compartments:
Limit who can access keys/secrets using IAM policies.

Integrate with Monitoring:
Enable Audit and Cloud Guard to detect unusual access patterns.

Never Hardcode Secrets:
Always fetch them dynamically from OCI Secret Management using SDKs or Functions.

🏁 Conclusion

OCI Key Management and Secret Management are core pillars of Oracle Cloud security.
While Key Management protects your data, Secret Management protects your access — together ensuring complete encryption governance across your tenancy.

With Vault, you control the lifecycle of both keys and secrets — securely, automatically, and compliantly.
