What two types of encryption keys are recognized by the Oracle cloud infrastructure Vault service?


Vault Introduction - Part 1


Welcome to the course Oracle Cloud Infrastructure Architect Associate. The course prepares you for the Oracle Cloud Infrastructure Architect Associate Certification. Kickstart your journey on Oracle Cloud by getting to know its Architecture, User Management, Basics of VCN and network security, Autoscaling and more.



[MUSIC] Welcome to this lesson on OCI Vault, where we are going to look at some of the OCI Vault basics. OCI Vault is a managed service that lets you centrally manage encryption keys and secret credentials. It supports algorithms like AES, RSA and ECDSA; we looked at some of these in the encryption basics in the previous lessons. Several OCI services integrate with the OCI Vault service. The primary concepts in the Vault service which you need to understand are the vaults themselves, keys and secrets, and we'll cover each of these in subsequent lessons. The whole idea of Vault is that you can centrally manage encryption keys and secret credentials, and Vault removes the need to store these encryption keys and secrets in configuration files or in code. So it's a best practice: you should use a service like Vault, and it helps improve the overall security posture of your organization.

So, let's look at each of these concepts in greater detail, starting with vaults. Vaults are logical entities where the Vault service creates and durably stores keys and secrets. Now, when you create a vault, depending on its protection mode (we'll talk about those), the keys are either stored on a server, or they are stored on highly available and durable hardware security modules called HSMs that meet the FIPS 140-2 Security Level 3 certification. That's kind of a mouthful, but think about this as one of the highest independent assurances that the design and implementation of the product, and the cryptographic algorithms behind it, are sound. So this is an internationally recognized standard. So, HSMs are used to durably back up the keys inside the vault. Now, there are two kinds of vaults, as we just talked about. The first one is called Virtual Private Vault. Think about this as a dedicated, isolated partition in an HSM.

So you take an HSM, you create several partitions on it, and the virtual private vault is basically your own dedicated partition. As a result, you can store up to 1000 key versions; we will look into what key versions are. You get better isolation, of course, because it's dedicated to you. And one advantage with a virtual private vault is that you can back up the vault and the keys to Object Storage, so they can be really helpful in disaster recovery scenarios, cross-region replication, etc. So, think about these as the more advanced version of the product. And then there's something called a shared partition: you take one partition, and the same partition is shared with multiple tenants, multiple customers. It's still quite secure, but you don't get some of the benefits: you cannot back up to Object Storage, and you get charged for the number of keys, key versions and secrets which are stored. We'll look into this as we go into the console and do a quick demo.

What are keys? Well, keys are logical entities that represent one or more key versions, each of which contains cryptographic material. As we saw in the previous lesson on encryption basics, the cryptographic material is generated for a specific algorithm, either AES, RSA or ECDSA, and that lets you use the key for encryption and decryption or for digital signing. Now, in the Vault service there are basically three kinds of keys which you need to care about: master encryption keys, data encryption keys and wrapping keys. We'll look into each of these in greater detail. So, let's start with master encryption keys, and look into data encryption keys as well. Master encryption key is a bit of a mouthful, so on the slide it is shortened to MEK. So, the idea is these are the keys you create or import in the vault.

MEKs are used to generate what are called data encryption keys; we'll look into why that's the case. Master encryption keys are always created in a vault. And the protection mode, there are two of them, indicates how these keys persist and where cryptographic operations are performed. So, when you talk about a vault and you talk about keys, pretty much every time you're talking about master encryption keys. These are the keys which you use to encrypt and decrypt, but you will see that behind the scenes it's actually a little bit more complex. So, there's also this concept of data encryption keys, and data encryption keys are generated by the master encryption keys. These are used to encrypt data, and the data encryption keys themselves are encrypted with the master encryption key. This is known as envelope encryption, and you will see why envelope encryption makes sense in subsequent lessons. But the idea is that OCI services like Block Storage or File Storage don't hold on to the plaintext data encryption key. I mean, they have access to it, but they use it for encryption or decryption and remove it from memory as soon as possible after usage. So, this is what is being shown on the graphic on the right-hand side. As we said, when you talk about a key, most of the time it's represented as a master encryption key. These keys are always created inside the vault, and depending on the protection mode, sometimes you cannot even export them outside the vault. What the master encryption key does is generate this thing called a data encryption key. As you can see here, the data encryption key is a plaintext key, and the vault also encrypts the data encryption key and sends both to the different services. The services use the plaintext data encryption key to do encryption or decryption and then remove it from memory as soon as possible, and they store the encrypted data encryption key as part of their storage.

We'll look into that in a subsequent lesson. But you can see how this data encryption key is itself encrypted with a master encryption key, and that process is called envelope encryption. So, let's look at this, and then I'll switch over to the console and we'll do a quick demo. Now, master encryption keys can have one of two protection modes. The first one is called HSM. As we talked about, these keys are durably backed by highly available and durable HSMs. So, when you choose the HSM protection mode, the keys, as you can imagine, are stored in an HSM. They cannot be exported from the HSM, and all cryptographic operations happen inside the HSM. So, this is the most secure kind of environment you can get. The second option is what we refer to as software. In this case, the master encryption keys are stored on a server, and they can be exported to perform cryptographic operations. Obviously they're stored on the server, but they're protected at rest, and they can be encrypted by a root key on the HSM. And there are different pricing mechanisms depending on whether you want the keys to be stored in an HSM or you want the keys to be stored in software. With that, let me switch over quickly to the console and run through a quick demo.
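Envelope encryption as the lesson describes it, in a runnable form. This is an added example, not code from the lesson or from Oracle: it stands in an in-process `KMS` type for the Vault side and uses AES-256-GCM for both the key wrap and the data encryption (the lesson names AES but not a mode, so the mode, the `"dek"` associated-data label and every function and type name here are assumptions). The service-side functions never see the MEK; they receive a plaintext DEK plus its wrapped form, store only the wrapped form next to the ciphertext, and zero the plaintext DEK as soon as they are done with it. A second `KMS` with a different MEK cannot unwrap the stored DEK, which is the property the consuming services depend on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a hypothetical in-process stand-in for the Vault side (not the OCI SDK). It
// holds the MEK and never hands it out; only DEK generation and unwrapping cross the boundary.
type KMS struct {
	mek []byte // 32-byte AES-256 master encryption key, never exported (HSM protection mode)
}

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source; nothing sensible to do
	}
	return b
}

// NewKMS creates a vault with a fresh random MEK.
func NewKMS() *KMS { return &KMS{mek: randomBytes(32)} }

// newGCM builds an AES-GCM AEAD, so a wrong key or any tampering fails on decrypt.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh nonce and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// GenerateDataEncryptionKey mints a fresh DEK and returns it twice: in plaintext for
// immediate use, and wrapped (encrypted under the MEK) for storage beside the data.
func (k *KMS) GenerateDataEncryptionKey() (plaintextDEK, wrappedDEK []byte, err error) {
	plaintextDEK = randomBytes(32)
	wrappedDEK, err = seal(k.mek, plaintextDEK, []byte("dek"))
	return plaintextDEK, wrappedDEK, err
}

// UnwrapDataEncryptionKey recovers a plaintext DEK; only the holder of the MEK can.
func (k *KMS) UnwrapDataEncryptionKey(wrappedDEK []byte) ([]byte, error) {
	return open(k.mek, wrappedDEK, []byte("dek"))
}

// Envelope is what a consuming service persists: ciphertext plus the wrapped DEK.
type Envelope struct {
	WrappedDEK []byte // useless without the vault
	Ciphertext []byte
}

// EncryptWithEnvelope is the service's write path.
func EncryptWithEnvelope(kms *KMS, data []byte) (*Envelope, error) {
	dek, wrapped, err := kms.GenerateDataEncryptionKey()
	if err != nil {
		return nil, err
	}
	defer func() { for i := range dek { dek[i] = 0 } }() // drop the plaintext DEK from memory
	ct, err := seal(dek, data, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptEnvelope is the read path: ask the vault to unwrap the DEK, use it once, discard.
func DecryptEnvelope(kms *KMS, env *Envelope) ([]byte, error) {
	dek, err := kms.UnwrapDataEncryptionKey(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	defer func() { for i := range dek { dek[i] = 0 } }()
	return open(dek, env.Ciphertext, nil)
}
```

Calling `EncryptWithEnvelope(NewKMS(), data)` and then `DecryptEnvelope` with the same `KMS` round-trips the data; calling `DecryptEnvelope` with a different `KMS`, or after flipping a byte of `WrappedDEK`, returns an error because GCM authentication of the wrapped key fails. The zeroing is best-effort in a garbage-collected language and only models the lesson's "remove it from memory as soon as possible"; the structural protection is that nothing persisted ever contains a usable key without the vault.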