Replicating Vaults and Keys

Replicate private vaults and keys for disaster recovery scenarios. Replication helps in reading keys in a vault from a different region within the same realm.


You cannot replicate a vault unless it was created as a virtual private vault. Because virtual private vaults are not included as an Always Free resource, you must request the appropriate service limits in the destination region where you want to replicate the vault before you configure replication.

You can replicate virtual private vaults from one region to another region to make them and the keys that they contain available to meet compliance requirements or to improve latency.

When you configure cross-region replication for a virtual private vault, the Vault service automatically synchronizes the creation, deletion, update, or move of any keys or key versions between the initiating vault and a vault in one destination region. The vault from which the service replicates data is known as the source vault. The vault in the destination region to which the service replicates data from the source vault is known as the vault replica.

The service supports cryptographic operations against the vault and keys in the destination region. Management operations against the vault and keys in the destination region are not supported. For example, you cannot create keys directly in the vault replica, nor can you back up a vault replica. You can note the cryptographic endpoint of the vault in the destination region by viewing the replica details and begin using that endpoint when needed.

Following are the Vault Backup operations:

When you want to stop replication, you only need to delete the vault replica. Only one destination vault can exist for a given source vault at any time, so you must delete the existing vault replica if you want to set up replication to a different destination region.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  to work in.

For administrators: for a typical policy that gives access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. Besides policies for users and groups, you must also write a policy that gives the Vault service the ability to do everything with vaults so it can create and manage vaults on your behalf during replication. For example, the following policy gives permission to the service in all regions realm-wide:

Allow service keymanagementservice to manage vaults in tenancy

To restrict permissions to specific compartments, specify the compartment instead. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.

If you're new to policies, see Getting Started with Policies and Common Policies.