Replicating Vaults and Keys

Replicate private vaults and keys for disaster recovery scenarios. Replication helps in reading keys in a vault from a different region within the same realm.

Note

You cannot replicate a vault unless it was created as a virtual private vault. Because virtual private vaults are not included as an Always Free resource, you must request the appropriate service limits in the destination region where you want to replicate the vault before you configure replication.

You can replicate virtual private vaults from one region to another region to make them and the keys that they contain available to meet compliance requirements or to improve latency.

When you configure cross-region replication for a virtual private vault, the Vault service automatically synchronizes the creation, deletion, update, or move of any keys or key versions between the initiating vault and a vault in one destination region. The vault from which the service replicates data is known as the source vault. The vault in the destination region to which the service replicates data from the source vault is known as the vault replica.

The service supports cryptographic operations against the vault and keys in the destination region. Management operations against the vault and keys in the destination region are not supported. For example, you cannot create keys directly in the vault replica, nor can you back up a vault replica. You can note the cryptographic endpoint of the vault in the destination region by viewing the replica details and begin using that endpoint when needed.

When you want to stop replication, you only need to delete the vault replica. Only one destination vault can exist for a given source vault at any time, so you must delete the existing vault replica if you want to set up replication to a different destination region.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

For administrators: for a typical policy that gives access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. Besides policies for users and groups, you must also write a policy that gives the Vault service the ability to do everything with vaults so it can create and manage vaults on your behalf during replication. For example, the following policy gives permission to the service in all regions realm-wide:

Allow service keymanagementservice to manage vaults in tenancy

To restrict permissions to specific compartments, specify the compartment instead. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.

If you're new to policies, see Getting Started with Policies and Common Policies.

Using the Console

Use the Console to replicate vaults and view replicated keys details.

Note

You can only replicate active virtual private vaults and active, enabled, or disabled keys.

To replicate a vault and its keys

Note

A given virtual private vault can only have one vault replica and the replica must exist in a different region in the same realm. When you replicate a vault, the service automatically replicates all existing keys. Replication does not include secrets.

  1. Open the navigation menu, click Identity & Security, and then click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault that you want to replicate.
  3. From the list of vaults in the compartment, click the name of the vault that you are interested in.
  4. Click Replicate Vault.
  5. In the Replicate Vault dialog box, choose a destination region from the list, and then click Create Replica.
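
Before clicking Replicate Vault, an operator can verify the constraints described above (the vault must be a virtual private vault, it must be active, it may have only one replica at a time, the destination must be a different region in the same realm, and only enabled or disabled keys travel with it). The following Python script is an added example and is not Oracle's code or the Vault service's API: it takes vault and key metadata as plain dictionaries, assumes the kebab-case field names that the OCI CLI prints for `oci kms management vault get` and `oci kms management key list` ("vault-type", "lifecycle-state", "replica-details", "replication-id"), and uses a small constructed region-to-realm table for illustration.

```python
"""Preflight check for cross-region replication of an OCI Vault.

Added example; not Oracle's own code. It encodes the constraints stated
on this page before an operator requests a replica:
  - only virtual private vaults can be replicated,
  - the source vault must be ACTIVE,
  - a source vault can have at most one replica at a time,
  - the destination must be a different region in the same realm,
  - only enabled or disabled keys are replicated (secrets are not).

Assumptions: the vault/key dictionaries use the kebab-case field names that
`oci kms management vault get` / `oci kms management key list` print
("vault-type", "lifecycle-state", "replica-details", "replication-id"),
and REGION_REALM is a constructed subset used only for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed illustrative subset of region identifiers and their realm keys.
# In practice, take the realm from the tenancy's subscribed-regions listing.
REGION_REALM: Dict[str, str] = {
    "us-ashburn-1": "oc1",
    "us-phoenix-1": "oc1",
    "eu-frankfurt-1": "oc1",
    "uk-london-1": "oc1",
    "us-langley-1": "oc2",
    "us-luke-1": "oc2",
}

# Key lifecycle-state values assumed for the "enabled or disabled" keys that
# the page says are replicated along with the vault.
REPLICABLE_KEY_STATES = {"ENABLED", "DISABLED"}


@dataclass
class Verdict:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def check_vault_replication(vault: dict, source_region: str, destination_region: str) -> Verdict:
    """Return whether `vault` in `source_region` may be replicated to `destination_region`."""
    reasons: List[str] = []

    if vault.get("vault-type") != "VIRTUAL_PRIVATE":
        reasons.append("only virtual private vaults can be replicated")

    state = vault.get("lifecycle-state")
    if state != "ACTIVE":
        reasons.append(f"vault lifecycle state is {state!r}, not ACTIVE")

    # replica-details is null for a vault that has never been replicated.
    replica: Optional[dict] = vault.get("replica-details")
    if replica and replica.get("replication-id"):
        reasons.append("vault already has a replica; delete it before choosing a new destination")

    if source_region == destination_region:
        reasons.append("destination region must differ from the source region")

    src_realm = REGION_REALM.get(source_region)
    dst_realm = REGION_REALM.get(destination_region)
    if src_realm is None or dst_realm is None:
        reasons.append("unknown region identifier; cannot confirm both regions share a realm")
    elif src_realm != dst_realm:
        reasons.append(f"regions are in different realms ({src_realm} vs {dst_realm})")

    return Verdict(ok=not reasons, reasons=reasons)


def partition_keys(keys: List[dict]) -> Dict[str, List[str]]:
    """Split key OCIDs into those the service will replicate and those it will not."""
    out: Dict[str, List[str]] = {"replicated": [], "skipped": []}
    for key in keys:
        bucket = "replicated" if key.get("lifecycle-state") in REPLICABLE_KEY_STATES else "skipped"
        out[bucket].append(key["id"])
    return out


if __name__ == "__main__":
    # Constructed sample metadata; OCIDs are placeholders, not real identifiers.
    source_vault = {
        "id": "ocid1.vault.oc1.iad.PLACEHOLDER",
        "vault-type": "VIRTUAL_PRIVATE",
        "lifecycle-state": "ACTIVE",
        "replica-details": None,
    }
    print(check_vault_replication(source_vault, "us-ashburn-1", "us-phoenix-1"))
    print(check_vault_replication(source_vault, "us-ashburn-1", "us-langley-1"))
    print(partition_keys([
        {"id": "ocid1.key.oc1.iad.PLACEHOLDER1", "lifecycle-state": "ENABLED"},
        {"id": "ocid1.key.oc1.iad.PLACEHOLDER2", "lifecycle-state": "PENDING_DELETION"},
    ]))
```

Feed it the JSON from a real `vault get` and `key list` call and the Verdict lists every reason a replica request would be rejected, so the same-realm and single-replica rules are caught before the request is made rather than after it fails.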

To view the details of a vault replicated from another vault

Note

This procedure describes how to view the details of the vault that is created when replication is configured on a source vault.

  1. Open the navigation menu, click Identity & Security, and then click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault configured for replication whose details you want to view.
  3. From the list of vaults in the compartment, click the name of the source vault.
  4. Click View Replica Details.
  5. The details of the replicated vault include the following:
    • Destination Region: The region in which the vault replica exists.
    • Replication State: The current state of the vault in the destination region regarding replication. (A vault's replication state is unrelated to its lifecycle state. The lifecycle state of the vault in the destination region matches the lifecycle state of the vault in the source region.)
    • Creation Date: The date that you started replicating data to the vault in the destination region.
    • Destination Vault Name: The name of the vault in the destination region.
    • OCID: The unique, Oracle-assigned ID of the vault in the destination region.
    • Management Endpoint: The endpoint to use if you need to begin sending requests for management operations to the vault in the destination region.
    • Cryptographic Endpoint: The endpoint to use in the event you need to begin sending requests for cryptographic operations to the vault in the destination region.

To view the actual details page of a vault replica, you must access the Vault service in the region where the vault replica exists. For more information about choosing a different region, see Switching Regions.

Although you can view a vault replica and its contents, you cannot perform any administrative actions directly on the vault replica from its details page. Any updates to the vault in the destination region happen as a result of updates to the vault in the source region.

To view replicated keys
  1. The currently selected region is displayed at the top of the Console. From the Region menu, select the region that you chose as the destination region when you configured replication.
  2. Open the navigation menu, click Identity & Security, and then click Vault.
  3. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault that has the keys you are interested in.
  4. From the list of vaults in the compartment, click the name of the vault.
  5. To see a list of keys in this vault, click Master Encryption Keys. You can see keys in other compartments by changing the list scope.

To delete a vault replica

Note

When you configure replication on a vault, deleting the replicated vault stops replication, but otherwise has no impact on its source.

  1. Open the navigation menu, click Identity & Security, and then click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment that contains the vault with a replica that you want to delete.
  3. From the list of vaults in the compartment, click the name of the vault.
  4. Click View Replica Details.
  5. Click the Actions menu (three dots), and then click Delete Replica.
  6. In the Confirm Deletion dialog box, click the box, and then type the name of the vault in the destination region.
  7. When you are finished, click Delete Replica.