Use the vault master encryption keys for cryptographic operations.
For information about managing keys, see Managing Keys. For information about exporting keys, see Exporting Keys and Key Versions. For information about managing the vaults in which you store keys, see Managing Vaults.
Vault cryptographic operations include the following:
- Encrypting data
- Decrypting data
- Generating data encryption keys
- Signing data
- Verifying signed data
You can use either the command line interface (CLI) or API to perform cryptographic operations.
Required IAM Policy
Keys associated with volumes, buckets, file systems, clusters, and stream pools will not work unless you authorize Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming to use keys on your behalf. You must also authorize users to delegate key usage to these services in the first place. For more information, see Let a user group delegate key usage in a compartment and Let Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming services encrypt and decrypt volumes, volume backups, buckets, file systems, Kubernetes secrets, and stream pools in Common Policies.
Keys associated with databases will not work unless you authorize a dynamic group that includes all nodes in the DB system to manage keys in the tenancy. For more information, see Required IAM Policy in Exadata Cloud Service.
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
For administrators: for typical policies that give access to vaults, keys, and secrets, see Let security admins manage vaults, keys, and secrets. For more information about permissions or if you need to write more restrictive policies, see Details for the Vault Service.
If you're new to policies, see Getting Started with Policies and Common Policies.
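The key-usage authorizations described under Required IAM Policy can be checked before a key is attached to a resource. The following is an added example, not Oracle's code: a simplified Python check that reports which of those grants a set of policy statements is missing. The service principal prefixes are assumed from Oracle's Common Policies page, and the compartment, group, and region names in the sample are constructed placeholders.

```python
import re

# Simplified matcher for OCI policy statements; conditions ("where ...") and
# compartment inheritance are not modeled.
STMT = re.compile(
    r"^allow\s+(?P<kind>service|group|dynamic-group)\s+(?P<who>.+?)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)", re.I)
VERBS = ["inspect", "read", "use", "manage"]  # each verb includes the ones before it

# Service principal prefixes (assumption, taken from Oracle's Common Policies);
# the Object Storage and File Storage names carry a region or realm suffix.
SERVICE_PREFIX = {"volume": "blockstorage", "bucket": "objectstorage-",
                  "file system": "fss", "cluster": "oke", "stream pool": "streaming"}

def parse(statements):
    for s in statements:
        m = STMT.match(s.strip())
        if m:
            d = {k: v.lower() for k, v in m.groupdict().items()}
            d["who"] = [w.strip() for w in d["who"].split(",")]
            d["scope"] = " ".join(d["scope"].split())
            yield d

def granted(stmts, kind, verb, rtype, compartment, who_prefix=""):
    scopes = ["tenancy"] + ([f"compartment {compartment.lower()}"] if compartment else [])
    return any(
        s["kind"] == kind and s["rtype"] == rtype and s["scope"] in scopes
        and VERBS.index(s["verb"]) >= VERBS.index(verb)
        and any(w.startswith(who_prefix) for w in s["who"]) for s in stmts)

def missing_grants(statements, resource, compartment=None):
    stmts = list(parse(statements))
    if resource == "database":  # dynamic group of DB system nodes, tenancy-wide
        ok = granted(stmts, "dynamic-group", "manage", "keys", None)
        return [] if ok else ["dynamic group of DB system nodes: manage keys in tenancy"]
    gaps = []
    if not granted(stmts, "service", "use", "keys", compartment, SERVICE_PREFIX[resource]):
        gaps.append(f"service for {resource}: use keys")
    if not granted(stmts, "group", "use", "key-delegate", compartment):
        gaps.append("user group: use key-delegate")
    return gaps

# Constructed sample policy; every name here is a placeholder.
SAMPLE = [
    "Allow service blockstorage, objectstorage-us-ashburn-1 to use keys in compartment ABC",
    "Allow group SecurityAdmins to use key-delegate in compartment ABC",
    "Allow dynamic-group DbNodes to read keys in tenancy",
]
```

An empty list from `missing_grants` means both the service authorization and the user delegation were found for that resource type; the sample's dynamic-group statement grants only `read`, so the database check reports it as insufficient.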
You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring and Notifications.
For information about monitoring the traffic associated with your master encryption keys, see Monitoring Vault Resources.