Generating a Data Encryption Key from a Master Encryption Key
Learn how to generate a data encryption key from a master encryption key using the CLI or API.
- Ensure that when you create a data encryption key, the data encryption key has equal or greater encryption strength to that of the master encryption key used to create it.
- You can only use AES symmetric keys to generate data encryption keys. You can't generate data encryption keys using any other algorithm.
This task isn't available in the OCI Console.
Open a command prompt and run
oci kms crypto generate-data-encryption-keyto generate a data encryption key that you can then use to encrypt and decrypt data:oci kms crypto generate-data-encryption-key --key-id <master_encryption_key_OCID> --key-shape '{"algorithm":"AES", "length":<key_length>}' --include-plaintext-key <boolean_value> --endpoint <kms_vault_api_endpoint>For example:
oci kms crypto generate-data-encryption-key --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --key-shape '{"algorithm":"AES", "length":16}' --include-plaintext-key true --endpoint https://exampleaaacu3-crypto.kms.us-ashburn-1.oraclecloud.comFor a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
Use the GenerateDataEncryptionKey API with the Cryptographic Endpoint to generate a data encryption key.
Note
The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.
The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.
You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.
For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.