Set up an OCI Hold Your Own Key using Thales CipherTrust Manager without OCI API Gateway
Introduction
This tutorial provides step-by-step instructions to set up Hold Your Own Key (HYOK) with Thales CipherTrust Manager (CTM) without using the Oracle Cloud Infrastructure (OCI) API Gateway option. This approach allows you to control your encryption keys completely while enabling integration with OCI services that support external key management.
We will walk through the whole configuration, starting with reviewing the network architecture and setting up application integrations in OCI, then configuring the Thales CipherTrust Manager to communicate directly with Oracle Cloud Infrastructure External Key Management Service (OCI External Key Management Service) over a private endpoint. The tutorial also includes creating and registering identity providers, OCI tenancies, external vaults, and keys, as well as testing access to customer-managed object storage using these external keys.
By the end of this tutorial, you will have a fully operational HYOK setup, capable of encrypting and controlling access to OCI resources using externally managed keys hosted on your Thales CipherTrust Manager without the need for an intermediate OCI API Gateway.
Note: In this tutorial, the terms Thales CipherTrust Cloud Key Manager (CCKM) and Thales CipherTrust Manager (CTM) are used interchangeably. Both refer to the same product.
This tutorial builds upon the technical foundation established in the tutorial: Set Up Two Thales CipherTrust Cloud Key Manager Appliances in OCI, Create a Cluster between them, and Configure One as a Certificate Authority.
If you want to implement Hold Your Own Key (HYOK) using Thales CipherTrust Manager with OCI API Gateway option, follow this tutorial: Set up OCI Hold Your Own Key using CipherTrust Manager with the OCI API Gateway.
Objectives
- Task 1: Review the cloud network architecture.
- Task 2: Create a confidential resource app and associated confidential client applications (application integrations) and collect the client and secrets in OCI.
- Task 3: Collect the identity domain URL from OCI.
- Task 4: Create identity providers in Thales CipherTrust Manager.
- Task 5: Add Oracle tenancies in Thales CipherTrust Manager.
- Task 6: Create a private endpoint for the OCI External Key Manager Service.
- Task 7: Add external vaults in Thales CipherTrust Manager.
- Task 8: Create an OCI External Key Management Service vault.
- Task 9: Add external keys in Thales CipherTrust Manager.
- Task 10: Create key references in OCI.
- Task 11: Create an OCI Object Storage bucket with customer-managed keys.
- Task 12: Block and unblock Oracle keys and testing the object storage bucket accessibility in Thales CipherTrust Manager and OCI.
The following image illustrates the components and configuration set up all the steps in this tutorial.
Task 1: Review the Cloud Network Architecture
Before we dive into the technical steps of configuring Hold Your Own Key (HYOK) with Thales CipherTrust Manager, it is essential to understand the cloud network architecture in which this setup resides.
In this scenario, three OCI regions are used:
- Two OCI regions simulate on-premises data centers. These regions are connected to OCI through VPN tunnels, representing hybrid environments.
- The third OCI region represents the primary OCI environment and follows a hub-and-spoke Virtual Cloud Network (VCN) architecture. In this design:
- The hub VCN hosts shared network services such as firewalls.
- Multiple spoke VCNs connect to the hub and host various workloads.
Connectivity between the two simulated on-premises data centers is established using Remote Peering Connections (RPC). However, for this tutorial, the VPN setup, RPC configuration, and hub-and-spoke VCN architecture details are considered out of scope and will not be covered.
-
To set up VPN connections to OCI where a data centre is simulated, see Set up an Oracle Cloud Infrastructure Site-to-Site VPN with Static Routing Between two OCI Regions.
-
To set up RPC connections between OCI regions, see Set up RPC Connection between Two Tenants and their Dynamic Routing Gateways.
-
To set up an OCI hub and spoke VNC network architecture, see Route Hub and Spoke VCN with pfSense Firewall in the Hub VCN.
This tutorial focuses strictly on setting up HYOK using Thales CipherTrust Manager deployed in the Amsterdam (AMS) region, which is one of the simulated on-premises data centers. All key management operations will be performed from this Thales CipherTrust Manager instance.
The external key manager private enables OCI to communicate securely with the external Thales CipherTrust Manager and will be deployed in one of the spoke VCNs in the primary OCI region. This ensures a secure and direct communication path between OCI services and the external key manager without exposing the traffic to the public internet.
This architecture supports strong security and compliance postures for sensitive workloads in OCI by isolating the key management within a well-defined and secure network boundary.
The following image illustrates the complete architecture.
Task 2: Create a Confidential Resource Application and Associating Confidential Client Applications (Application Integrations) and Collect the Client and Secrets in OCI
To enable HYOK integration with Thales CipherTrust Manager, you must establish trust between OCI and the external key manager.
This is done by registering two key components in OCI Identity and Access Management (OCI IAM): a Confidential Resource Application and a Confidential Client Application. These are essential to authenticate and authorize communication between OCI and Thales CipherTrust Manager.
This setup enables the Thales CipherTrust Manager to authenticate with OCI IAM through OAuth 2.0. The confidential client acts on behalf of the external key manager, while the confidential resource defines the scope of access and trust configuration. OCI cannot validate or securely communicate with the external key source without these components.
The following image illustrates the components and configuration setup in this step.
-
Log in to the OCI Console, navigate to Identity & Security and click Domains.
-
Click the domain that you want to use for the authentication.
-
Click Integrated applications and Add application.
-
Select Confidential Application and click Launch workflow.
-
Enter application Name (
Resource_App
) and click Next. -
In the Resource Server configuration section, enter the following information.
- Select Configure this application as a resource server now.
- In Primary audience, enter
https://10.222.10.111/
(The IP address of the AMS CTM1 server).
-
In Add Scope, enter the following information.
- Select Add scopes.
- Click Add.
- In Scope, enter
oci_ekms
. - Click Add.
-
Notice the added scope
oci_ekms
and scroll down. -
In the Client configuration section, enter the following information.
- Select Configure this application as a client now.
- Select Client credentials.
- Click Next.
-
Click Skip and do later to skip the web tier policy creation and click Finish.
-
Go to the Integrated applications page.
- Notice that the
Resource_App
integration application is created. - Select the
Resource_App
integration application. - Click the Actions drop-down menu.
- Click Activate.
- Notice that the
-
Click Activate application.
-
Click the
Resource_App
integration application. -
Scroll down.
-
Copy the Client ID and store this on a notepad. Click Show secret to show the Client secret.
-
Click Copy to copy the Client secret and store this on a notepad. Click Close.
-
Click Add application.
-
Select Confidential Application and click Launch workflow.
-
Enter the application Name (
Client_App
) and click Next. -
In Resource Server configuration, select Skip for later.
-
In Client configuration, enter the following information.
- Select Configure this application as a client now.
- Select Client credentials.
- Scroll down.
-
In Add Scope, enter the following information.
- Select Add resources.
- Select Add scopes.
- In Scope, enter
Resource_App
. - Click Add.
-
Notice the added resource
Resource_App
and click Next. -
Click Skip and do later to skip the web tier policy creation and click Finish.
-
Go to the Integrated applications page.
- Notice that the
Client_App
integration application is created. - Select the
Client_App
integration application. - Click the Actions drop-down menu.
- Click Activate.
- Notice that the
-
Click Activate application.
-
Click the
Client_App
integration application. -
Scroll down.
-
Copy the Client ID and store this on a notepad. Click Show secret to show the Client secret.
-
Click Copy to copy the Client secret and store this on a notepad. Click Close.
Note:
- You have collected the
Resource_App
andClient_App
client IDs and client secrets.- Do not mix these two and configure them in the appropriate places.
Task 3: Collect the Identity Domain URL from OCI
To enable OAuth-based communication between OCI and Thales CipherTrust Manager, you need to provide the Identity Domain URL during the configuration of the identity provider in Thales CipherTrust Manager.
-
Go to the OCI Console, navigate to Identity & Security and click Domains.
-
Select the Identity Domain where your confidential applications were created.
-
In the domain details page, click Copy to copy Domain URL and store this on a notepad.
Task 4: Create Identity Providers in Thales CipherTrust Manager
In this task, you will configure the Identity Provider in the Thales CipherTrust Manager. This setup allows Thales CipherTrust Manager to authenticate with OCI using the OAuth 2.0 credentials created in Task 3.
The following image illustrates the components and configuration setup in this task.
-
In Thales CipherTrust Manager, go to the CTM1 in AMS and click Products and Cloud Key Manager.
-
Click KMS Containers, Oracle Vaults, select External Vaults and click Add Identity Provider.
-
In Add Identity Provider, enter the following information and click Add.
- Enter Name (
OCI
). - Select OpenID Configuration URL as the Provider Verifier.
- Enter OpenID Configuration URL, the domain URL copied in Task 3.
- Add the following suffix to the URL:
.well-known/openid-configuration
. So the full OpenID Configuration URL will be:https://idcs-<xxx>.identity.oraclecloud.com:443/.well-known/openid-configuration
.
- Add the following suffix to the URL:
- Select jwks Protected URL.
- Enter Client ID and Client Secret of the
Resource_App
integrated application.
- Enter Name (
-
Notice that the Identity Provider is created.
Task 5: Add OCI Tenancies in Thales CipherTrust Manager
After configuring the identity provider in Thales CipherTrust Manager, the next task is registering your OCI tenancy. This allows Thales CipherTrust Manager to manage external vaults and keys on behalf of your OCI environment using the previously configured OAuth credentials.
The following image illustrates the components and configuration set up in this task.
-
First, we must get the tenant’s name and OCID from OCI. Click your profile in the upper-right corner and click Tenancy.
-
Copy the tenant’s name and the tenant’s OCID and store both on a notepad.
-
Go to the Thales Cloud Key Manager Console.
- Click KMS Containers.
- Click Oracle Vaults.
- Click Tenancy.
- Click Add Tenancy.
-
In Add tenancy, enter the following information.
- Select Oracle Tenancy (no connection) as the method.
- Enter the Name of the tenancy collected from OCI.
- Enter the Tenancy OCID collected from OCI.
- Click Add.
-
Notice that the OCI tenant is added to the Thales CipherTrust Manager.
Task 6: Create a Private Endpoint for the External Key Manager Service in OCI
To securely connect OCI to the Thales CipherTrust Manager without exposing traffic to the public internet, you must create a Private Endpoint for the OCI External Key Management Service.
This ensures all communication between OCI and Thales CipherTrust Manager happens over a private, controlled network path.
Make sure the following prerequisites are met:
- The Thales CipherTrust Manager must be reachable from OCI through your private network setup. For example, through VPN.
- Ensure the subnet has routing and security rules allowing traffic to the Thales CipherTrust Manager instance.
The following image illustrates the components and configuration setup in this task.
-
In the OCI Console, navigate to Identity & Security and click Private Endpoints.
-
Go to Private Endpoints and click Create Private Endpoint.
-
In Create Private Endpoint, enter the following information.
- Enter private endpoint Name (
Private-Endpoint-For-Vault
). - Select a VCN and Subnet where this private endpoint needs to be in.
- Enter Private IP address of the External Key Manager as
10.222.10.111
The IP address of the AMS CTM1 server. - Enter Port as
443
. - Upload the External Key Management CA bundle and click Browse.
- Enter private endpoint Name (
-
We have selected the full chain certificate that was created in this tutorial: Set Up Two Thales CipherTrust Cloud Key Manager Appliances in OCI, Create a Cluster between them, and Configure One as a Certificate Authority, but you can also only select the CA Root certificate. Click Open.
-
Make sure the certificate, the root CA, or the full chain certificates of the Thales CipherTrust Manager is selected. Click Create.
-
Note that the Private Endpoint is created. Now, click the private endpoint.
-
Notice that the IP address of the private endpoint is configured.
Task 7: Add External Vaults in Thales CipherTrust Manager
With the OCI tenancy and private endpoint in place, the next task is to add an External Vault in Thales CipherTrust Manager. An external vault in Thales CipherTrust Manager is a logical container that maps to the external key management vault in OCI, enabling the Thales CipherTrust Manager to manage keys used for HYOK encryption.
The following image illustrates the components and configuration setup in this task.
-
Go to the Thales Cloud key Manager Console.
- Click KMS Containers.
- Click Oracle Vaults.
- Select External Vaults.
- Click Add External Vault.
-
In Add External Vault, enter the following information.
- Enter Name (
OCI
). - Select Oracle Tenancy (no connection) as the Methods.
- Select the Tenancy create in Task 5.
- Select the Issuer, the identity provider created in Task 4.
- Scroll down.
- Enter Client ID of the
Client_App
integrated application. - Enter the Endpoint URL Hostname as
10.222.10.111
, the IP address of the AMS CTM1 server. - Enter Port as
443
. - Click Add.
- Enter Name (
-
Notice that the external vault is configured. Copy the external vault URL and store this on a notepad.
Once configured, this vault becomes the target location for storing external keys that OCI services will reference. It bridges your OCI environment and the CipherTrust-managed keys, enabling complete control over encryption operations in a HYOK model.
Task 8: Create an OCI External Key Management Service Vault
Now that the external vault has been defined in Thales CipherTrust Manager, the next task is to create a corresponding External Key Management Vault in the OCI Console.
This OCI vault will be linked to your Thales CipherTrust Manager and used by OCI services to perform encryption and decryption operations using external keys.
The following image illustrates the components and configuration setup in this task.
-
Retrieve the Domain URL from Task 3, you will need this to configure the external key vault in OCI.
-
In the OCI Console, go to Identity & Security and click External Key Management.
-
Click Create Vault.
-
In Create Vault, enter the following information.
- Enter Name (
OCI_EKMS_Vault
). - Enter IDCS Account Name URL, the domain URL copied from Task 7. So the full URL will be:
https://idcs-<xxx>.identity.oraclecloud.com:443/
. - Enter Client ID and Client Application Secret of the
Client_App
integrated application. - Scroll down.
- Select the Private Endpoint created in Task 6.
- Enter the external vault URL copied from Task 7 when we created the external vault on CTM1.
- Click Create Vault.
- Enter Name (
-
Note that the vault has been created. Now, click the vault.
-
Review the Vault Details.
OCI will now connect to your Thales CipherTrust Manager using the specified private endpoint. Once this vault is active, it becomes the interface through which OCI interacts with external keys managed by CCKM—enabling HYOK support for OCI services like OCI Object Storage, OCI Block Volumes, and more. Later, we will perform some tests with OCI Object Storage.
Task 9: Add External Keys in Thales CipherTrust Manager
With the external vault set up in Thales CipherTrust Manager and linked to OCI, the next task is to create or import the external encryption keys that OCI will use for HYOK-enabled services.
These keys reside securely within the Thales CipherTrust Manager and are referenced by OCI through the external key management interface. Depending on your organizational requirements, you can generate a new key directly within Thales CipherTrust Manager or import an existing one.
The following image illustrates the components and configuration setup in this task.
-
Go to the Thales Cloud Key Manager Console.
- Click Cloud Keys.
- Click Oracle.
- Click Add Key.
-
In Add Oracle Key, enter the following information.
- Select Oracle External (HYOK).
- Select the Thales CipherTrust Manager Vault created in Task 8.
- Select the Source to be CipherTrust (Local).
- Click Next.
-
In Source Key. enter the following information.
- Select the Source Key Material to be Create New Key.
- Enter the key Name (
CM_Key
). - Click Next.
-
In Configure Oracle Key, enter the following information.
- Enter Oracle Key Name (
CM_Key
). - Click Next.
- Enter Oracle Key Name (
-
Click Add Key.
-
Click Close.
-
Note the created key.
Once added, the key becomes available to OCI through the external key management vault. However, to allow OCI services to use the key, you must create a key reference in the OCI Console, which we will cover in the next task.
Note:
- These keys never leave the Thales CipherTrust Manager.
- OCI only sends encryption/decryption requests to the external key manager, ensuring you always maintain full control over key material.
Task 10: Create Key References in OCI
Once the external key has been created or imported into the Thales CipherTrust Manager, the next task is to create a key reference in the OCI Console. A key reference acts as a pointer that allows OCI services to access and use the external key stored in your Thales CipherTrust Manager through the external key management vault.
The following image illustrates the components and configuration setup in this task.
-
Go to the Thales Cloud Key Manager Console.
- Click Cloud Keys.
- Click Oracle.
- Click Key created in Task 9.
-
Note that the key will have an External Key ID, copy this ID.
-
Return to the vault in OCI created in Task 9 and click the vault.
-
Scroll down.
-
Click Create Key Reference.
-
In Create Key Reference, enter the following information.
- Enter Name (
OCI_Key_Reference
). - Enter the copied External Key ID (Thales CipherTrust Manager) key.
- Click Create Key Reference.
- Enter Name (
-
Note that the key reference has been created.
OCI will now associate this key reference with the external key managed in Thales CipherTrust Manager. This enables OCI services such as OCI Object Storage, OCI Block Volumes, and others to send cryptographic requests to the external key over the private endpoint. In contrast, the key material itself remains entirely under your control.
We will test the key reference immediately by attaching it to an OCI Object Storage bucket to verify that the integration is working as expected.
Task 11: Create an OCI Object Storage Bucket with Customer-Managed Keys
You can encrypt resources using the external key referenced in OCI. In this task, we will create an OCI Object Storage bucket that uses the external, customer-managed key hosted on the Thales CipherTrust Manager through the external key management vault.
This setup ensures that all objects stored in the bucket are encrypted using a key you fully control—meeting strict compliance, sovereignty, or internal policy requirements.
The following image illustrates the components and configuration setup in this task.
-
Go to the OCI Console, navigate to Storage and click Buckets.
-
Click Create Bucket.
-
In Create Bucket, enter the following information.
- Enter Name (
OCI_EKMS_Test_Bucket
). - Scroll down.
- In Encryption, select Encrypt using customer-managed keys.
- In Vault, select your External Key Management Vault create in Task 8.
- In Key, select key reference created in Task 10.
- Click Create.
- Enter Name (
-
Note that the bucket is created. Click the bucket.
-
You can scroll down to upload files or leave them empty.
-
Navigate to the home screen of the OCI console or any other page.
Once the bucket is created, all data stored in it will be encrypted using the external key managed by Thales CipherTrust Manager. This ensures that OCI relies on your key infrastructure for access and control, enabling complete Hold Your Own Key (HYOK) capabilities.
Suppose the external key becomes unavailable (for example, disabled or blocked in Thales CipherTrust Manager). In that case, access to the bucket and its contents will be denied—offering a powerful control point for your data security posture. This is something we will test in the next task.
Task 12: Block and Unblock Oracle Keys and Test the OCI Object Storage Bucket Accessibility in Thales CipherTrust Manager and OCI
One of the key benefits of the Hold Your Own Key (HYOK) model is the ability to retain complete operational control over your encryption keys including the power to block or unblock them at any time. This section demonstrates how to use Thales CipherTrust Manager to control access to an Oracle-managed object storage bucket by blocking or unblocking the external key.
Blocking a key effectively restricts access to any OCI resource encrypted with that key without deleting the key or the data. Unblocking restores access.
-
Go to the Thales Cloud Key Manager Console.
- Click Cloud Keys.
- Click Oracle.
- Click the three dots at the end of the Key.
- Select Block.
-
Select Block.
-
Note that the key is now Blocked in the Thales CipherTrust Manager.
-
Go to the OCI Console, navigate to Storage and click Buckets.
-
Click the bucket created in Task 11.
-
Note that you will now have an error and cannot access the bucket or any file uploaded in the bucket.
Now, let’s unblock the key in Thales CipherTrust Manager again.
The diagram below illustrates the components and configuration setup in this task.
-
Go to the Thales Cloud Key Manager Console.
- Click Cloud Keys.
- Click Oracle.
- Click the three dots at the end of the key.
- Select Unblock.
-
Select Unblock.
-
Note that the key is now unblocked in the Thales CipherTrust Manager.
-
Navigate back to the Bucket Details page, or refresh the browser if you are still on that page.
-
Note that you cannot re-access the OCI Object Storage bucket when unblocked.
This capability provides a powerful mechanism for emergency response, regulatory compliance, and data sovereignty enforcement—ensuring you maintain complete control over when and how your data is accessible in OCI.
Next Steps
In this tutorial, we completed setting up OCI Hold Your Own Key using Thales CipherTrust Manager without relying on the OCI API Gateway option. By following the steps from configuring identity integrations and networking to deploying external vaults and keys you have enabled a secure and compliant key management architecture where you maintain complete control over your encryption keys.
This setup ensures that OCI services like OCI Object Storage use your externally managed keys for encryption operations while the key material remains entirely under your governance. You have also seen how powerful HYOK can be, with the ability to block and unblock access to cloud resources simply by toggling key status within Thales CipherTrust Manager.
By not using the OCI API Gateway, you have simplified the architecture while still enforcing a firm security boundary through private networking and OAuth-based identity trust.
You now have a production ready HYOK implementation that supports enterprise security policies, regulatory compliance, and data sovereignty requirements, putting you in complete control of your cloud encryption strategy.
Related Links
Acknowledgments
- Author - Iwan Hoogendoorn (Cloud Networking Black Belt)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Set up an OCI Hold Your Own Key using Thales CipherTrust Manager without OCI API Gateway
G37924-01
Copyright ©2025, Oracle and/or its affiliates.