Set up an OCI Hold Your Own Key using Thales CipherTrust Manager without OCI API Gateway

Introduction

This tutorial provides step-by-step instructions to set up Hold Your Own Key (HYOK) with Thales CipherTrust Manager (CTM) without using the Oracle Cloud Infrastructure (OCI) API Gateway option. This approach allows you to control your encryption keys completely while enabling integration with OCI services that support external key management.


We will walk through the whole configuration, starting with reviewing the network architecture and setting up application integrations in OCI, then configuring the Thales CipherTrust Manager to communicate directly with Oracle Cloud Infrastructure External Key Management Service (OCI External Key Management Service) over a private endpoint. The tutorial also includes creating and registering identity providers, OCI tenancies, external vaults, and keys, as well as testing access to customer-managed object storage using these external keys.

By the end of this tutorial, you will have a fully operational HYOK setup, capable of encrypting and controlling access to OCI resources using externally managed keys hosted on your Thales CipherTrust Manager without the need for an intermediate OCI API Gateway.


Note: In this tutorial, the terms Thales CipherTrust Cloud Key Manager (CCKM) and Thales CipherTrust Manager (CTM) are used interchangeably. Both refer to the same product.

This tutorial builds upon the technical foundation established in the tutorial: Set Up Two Thales CipherTrust Cloud Key Manager Appliances in OCI, Create a Cluster between them, and Configure One as a Certificate Authority.

If you want to implement Hold Your Own Key (HYOK) using Thales CipherTrust Manager with the OCI API Gateway option, follow this tutorial: Set up OCI Hold Your Own Key using CipherTrust Manager with the OCI API Gateway.

Objectives


The following image illustrates the components and configuration set up across all the steps in this tutorial.


Task 1: Review the Cloud Network Architecture

Before we dive into the technical steps of configuring Hold Your Own Key (HYOK) with Thales CipherTrust Manager, it is essential to understand the cloud network architecture in which this setup resides.

In this scenario, three OCI regions are used:

Connectivity between the two simulated on-premises data centers is established using Remote Peering Connections (RPC). However, for this tutorial, the VPN setup, RPC configuration, and hub-and-spoke VCN architecture details are considered out of scope and will not be covered.

This tutorial focuses strictly on setting up HYOK using Thales CipherTrust Manager deployed in the Amsterdam (AMS) region, which is one of the simulated on-premises data centers. All key management operations will be performed from this Thales CipherTrust Manager instance.

The external key manager private endpoint enables OCI to communicate securely with the external Thales CipherTrust Manager and will be deployed in one of the spoke VCNs in the primary OCI region. This ensures a secure and direct communication path between OCI services and the external key manager without exposing the traffic to the public internet.

This architecture supports strong security and compliance postures for sensitive workloads in OCI by isolating the key management within a well-defined and secure network boundary.

The following image illustrates the complete architecture.


Task 2: Create a Confidential Resource Application, Associate Confidential Client Applications (Application Integrations), and Collect the Client IDs and Secrets in OCI

To enable HYOK integration with Thales CipherTrust Manager, you must establish trust between OCI and the external key manager.

This is done by registering two key components in OCI Identity and Access Management (OCI IAM): a Confidential Resource Application and a Confidential Client Application. These are essential to authenticate and authorize communication between OCI and Thales CipherTrust Manager.

This setup enables the Thales CipherTrust Manager to authenticate with OCI IAM through OAuth 2.0. The confidential client acts on behalf of the external key manager, while the confidential resource defines the scope of access and trust configuration. OCI cannot validate or securely communicate with the external key source without these components.

The following image illustrates the components and configuration setup in this step.


Note:

Task 3: Collect the Identity Domain URL from OCI

To enable OAuth-based communication between OCI and Thales CipherTrust Manager, you need to provide the Identity Domain URL during the configuration of the identity provider in Thales CipherTrust Manager.
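The token exchange that this Identity Domain URL feeds, as an added example that is not part of the Oracle tutorial or of the Thales product: the confidential client ID and secret from Task 2 are presented to the identity domain's OAuth 2.0 token endpoint using the client-credentials grant, which is what the identity provider configured in Thales CipherTrust Manager does on the external key manager's behalf. The `/oauth2/v1/token` path and the `urn:opc:idm:__myscopes__` scope are assumptions taken from OCI IAM identity-domain conventions; the domain URL, client ID and secret in the code are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Added example, not code from the Oracle tutorial or Thales CipherTrust Manager.
# Token endpoint path and default scope are assumed from OCI IAM identity-domain
# conventions; substitute the values from your own identity domain.
TOKEN_PATH = "/oauth2/v1/token"
DEFAULT_SCOPE = "urn:opc:idm:__myscopes__"


def build_token_request(domain_url, client_id, client_secret, scope=DEFAULT_SCOPE):
    """Return (url, headers, body) for a client_credentials token request.

    The client ID and secret travel in an HTTP Basic Authorization header,
    never in the URL or form body, so they do not end up in access logs.
    """
    if not domain_url.startswith("https://"):
        raise ValueError("identity domain URL must use https")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return domain_url.rstrip("/") + TOKEN_PATH, headers, body


def fetch_token(domain_url, client_id, client_secret, opener=urllib.request.urlopen):
    """POST the request to the identity domain and return the parsed JSON reply."""
    url, headers, body = build_token_request(domain_url, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with opener(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def token_summary(token_response):
    """Pick out the fields worth checking before trusting a token response."""
    return {
        "token_type": token_response.get("token_type"),
        "expires_in": token_response.get("expires_in"),
        "has_access_token": bool(token_response.get("access_token")),
    }


if __name__ == "__main__":
    # Constructed placeholder values; a real run needs your Task 2 and Task 3 values.
    url, headers, body = build_token_request(
        "https://idcs-EXAMPLE.identity.oraclecloud.com", "CLIENT_ID", "CLIENT_SECRET")
    print(url, headers["Content-Type"], body)
```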

Task 4: Create Identity Providers in Thales CipherTrust Manager

In this task, you will configure the Identity Provider in the Thales CipherTrust Manager. This setup allows Thales CipherTrust Manager to authenticate with OCI using the OAuth 2.0 credentials created in Task 3.

The following image illustrates the components and configuration setup in this task.


Task 5: Add OCI Tenancies in Thales CipherTrust Manager

After configuring the identity provider in Thales CipherTrust Manager, the next task is registering your OCI tenancy. This allows Thales CipherTrust Manager to manage external vaults and keys on behalf of your OCI environment using the previously configured OAuth credentials.

The following image illustrates the components and configuration set up in this task.


Task 6: Create a Private Endpoint for the External Key Manager Service in OCI

To securely connect OCI to the Thales CipherTrust Manager without exposing traffic to the public internet, you must create a Private Endpoint for the OCI External Key Management Service.

This ensures all communication between OCI and Thales CipherTrust Manager happens over a private, controlled network path.

Make sure the following prerequisites are met:

The following image illustrates the components and configuration setup in this task.


Task 7: Add External Vaults in Thales CipherTrust Manager

With the OCI tenancy and private endpoint in place, the next task is to add an External Vault in Thales CipherTrust Manager. An external vault in Thales CipherTrust Manager is a logical container that maps to the external key management vault in OCI, enabling the Thales CipherTrust Manager to manage keys used for HYOK encryption.

The following image illustrates the components and configuration setup in this task.


Once configured, this vault becomes the target location for storing external keys that OCI services will reference. It bridges your OCI environment and the CipherTrust-managed keys, enabling complete control over encryption operations in a HYOK model.

Task 8: Create an OCI External Key Management Service Vault

Now that the external vault has been defined in Thales CipherTrust Manager, the next task is to create a corresponding External Key Management Vault in the OCI Console.

This OCI vault will be linked to your Thales CipherTrust Manager and used by OCI services to perform encryption and decryption operations using external keys.

The following image illustrates the components and configuration setup in this task.


OCI will now connect to your Thales CipherTrust Manager using the specified private endpoint. Once this vault is active, it becomes the interface through which OCI interacts with external keys managed by CCKM—enabling HYOK support for OCI services like OCI Object Storage, OCI Block Volumes, and more. Later, we will perform some tests with OCI Object Storage.

Task 9: Add External Keys in Thales CipherTrust Manager

With the external vault set up in Thales CipherTrust Manager and linked to OCI, the next task is to create or import the external encryption keys that OCI will use for HYOK-enabled services.

These keys reside securely within the Thales CipherTrust Manager and are referenced by OCI through the external key management interface. Depending on your organizational requirements, you can generate a new key directly within Thales CipherTrust Manager or import an existing one.

The following image illustrates the components and configuration setup in this task.


Once added, the key becomes available to OCI through the external key management vault. However, to allow OCI services to use the key, you must create a key reference in the OCI Console, which we will cover in the next task.

Note:

Task 10: Create Key References in OCI

Once the external key has been created or imported into the Thales CipherTrust Manager, the next task is to create a key reference in the OCI Console. A key reference acts as a pointer that allows OCI services to access and use the external key stored in your Thales CipherTrust Manager through the external key management vault.

The following image illustrates the components and configuration setup in this task.


OCI will now associate this key reference with the external key managed in Thales CipherTrust Manager. This enables OCI services such as OCI Object Storage, OCI Block Volumes, and others to send cryptographic requests to the external key over the private endpoint, while the key material itself remains entirely under your control.

We will test the key reference immediately by attaching it to an OCI Object Storage bucket to verify that the integration is working as expected.

Task 11: Create an OCI Object Storage Bucket with Customer-Managed Keys

You can encrypt resources using the external key referenced in OCI. In this task, we will create an OCI Object Storage bucket that uses the external, customer-managed key hosted on the Thales CipherTrust Manager through the external key management vault.

This setup ensures that all objects stored in the bucket are encrypted using a key you fully control—meeting strict compliance, sovereignty, or internal policy requirements.

The following image illustrates the components and configuration setup in this task.


Once the bucket is created, all data stored in it will be encrypted using the external key managed by Thales CipherTrust Manager. This ensures that OCI relies on your key infrastructure for access and control, enabling complete Hold Your Own Key (HYOK) capabilities.

Suppose the external key becomes unavailable (for example, disabled or blocked in Thales CipherTrust Manager). In that case, access to the bucket and its contents will be denied—offering a powerful control point for your data security posture. This is something we will test in the next task.

Task 12: Block and Unblock Oracle Keys and Test the OCI Object Storage Bucket Accessibility in Thales CipherTrust Manager and OCI

One of the key benefits of the Hold Your Own Key (HYOK) model is the ability to retain complete operational control over your encryption keys, including the power to block or unblock them at any time. This task demonstrates how to use Thales CipherTrust Manager to control access to an OCI Object Storage bucket by blocking or unblocking the external key.

Blocking a key effectively restricts access to any OCI resource encrypted with that key without deleting the key or the data. Unblocking restores access.


Now, let’s unblock the key in Thales CipherTrust Manager again.

The diagram below illustrates the components and configuration setup in this task.


This capability provides a powerful mechanism for emergency response, regulatory compliance, and data sovereignty enforcement—ensuring you maintain complete control over when and how your data is accessible in OCI.

Next Steps

In this tutorial, we completed setting up OCI Hold Your Own Key using Thales CipherTrust Manager without relying on the OCI API Gateway option. By following the steps, from configuring identity integrations and networking to deploying external vaults and keys, you have enabled a secure and compliant key management architecture in which you maintain complete control over your encryption keys.

This setup ensures that OCI services like OCI Object Storage use your externally managed keys for encryption operations while the key material remains entirely under your governance. You have also seen how powerful HYOK can be, with the ability to block and unblock access to cloud resources simply by toggling key status within Thales CipherTrust Manager.

By not using the OCI API Gateway, you have simplified the architecture while still enforcing a firm security boundary through private networking and OAuth-based identity trust.

You now have a production-ready HYOK implementation that supports enterprise security policies, regulatory compliance, and data sovereignty requirements, putting you in complete control of your cloud encryption strategy.

Acknowledgments
