[Audio] OCI Vault – Key Management Service: Protect your data using customer-managed keys. Hi Gsc.
[Audio] This is the first page.
[Audio] Agenda: Introduction to OCI Vault (KMS).
[Audio] Introduction to OCI Vault.
[Audio] OCI Vault (1/2). Oracle Cloud Infrastructure Vault is a managed service that lets you centrally manage the encryption keys that protect your data and the secret credentials that you use to securely access resources. Vaults securely store master encryption keys and secrets that you might otherwise store in configuration files or in code. The Vault service lets you create and manage the following resources: Vaults, Keys and Secrets. Diagram labels: HSM protected; Master Encryption Keys; Native OCI Storage; Database; Image signing; Secrets.
[Audio] OCI Vault (2/2). Centralized and customer-controlled key management. Natively integrated with many OCI services: OCI-native storage, DBaaS (ADB-D, ExaCS), OKE and Streams. Fully managed and highly available service: 99.9% availability SLA and 99.99% SLO. Supports regulatory compliance: meets the PCI DSS and FIPS 140-2 Level 3 standards for cryptographic processing.
[Audio] OCI Encryption Portfolio, from simple control to more control. Oracle-managed encryption: the default; no access to or control over keys. Customer-managed encryption (KMS Vault): the customer controls and manages keys on multi-tenant HSMs. Customer-managed encryption (KMS – Virtual Private Vault): the customer controls and manages keys on single-tenant HSMs. Customer-managed encryption (external keys, *future): the customer controls and manages keys on on-premises HSMs.
[Audio] Key Management Vault types. KMS Vault (multi-tenant HSM): software keys or HSM keys; keys are hosted on a shared HSM partition; multi-tenant HSM with moderate isolation, so throughput depends on the number of tenants; customers get 10 Vaults by default; supports up to 3000 key versions per Vault. Virtual Private Vault (single-tenant HSM): HSM keys or software keys; keys are hosted on a dedicated HSM partition; single-tenant HSM with higher isolation and cryptographic throughput of ~3K to 5K TPS for AES; supports a large number of key versions with no hard limit; customers must request Virtual Private Vault limits.
[Audio] KMS Capabilities (1/2). Supports both symmetric and asymmetric encryption as well as sign/verify use cases: AES-GCM, RSA and ECDSA. Flexibility to create your [Master Encryption] key as HSM-protected or software-protected. HSM (default): keys are stored and processed within the HSM. Software keys are stored and processed in server memory but encrypted at rest with an HSM key. Bring your own key (BYOK) to manage and protect your data in OCI. Meet your compliance and DR needs: key rotation, auditing, cross-region replication and backup/restore. Centralized key management for most of your OCI services: DBaaS TDE (ADB-D, ExaCS), Block Volumes, File Storage, Object Storage and others. Audits all key management activity. Soft-delete for Vaults (minimum of 7 days).
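Key versions and rotation, as an added worked example rather than code from the slides or from OCI: a local stand-in key type (an assumption, named VersionedKey here) whose Rotate adds a version, whose Encrypt always uses the newest version and records it in the ciphertext header, and whose Decrypt reads that header back, so data encrypted before a rotation still decrypts while a header naming an unknown version is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceSize = 12 // standard AES-GCM nonce length
// VersionedKey is a local stand-in for one master encryption key and its key
// versions (an illustration assumption, not OCI's code): Rotate appends a version,
// Encrypt uses the newest, and each ciphertext records the version it used.
type VersionedKey struct{ versions [][]byte }

// Rotate adds a fresh 256-bit AES key version and returns its version number.
func (k *VersionedKey) Rotate() int {
	v := make([]byte, 32)
	rand.Read(v) // crypto/rand.Read aborts on entropy failure rather than erroring
	k.versions = append(k.versions, v)
	return len(k.versions) - 1
}

func (k *VersionedKey) aead(v int) cipher.AEAD {
	block, _ := aes.NewCipher(k.versions[v]) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)             // AES block cipher: cannot fail
	return g
}

// Encrypt seals plaintext under the current version as version byte || nonce ||
// ciphertext+tag, binding the version byte as AAD (the byte caps this model at 256 versions).
func (k *VersionedKey) Encrypt(plaintext []byte) ([]byte, error) {
	cur := len(k.versions) - 1
	if cur < 0 {
		return nil, errors.New("key has no versions yet")
	}
	nonce := make([]byte, nonceSize)
	rand.Read(nonce) // fresh nonce per ciphertext
	hdr := append([]byte{byte(cur)}, nonce...)
	return k.aead(cur).Seal(hdr, nonce, plaintext, hdr[:1]), nil
}

// Decrypt uses the version named in the header, so ciphertexts made before a
// later rotation still open; a header naming no version is rejected up front.
func (k *VersionedKey) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < 1+nonceSize || int(ct[0]) >= len(k.versions) {
		return nil, errors.New("ciphertext too short or unknown key version")
	}
	return k.aead(int(ct[0])).Open(nil, ct[1:1+nonceSize], ct[1+nonceSize:], ct[:1])
}
```

The same header-carries-the-version idea is what lets a service keep old key versions available for decryption while new writes move to the rotated version.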
[Audio] OCI Vault Options. Feature comparison of 'Private' Vault versus Standard Vault: HSM isolation; processing cost $$$$ versus $; billing metric Vault/Hour versus Key Version.
[Audio] Key Management pricing and FAQs: oracle. FAQ: oracle.
[Audio] Thank you.
[Audio] Resources. KMS technical documentation: oracle. Software-protected keys: oracle. ExaCS with KMS: oracle. ADB-D with KMS demo: oracle. Asymmetric encryption: oracle. Cross-region replication (CRR) for keys: oracle.