LAB 23 (Vault Use in OCI Compute) - arunsinghchauhan38-arch/CLOUDARCHITECTDOC GitHub Wiki

Vault Use in OCI Compute

Vault in OCI Compute refers to deploying Oracle Key Vault on Oracle Cloud Infrastructure (OCI) VM instances, enabling secure, scalable, and flexible key management for databases and applications hosted in OCI. It provides encryption key lifecycle management, cluster deployments, and hybrid setups across on-premises and cloud environments.

🔑 What is Oracle Key Vault in OCI Compute?

  • Oracle Key Vault (OKV) is Oracle’s centralized key management solution.

  • In OCI Compute, it is deployed as a VM instance from the Oracle Cloud Marketplace.

  • It manages encryption keys, secrets, and credentials for OCI-based databases and applications.

🚀 Benefits of Using Vault in OCI Compute

  • Quick Deployment: Launch directly from Oracle Cloud Marketplace without hardware procurement.

  • Scalability: Supports standalone, clustered, and hybrid deployments (cloud + on-premises).

  • Flexibility: Same look and feel as on-premises OKV, but cloud-native.

  • Security: Centralized key lifecycle management (generation, rotation, expiration).

  • Integration: Works seamlessly with Oracle Database Transparent Data Encryption (TDE) and other OCI services.

Steps to Create a Vault

1. Go to Identity & Security and click on Vault under Key Management.

2. Select the compartment Hub_Compute_and_storage_compartment and click on Create Vault.

3. Give the vault a name and click on Create Vault.

Note: In the Create Vault dialog, an option named "Make it a virtual private vault" is available to make the vault a virtual private vault. A virtual private vault also works in other regions as well as in the same region.

Steps to Create an Encryption Key in the Vault

1. Go to the created vault "Test_vault", click on "Master encryption keys", and then click on "Create key".

2. In Protection Mode select "Software"; in Key Shape: Algorithm select "AES (Symmetric key used for Encrypt and Decrypt)"; in Key Shape: Length select 256 bits; then click on Create.
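The console choices above (algorithm, length in bits, protection mode) map onto the OCI Vault CreateKey API, where the key shape is expressed differently: the length is given in bytes (the 256-bit console choice becomes 32) and ECDSA keys additionally carry a curve identifier. The Go program below is an added example written for this page, not code from this wiki or from Oracle's SDK; it converts the console's bits-based choice into that key-shape object and rejects sizes the service does not offer. The JSON field names (`keyShape`, `algorithm`, `length`, `curveId`, `protectionMode`, `compartmentId`, `displayName`) are assumed from the OCI Vault API reference, and the compartment OCID is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// KeyShape is the keyShape object of the OCI Vault CreateKey request (field
// names assumed from the OCI API reference). Unlike the console, the API takes
// the key length in BYTES, and ECDSA keys name their curve explicitly.
type KeyShape struct {
	Algorithm string `json:"algorithm"`
	Length    int    `json:"length"`
	CurveID   string `json:"curveId,omitempty"`
}

// CreateKeyRequest holds the subset of CreateKey fields used in this example.
type CreateKeyRequest struct {
	CompartmentID  string   `json:"compartmentId"`
	DisplayName    string   `json:"displayName"`
	KeyShape       KeyShape `json:"keyShape"`
	ProtectionMode string   `json:"protectionMode"` // "SOFTWARE" or "HSM"
}

// Sizes offered in the console, in bits, per algorithm (as listed on this page).
var allowedBits = map[string][]int{
	"AES":   {128, 192, 256},
	"RSA":   {2048, 3072, 4096},
	"ECDSA": {256, 384, 521},
}

// NIST curve identifiers the API uses for each ECDSA size.
var curveIDs = map[int]string{256: "NIST_P256", 384: "NIST_P384", 521: "NIST_P521"}

// BuildKeyShape turns the console choice (algorithm + size in bits) into the
// API key shape, converting bits to bytes and rejecting unsupported sizes.
func BuildKeyShape(algorithm string, bits int) (KeyShape, error) {
	alg := strings.ToUpper(algorithm)
	sizes, ok := allowedBits[alg]
	if !ok {
		return KeyShape{}, fmt.Errorf("unsupported algorithm %q", algorithm)
	}
	supported := false
	for _, s := range sizes {
		if s == bits {
			supported = true
		}
	}
	if !supported {
		return KeyShape{}, fmt.Errorf("%s does not support a %d-bit key (allowed: %v)", alg, bits, sizes)
	}
	shape := KeyShape{Algorithm: alg, Length: (bits + 7) / 8} // 521 bits -> 66 bytes
	if alg == "ECDSA" {
		shape.CurveID = curveIDs[bits]
	}
	return shape, nil
}

// BuildCreateKeyRequest assembles the JSON body for CreateKey; the protection
// mode must be one of the two modes the service offers.
func BuildCreateKeyRequest(compartmentID, name, algorithm string, bits int, mode string) ([]byte, error) {
	shape, err := BuildKeyShape(algorithm, bits)
	if err != nil {
		return nil, err
	}
	m := strings.ToUpper(mode)
	if m != "SOFTWARE" && m != "HSM" {
		return nil, fmt.Errorf("protection mode must be SOFTWARE or HSM, got %q", mode)
	}
	return json.Marshal(CreateKeyRequest{
		CompartmentID:  compartmentID,
		DisplayName:    name,
		KeyShape:       shape,
		ProtectionMode: m,
	})
}

func main() {
	// Placeholder OCID: substitute the compartment OCID shown in the console.
	body, err := BuildCreateKeyRequest("ocid1.compartment.oc1..PLACEHOLDER", "Test_key", "AES", 256, "Software")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```

The resulting body is what a CreateKey call sends to the vault's management endpoint; the same bits-to-bytes conversion is the usual stumbling block when moving from the console walkthrough to scripted key creation.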

🔑 Key Protection Modes in OCI Vault

1. Software-Protected Keys

Storage: Keys are protected using software within OCI Vault.

Security Boundary: Relies on OCI’s operating system and application-level protections.

Performance: Lower cost, easier to provision, suitable for dev/test workloads.

Compliance: Not FIPS-certified; best for non-critical or non-regulated workloads.

Use Cases:

  • Development and testing environments

  • Applications with moderate security needs

  • Cost-sensitive projects

2. HSM-Protected Keys

Storage: Keys are generated and stored inside FIPS 140-2 Level 3 certified HSMs.

Security Boundary: Keys never leave the HSM in plaintext; all cryptographic operations happen inside the hardware.

Tamper Resistance: Physical protections against intrusion or tampering.

Compliance: Meets strict regulatory requirements (finance, healthcare, government).

Performance: Hardware acceleration for cryptographic operations.

Use Cases:

  • Production workloads with sensitive data

  • Compliance-driven industries

  • Applications requiring strong root of trust (SSL/TLS, code signing, payment systems)

Comparison Table

OCI Key Shape Algorithms

In Oracle Cloud Infrastructure (OCI), every key in OCI Vault has a key shape — a combination of algorithm and length that defines how cryptographic operations are performed. Understanding these shapes is essential for designing secure and compliant cloud architectures.

1. AES (Advanced Encryption Standard)

Type: Symmetric encryption

Lengths: 128, 192, 256 bits

Use Cases:

  • Encrypting data at rest (Object Storage, Block Volumes, Databases)

  • Fast, efficient encryption/decryption

Notes:

  • Keys are used for both encryption and decryption.

  • AES-256 is recommended for high-security workloads.

2. RSA (Rivest–Shamir–Adleman)

Type: Asymmetric encryption

Lengths: 2048, 3072, 4096 bits

Use Cases:

  • Encrypting small data (e.g., symmetric keys)

  • Digital signatures and certificate management

Notes:

  • Public key encrypts; private key decrypts.

  • Larger key sizes increase security but reduce performance.

3. ECDSA (Elliptic Curve Digital Signature Algorithm)

Type: Asymmetric (elliptic curve)

Curves Supported: P-256, P-384, P-521

Use Cases:

  • Digital signatures

  • Lightweight cryptography for mobile and IoT

Notes:

  • Provides strong security with smaller key sizes.

  • Ideal for performance-sensitive applications.
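The three key shapes above differ in who holds which key and what the key does. The Go program below is an added example written for this page (not Oracle code, and it uses the Go standard library rather than OCI Vault) that exercises all three: a random AES-256 data key encrypts a record, an RSA-2048 public key wraps that data key (the "encrypting small data such as symmetric keys" case) so that only the private key can unwrap it, and an ECDSA P-256 private key signs the ciphertext. It then flips one ciphertext byte to show that both AES-GCM and the signature reject the change. The input record is constructed; in OCI Vault the symmetric and private keys would stay inside the service (or the HSM), and here they are generated locally only to illustrate the operations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM cipher; a 32-byte key gives AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// AESEncrypt seals plaintext under the symmetric key; the random nonce is
// prepended so the same key (and nothing else) can decrypt later.
func AESEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// AESDecrypt reverses AESEncrypt; GCM's authentication tag makes any change
// to the ciphertext fail here instead of yielding garbage.
func AESDecrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Sign / Verify: ECDSA over P-256 signs a SHA-256 digest with the private key;
// anyone holding the public key can verify.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// DemoResult reports what EnvelopeRoundTrip observed.
type DemoResult struct {
	Recovered  []byte // plaintext after unwrapping the data key and decrypting
	SigValid   bool   // ECDSA signature over the ciphertext verifies
	TamperSeen bool   // a flipped ciphertext byte is caught by both GCM and the signature
}

// EnvelopeRoundTrip: AES-256 protects the data, RSA-2048 (OAEP) wraps the AES
// key with the public key and unwraps it with the private key, ECDSA P-256
// signs the ciphertext.
func EnvelopeRoundTrip(plaintext []byte) (DemoResult, error) {
	var res DemoResult
	dataKey := make([]byte, 32) // AES-256 data key
	if _, err := rand.Read(dataKey); err != nil {
		return res, err
	}
	sealed, err := AESEncrypt(dataKey, plaintext)
	if err != nil {
		return res, err
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &rsaKey.PublicKey, dataKey, nil)
	if err != nil {
		return res, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	sig, err := Sign(ecKey, sealed)
	if err != nil {
		return res, err
	}
	res.SigValid = Verify(&ecKey.PublicKey, sealed, sig)
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rsaKey, wrapped, nil)
	if err != nil {
		return res, err
	}
	if res.Recovered, err = AESDecrypt(unwrapped, sealed); err != nil {
		return res, err
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt one byte of the ciphertext/tag
	_, decErr := AESDecrypt(unwrapped, tampered)
	res.TamperSeen = decErr != nil && !Verify(&ecKey.PublicKey, tampered, sig)
	return res, nil
}

func main() {
	res, err := EnvelopeRoundTrip([]byte("constructed sample record")) // constructed input
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q sigValid=%v tamperSeen=%v\n", res.Recovered, res.SigValid, res.TamperSeen)
}
```

The RSA step is the envelope pattern the page alludes to: the asymmetric key only ever encrypts a 32-byte data key, never the bulk data, which is why the RSA performance note above rarely matters in practice.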