Encrypting Data using Master Encryption Key

Encrypt data with a master encryption key using either the CLI or the API interface. Note that this operation can't be performed in the OCI Console.

• Console
• CLI
• API

• This task isn't available in the OCI Console.

• Note
  
  You can use either AES symmetric keys or RSA asymmetric keys to encrypt or decrypt data. ECDSA keys don't support vault cryptography required to encrypt or decrypt data. To encrypt data by using an RSA asymmetric key, you must also provide the --key-version-id of the key. To decrypt the data, you must provide the same --key-version-id. The need to track key versions exists because, unlike symmetric keys, an asymmetric key's ciphertext doesn't contain the information that the service needs for decryption purposes.

  Open a command prompt and run oci kms crypto encrypt to encrypt data. If you don't specify an encryption algorithm using the --encryption-algorithm parameter, an AES key is used by default.

  RSA keys: Note that the --encryption-algorithm parameter must be included in the command for RSA keys. To encrypt data with an RSA key, use the following command:

  oci kms crypto encrypt --key-id <key_OCID> --plaintext <base64_string> --endpoint <cryptographic_endpoint> --encryption-algorithm <encryption_algorithm>

  Example 1: RSA key, encryption algorithm RSA_OAEP_SHA_256

  ocid1.key.oc1.ap-mumbai-1.example123eu6.abrg6ljrn4j3fyhrx4kttej5hj2lxjfzywwuc7353frutrut2i5cw6fshtwa --plaintext VGVzdA== --endpoint https://example123eu6-crypto.kms.ap-mumbai-1.oraclecloud.com --encryption-algorithm RSA_OAEP_SHA_256

  Example 2: RSA key, encryption algorithm RSA_OAEP_SHA_1

  oci kms crypto encrypt --key-id ocid1.key.oc1.ap-mumbai-1.example123eu6.abrg6ljrn4j3fyhrx4kttej5hj2lxjfzywwuc7353frutrut2i5cw6fshtwa --plaintext VGVzdA== --endpoint https://example123eu6-crypto.kms.ap-mumbai-1.oraclecloud.com --encryption-algorithm RSA_OAEP_SHA_1

  AES keys: To encrypt data with an AES key, use the following command:

  oci kms crypto encrypt --key-id <key_OCID> --plaintext <base64_string> --endpoint <cryptographic_endpoint>

  Example: AES key with AES_256_GCM algorithm

  oci kms crypto encrypt --key-id ocid1.key.oc1.ap-mumbai-1.example123eu6.abrg6ljrslqbj6uqmbi5w7ystmdli2tbzlam7wqr3qtznlvghjhmw2macsea --plaintext VGVzdA== --endpoint https://example123eu6-crypto.kms.ap-mumbai-1.oraclecloud.com --encryption-algorithm AES_256_GCM

  For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

• Run the Encrypt operation to encrypt data using the KMSCRYPTO endpoint. This endpoint is also referred to as the cryptographic endpoint in the OCI Console.

  Note
  
  

  Encryption and decryption operations require a cryptographic endpoint that's specific to the vault containing the key you're using. You can find this endpoint in the OCI Console on the Vault Details page, under Cryptographic Endpoint. You can also use the GetVault operation to get the cryptographic endpoint (contained in the cryptoEndpoint field).

  For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.