Oracle Cloud Infrastructure Documentation

Dedicated KMS

Overview of Dedicated KMS.

Dedicated Key Management Service is a fully managed, highly available service that offers a single-tenant Hardware Security Module (HSM) partition. This gives you exclusive access to dedicated partitions within a physical, tamper resistant HSM device to ensure that encryption keys are fully protected and isolated.

In Dedicated KMS, you cryptographically own your HSM partitions with full control over its key generation, storage and usage. The HSM partitions are FIPS 140-2 Level 3 certified, offering the highest level of security for key management. To perform cryptographic operations, the service supports PKCS#11 standard to perform cryptographic operations without the need for any OCI APIs or modules. Dedicated KMS provides HSM clusters in all OCI regions that are are automatically synchronized and are highly available, with a 99.9% availability SLA.

Dedicated KMS offers the following:
  • Provides greater access control by managing not only keys, but HSM partitions and administrative users directly.
  • Heightened control gives you deeper visibility into cryptographic operations and lets you customize the HSM environment to your needs.
  • The use of the PKCS#11 standard for direct interactions with the HSM lets you bypass OCI APIs for more streamlined and efficient cryptographic operations.
  • The service lets you backup and restore HSM keys and users within and across OCI regions.

Supported OCI Services

OCI services including Database, File Storage, and Fusion Applications are integrated with Dedicated Key Management. Customer applications must use standard interfaces such as PKCS#11 to interact with keys in the Dedicated KMS. For example, customers can run PKI applications on OCI Compute instances and create CA private keys within the HSM for signing and verifying identities in the digital world.

Dedicated KMS Terms and Concepts

Term Description
HSM Cluster A cluster is a collection of individual HSM partitions that OCI KMS keeps in sync.
HSM Partition (Dedicated) A single-tenant secure cryptographic enclave within the HSM cluster which is fully isolated for your keys.
HSM Users An HMS user is distinct from IAM users. Unlike an IAM user, an HSM user will use the HSM credentials to access the user management utility to authenticate operations on the HSM because credentials takes place directly on the HSM.
CO Crypto Officer user who can perform user management operations on the HSM partition.
CU Crypto User who can perform key management and cryptographic operations on the key in an HSM partition.
PKCS #11 The PKCS #11 is a cryptographic interface standard also known as Cryptoki. This is one of the public key cryptography standards that defines the interface between an application and a cryptographic device.