Oracle Cloud Infrastructure (OCI) offers secure and flexible options for managing encryption keys and sensitive data. But with multiple vault types available, how do you know which one is right for your needs?

This guide will help you understand the differences between keys and secrets, explore the vault types available in OCI and choose the right option based on your specific requirements.

Keys vs. Secrets: What’s the Difference?

Before picking a vault, it’s important to know what you’re storing.

Keys are cryptographic objects used to encrypt and decrypt data. They can be symmetric or asymmetric and are stored in hardware security modules (HSMs) for strong protection.

Secrets include sensitive values like passwords, tokens and certificates. Secrets are not stored in HSMs, but their content is encrypted using a master key from the vault. This provides a secure and cost-effective way to manage application secrets.

OCI Vault Options

OCI provides several key management services, each designed for different use cases:

Virtual Vault (Default)
– When to use: Most general-purpose needs
– Why: Cost-effective and secure by default. It uses a multitenant HSM but still meets strong compliance requirements (FIPS 140-2 Level 3).

Virtual Private Vault
– When to use: You need stronger isolation or performance
– Why: Offers a dedicated HSM partition with dedicated processing. Ideal for high-security or regulated workloads.

Dedicated KMS
– When to use: You need complete control of your own HSM environment
– Why: Gives you ownership of a single-tenant HSM. Useful when you need to integrate with custom security systems.

External KMS
– When to use: You need to keep your master keys outside of OCI
– Why: Allows you to use a third-party key management system. Encrypt and decrypt operations happen outside OCI, giving you full control of your keys.

Software Keys vs. HSM-Backed Keys

OCI also supports software keys, which are master encryption keys protected by software and stored on a server. These keys can be exported to perform cryptographic operations on the client rather than on the server. While at rest, they are encrypted by a root key stored on the HSM, adding an extra layer of protection. Software keys are FIPS 140-2 Level 1 compliant, making them suitable for development environments or workloads with lower security requirements.

For production environments or handling regulated data, HSM-backed keys in a vault are recommended due to their stronger, hardware-based protection and non-exportability.
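The recommendation above can be turned into a routine check. The following is an added example, not Oracle's code: it parses the JSON that `oci kms management key list` prints, applies an assumed policy (keys named `prod-*` must use HSM protection, anything else may use software keys) and also flags keys that are pending deletion. The key records and OCIDs are constructed samples.

```python
"""Audit OCI Vault keys: production keys must be HSM-protected (non-exportable);
software keys are acceptable for development only. Input is the JSON printed by
`oci kms management key list` (field names are hyphenated, e.g. "protection-mode")."""
import json

# Constructed sample resembling the CLI output; OCIDs are placeholders, not real.
SAMPLE_KEY_LIST = json.dumps({
    "data": [
        {"id": "ocid1.key.oc1..EXAMPLE-prod-db", "display-name": "prod-db-master",
         "protection-mode": "HSM", "lifecycle-state": "ENABLED", "algorithm": "AES"},
        {"id": "ocid1.key.oc1..EXAMPLE-prod-app", "display-name": "prod-app-master",
         "protection-mode": "SOFTWARE", "lifecycle-state": "ENABLED", "algorithm": "AES"},
        {"id": "ocid1.key.oc1..EXAMPLE-dev", "display-name": "dev-cache",
         "protection-mode": "SOFTWARE", "lifecycle-state": "ENABLED", "algorithm": "AES"},
        {"id": "ocid1.key.oc1..EXAMPLE-old", "display-name": "prod-legacy",
         "protection-mode": "HSM", "lifecycle-state": "PENDING_DELETION", "algorithm": "AES"},
    ]
})

# Assumed policy (ours, not OCI's): which protection modes each environment may use.
# Software keys are exportable, so only development workloads get them.
ALLOWED_PROTECTION = {"dev": {"HSM", "SOFTWARE"}, "prod": {"HSM"}}


def environment_of(display_name):
    """Derive the environment from an assumed naming convention ('prod-' prefix)."""
    return "prod" if display_name.startswith("prod-") else "dev"


def audit_keys(key_list_json):
    """Return (key_id, reason) findings for keys that violate the policy."""
    findings = []
    for key in json.loads(key_list_json)["data"]:
        env = environment_of(key["display-name"])
        mode = key["protection-mode"]
        if mode not in ALLOWED_PROTECTION[env]:
            findings.append((key["id"], f"{env} key uses {mode} protection; HSM required"))
        # A key scheduled for deletion may still protect secrets or encrypted data;
        # surface it so owners can re-encrypt under another key before it is gone.
        if key["lifecycle-state"] == "PENDING_DELETION":
            findings.append((key["id"], "key is pending deletion; review dependents"))
    return findings


if __name__ == "__main__":
    for key_id, reason in audit_keys(SAMPLE_KEY_LIST):
        print(f"{key_id}: {reason}")
```

Run it against live output by piping `oci kms management key list --compartment-id <ocid>` into the script instead of the constructed sample.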

What About Secrets?

Secrets are supported in all vault types but are commonly used with the default Virtual Vault. Since secrets are not stored inside the HSM, using the cost-effective Virtual Vault makes sense for most workloads.

Quick Comparison Table

Here is a simple table to help decide which option fits your needs.

Option                 When to use                                    Key features
Virtual Vault          General-purpose, cost-sensitive workloads      Multitenant HSM, FIPS 140-2 Level 3, cost-effective
Virtual Private Vault  High-security or regulated environments        Dedicated HSM partition, higher cost
Dedicated KMS          Full control and advanced crypto integration   Manage HSM partitions and admin users directly, PKCS#11 support
External KMS           Regulatory need to store keys outside OCI      Customer-owned HSM


For most teams, the default Virtual Vault offers the right balance between cost, security and ease of use. If your organization requires higher isolation, regulatory compliance or external key control, other vault options are available to meet those needs.

For more details on key types, vault configurations and OCI’s key management capabilities, refer to Oracle’s official Key Management FAQ.