Oracle Vault
Oracle Vault provides a secure and reliable Key Management Service (KMS) that can be leveraged to safeguard keys of wallets managed by the Wallet API. This document outlines how to integrate Oracle Vault with the Wallet API and manage keys securely.
If you are new to OCI Vault, make sure to familiarize yourself with the service through the guides available here. The following sections assume that you have knowledge of how Vault works and have already set up and configured a key management service.
Using Oracle Vault with Wallet API
There are two main methods for integrating Oracle Vault with the Wallet API:
- OCI SDK: Utilize the OCI SDK to manage keys in Oracle Vault programmatically.
- OCI REST API: Interact with the OCI REST API to manage keys in Oracle Vault directly.
OCI SDK Integration with Oracle Vault
The OCI SDK provides a convenient way to manage keys in Oracle Vault without the need to interact with the REST API directly.
But you will have to configure the vault for instance principal authentication as you won't be providing any private keys.
Another configuration should be done where you will have to provide the compartment id and the vault id to the Wallet API's oci.conf
file.
Example Configuration :
vaultId="ocid1.vault.oc1.iad.amaaaaaa4q6q6qia7q7"
compartmentId="ocid1.compartment.oc1..aaaaaaaawirugoz35riiybcxsvf7bmelqsxo3sajaav5w3i2vqowcwqrllxa"
OCI REST API - Oracle Vault
With the OCI REST API you can manage keys in Oracle Vault without the need to interact with the SDK directly.
You will have to provide the necessary configuration to the Wallet API to interact with the OCI Vault in the oci-rest-api.conf
.
Example Configuration :
tenancyOcid = "ocid1.tenancy.oc1..aaaaaaaaiijfupfvsqwqwgupzdy5yclfzcccmie4ktp2wlgslftv5j7xpk6q"
compartmentOcid= "ocid1.tenancy.oc1..aaaaaaaaiijfupfvsqwqwgupzdy5yclfzcccmie4ktp2wlgslftv5j7xpk6q"
userOcid = "ocid1.user.oc1..aaaaaaaaxjkkfjqxdqk7ldfjrxjmacmbi7sci73rbfiwpioehikavpbtqx5q"
fingerprint = "bb:d4:4b:0c:c8:3a:49:15:7f:87:55:d5:2b:7e:dd:bc"
managementEndpoint = "entcvrlraabc4-management.kms.eu-frankfurt-1.oraclecloud.com"
cryptoEndpoint = "entcvrlraabc4-crypto.kms.eu-frankfurt-1.oraclecloud.com"
signingKeyPem = """
PRIVATE_KEY_HERE
"""