Nuts and vaults of Oracle Object Storage with customer-managed keys
Object storage is a common medium for images, video, and other unstructured files. However any content stored in Oracle Object Storage bucket will need to be encrypted.
There are 2 options for encrypting your files:
- Encrypt using Oracle managed keys.
- Encrypt using customer-managed keys.
The quickest and least fuss object storage is to use Oracle managed keys, as encryption matters will be managed for you in the background.
And perhaps Oracle managed keys is the most favoured for your particular use-case.
The other way for object storage is to use customer-managed keys. This way involves using your own:
- vault
- master encryption key
This method may be better if you intend having separate keys for, say, production and development files. In that case, you will be able to rotate the keys independently.
Overview
The vault and master encryption key needs to created before the Oracle Object Storage bucket.
So the steps for an Oracle Object Storage bucket using a customer-managed key are:
- create a compartment.
- create a vault for the compartment.
- create a master encryption key for the vault.
- create an object storage bucket using the master encryption key.
Oracle Cloud Shell
Before we begin, it can be convenient to setup the Oracle Cloud Shell.
If using the Oracle Cloud Shell, then you may have an ~/.oci/config already. If it doesn’t already exist, then create an ~/.oci/config like this :
oci setup configThis command prompts you for the information required to create the configuration file and the API public and private keys.
Go through the prompts, and then afterwards check the contents of the ~/.oci/config file that is created.
less ~/.oci/configYou should see environment variables such as user, key_file, and tenancy.
Create a compartment
Need a compartment to contain the vault, key, and object storage. We’ll create a new compartment named ‘objectstorage’.
mkdir tf-objectstorage
cd tf-objectstorageThen create a new Terraform file.
vim compartment.tfInput the following configuration.
# Note: compartment_id referenced below is the root compartment of the tenancy
resource "oci_identity_compartment" "tf-compartment" {
# compartment_id = the root compartment
compartment_id = "ocid1.tenancy.oc1..<etc>"
description = "Compartment for Object Storage resources."
name = "objectstorage"
}Now orchestrate with Terraform.
terraform init
terraform plan
terraform applyNow we have a compartment named objectstorage, and you can query all your compartments like this:
oci iam compartment list
Create a vault
Create a vault in the compartment we just created.
A virtual private vault is an isolated partition on a hardware security module (HSM). Vaults otherwise share partitions on the HSM with other vaults.
Note1 — Currently, the only type of vault you can back up is a virtual private vault.
Note2 — You cannot back up master encryption keys protected by software. You also cannot back up secrets.
Now create the vault.
# setup some environment variables as shown in the console
compartmentid='ocid1.compartment.oc1..<etc>'
displayname='testvault'
vaulttype='default'
# now create the vault
# oci kms management vault create --compartment-id <target_compartment_id> --display-name <vault_name> --vault-type <vault_type>
oci kms management vault create --compartment-id $compartmentid --display-name $displayname --vault-type $vaulttypeImmediately, you’ll be shown some JSON with some initial details of the vault. However in the background, the vault will be created and take less than a minute to complete.
View the details of the vault in the cloud console.
Or view the details of the vault from the command line.
# setup some environment variables as shown in the console
vaultid='ocid1.vault.oc1.ap-sydney-1.<etc>'
# oci kms management vault get --vault-id <target_vault_id>
oci kms management vault get --vault-id $vaultidNote — A type of encryption key that comes included with each vault by default is a wrapping key.
Create a master encryption key
Now create a master encryption key for the vault — but no instructions for CLI, so use the console instead:
Note1 — Keys can exist outside the compartment the vault is in.
Note2 — for our use case, for the protection mode choose ‘software’.
The master encryption key will take a few seconds to create.
Now show the details of the master encryption key from the command line:
# setup some environment variables as shown in the console
keyid='ocid1.key.oc1.ap-sydney-1.<etc>'
managementurl='https://<etc>-management.kms.ap-sydney-1.oraclecloud.com'
# oci kms management key get --key-id <key_OCID> --endpoint <control_plane_url>
oci kms management key get --key-id $keyid --endpoint $managementurlThe master encryption key is enabled by default, but it is possible to enable a key if it was disabled manually.
# only required if the key was disabled previously.
oci kms management key enable --key-id <target_key_id> --endpoint <control_plane_url>Option — import an external key
As an option — for a customer-managed key, when creating a master encryption key for the vault, you’ll have the opportunity to import an external key (AES or RSA algorithm) that you already own.
Create a bucket for the Object Storage
Prerequisite, even for the root user, the ‘use keys in tenancy’ policy is required so set this up in the cloud console.
allow service objectstorage-ap-sydney-1 to use keys in tenancy
You’ll also need the codes for the regions, and they are listed here:
Now create a bucket that is encrypted with a Vault service master encryption key.
# setup some environment variables as shown in the console
bucketname='testbucket'
compartmentid='ocid1.compartment.oc1..<etc>'
keyid='ocid1.key.oc1.ap-sydney-1.<etc>'
# assigns a key to a bucket and creates the bucket named Testbucket
# oci os bucket create --name <bucket_name> --compartment-id <target_compartment_id> --kms-key-id <target_key_id>
oci os bucket create --name $bucketname --compartment-id $compartmentid --kms-key-id $keyidNote — a default bucket will use an Oracle-managed key service.
When created, the details of the bucket will also show details of the encryption key.
Upload a file into the bucket
Now we can upload objects into the bucket from the console.
Select the bucket (and it’s possible to create many other buckets for the same object storage).
Then upload to your bucket from the cloud console as below.
Note: there are no prompts for passwords.
Paul Guerin has presented at some of the world’s leading Oracle conferences, including Oracle Open World 2013. Since 2015, his work has been featured in the IOUG Best Practices Tip Booklet, and in publications from AUSOUG, Oracle Technology Network, Quest, and Oracle Developers (Medium). In 2019, he was awarded as a most valued contributor for the My Oracle Support Community. He continues to be a participant of the Oracle ACE program.
