[SOUND] In this particular demo, we are going to take a look at the OCI Vault service in action. So let's get started. To bring up the Vault service, click on the service navigation menu on the left-hand side, click on Identity and Security, and Vault is right here. So the first thing you need to decide is you need to choose a compartment. We have been using the sandbox compartment, and you need to create a vault. So let's create a vault here, compartment sandbox is fine, and we could call this as Because sport as a world one, and right here I can choose to make it a virtual private vault. I'm going for a standard or default vault. The difference is, if I choose the virtual private vault, this gets me a dedicated partition on the HSM. The pricing is more expensive, and we discussed this in the theory lesson. So I'm okay with creating a standard vault, and the vault would take a few seconds and it would get created.

And once the vault is created, we'll come and create master encryption keys. And then what we'll do is we'll take some plain text, and then we'll show how encryption and decryption works. And we will use the OCI CLI to run this operation. And if you head over to the OCI CLI documentation, you can see the details. We are going to use the encrypt and decrypt operations. And you can see the syntax here in the encrypt operation and similar syntax on decrypt. So as soon as the vault is created, we'll go and we'll run this particular demo.

All right, looks like the vault is created. And the first thing I want to show here is it says Virtual Private: no, a standard vault or a default vault. And then you see these two endpoints. Now one thing to keep in mind is the Vault service is a public service. You can see these two URLs. And if you hover over those, it shows you that the cryptographic endpoint is used for cryptographic operations, as you can guess, things like encrypt, decrypt, generate data encryption keys, etc. Management endpoints are for management operations.
So things like create, update, list operations, right? So these are the two endpoints, and we'll be using the cryptographic endpoint as part of our demo.

So let's go ahead and create a master encryption key. And we'll name this key as master encryption key one. And right here you can see that there are two kinds of protection modes: one is HSM and the other is software. When you choose HSM, your keys are stored on the HSM and cannot be exported from that HSM. All cryptographic operations involving the key also happen on the HSM. In case of software, that's not the case. The keys are stored on a server and can be exported from the server to perform cryptographic operations on the client instead of on the server. So that's the big difference, and you pay more for HSM. So we'll choose software here. And I can change the key shape, 256, which is good. And I'll just hit Create Key here. This again should take a few seconds and the master encryption key would be created.

All right, so it looks like the vault and the master encryption key are created. As you can see here, the master encryption key. I would need the OCID from the master encryption key. And then I would need the cryptographic endpoint from the vault to run the encryption and decryption operation. So let me just bring up Cloud Shell here. A little bigger. And what we are going to do is we are going to convert this plain text into ciphertext, and then we are going to look at the cipher, we take the ciphertext and we'll decrypt it back to plain text.

Now one thing to keep in mind is we are doing a base64 encoding here, and if you go on to the OCI CLI, you can see the usage listed here, and it says the plain text we are using in the example needs to be converted to base64, needs to be base64 encoded. If you don't do that, you will not get the right result. And if you just want to see what we just did with plaintext here, echo this thing.
And you can see that it's basically the plain text, on which we just did a base64 encoding. And if I just show you really quickly, if I decode this, you can see that it's back the same text we used, the plain text. So we took the plain text, did a base64 encoding of that, and that got me this. And then if I use the base64 decoding, I could see the same information. So we have done no kind of encryption or decryption operation right now.

Now I have the script here just to make it quicker. Instead of typing the whole big script, let me just run it. And I'll explain to you what's going on here. So if I come to the Cloud Shell, and I just paste this. What I'm trying to do here is I'm running the CLI, and the KMS crypto operation. And specifically I'm doing encryption here. Plain text is the plain text which says let's look at the OCI KMS demo, base64 encoded. And the two pieces of information I need: one is the key ID, that's the OCID for the master encryption key, and then I need the cryptographic endpoint. And now what this is going to do is it's going to run the encryption. And it's successful and returns this value. And if I echo the encrypted text value, I can see that it returns me this ciphertext.

Now I need to get this ciphertext out from this sort of JSON result which the CLI returns, and I put it in the encrypted text string. So to do that, I have a quick script here, and let me just do that. You can see, if I go to ciphertext, you can see that this is my ciphertext. Now, we started with this kind of plain text. For the encryption operation, we have converted it into this ciphertext. Now, if anyone tries to sniff on it, they cannot find it useful, because looking at this kind of gibberish text, they cannot figure out that it basically is the same plain text. That's the power of encryption. That's how you would encrypt.
Now we need to do decryption, because on the other side, if somebody wants to read that information, they would need to do the decryption operation. So again, I have the text here. Let me just paste it here to the screen, but actually leave the screen be there. And if I paste it here, you can see that I'm running the decryption operation here, and looks like there is some error. Let me just go back and make sure that I'm using the right is. Looks like I'm not using the right key. So that's why it gave me an error. So let me just be security liquidity. You have to make sure that you're using the right key version, the right OCID, and this operation should work fine. And as you can see, this works perfectly fine.

And if I see my decrypted text now, you can see that it returns again a JSON, and there is the plain text here, but this is not the plain text which says let's look at the OCI KMS demo. Why is that? Well, this is base64 encoded, so we need to decode it. We should be able to see that text or even a text. And so we picked this particular plaintext, which is base64 encoded. So we picked that, put that in the base64 encoded plain text. And now, we just simply need to change it back to decoded, and this should give us our original text, and you can see here that we can get the original text, right.

So just to recap, we took a plain text, we did base64 encoding on that. And then we ran the encryption operation, and we encrypted that data, and that gives us this ciphertext. And basically we collected that ciphertext, and this is that ciphertext. Now if anybody gets hold of it, they cannot figure out that it means this plain text, let's look at the OCI KMS demo. So this is the ciphertext. We took that ciphertext and we ran a decrypt operation on that. And it's similar to encryption. The decrypt operation is OCI KMS decrypt. And the two pieces of information we need: one is the key ID. As said, we had given a wrong one here, so it didn't work.
And we need the endpoint, the cryptographic endpoint. And then of course, we need the ciphertext here. Like for encryption we needed the plaintext, now we need the ciphertext, and all this is base64 encoded. And so it returns this big JSON. And this is the plain text it returns, again, base64 encoded. So running this particular command, we ran a query, and we took out this portion of the string from that query, and then we decoded that particular string, and then we get the original plaintext back. So this is a very quick demo of how encryption and decryption can work using the OCI KMS CLI. I hope you found this demo useful.
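
The round trip walked through in the demo, written out as an added example that is not part of the recording. `KEY_OCID` and `CRYPTO_ENDPOINT` are placeholder variables for the master encryption key's OCID and the vault's cryptographic endpoint, the helper function names are hypothetical, and the sample string is constructed.

```bash
#!/usr/bin/env bash
# Added example: OCI Vault encrypt/decrypt round trip with the OCI CLI.
# Assumed inputs (placeholders, not values from the demo):
#   KEY_OCID         OCID of the master encryption key
#   CRYPTO_ENDPOINT  the vault's cryptographic endpoint URL

# The CLI takes and returns base64, so encode before encrypt, decode after decrypt.
b64enc() { printf '%s' "$1" | base64 | tr -d '\n'; }
b64dec() { printf '%s' "$1" | base64 --decode; }

# Encrypt base64 plaintext; --query/--raw-output pull the ciphertext
# string out of the JSON response instead of printing the whole document.
kms_encrypt() {
  oci kms crypto encrypt \
    --key-id "$KEY_OCID" \
    --endpoint "$CRYPTO_ENDPOINT" \
    --plaintext "$1" \
    --query 'data.ciphertext' --raw-output
}

# Decrypt ciphertext; the returned plaintext is still base64 encoded.
kms_decrypt() {
  oci kms crypto decrypt \
    --key-id "$KEY_OCID" \
    --endpoint "$CRYPTO_ENDPOINT" \
    --ciphertext "$1" \
    --query 'data.plaintext' --raw-output
}

# Full round trip. Returns non-zero if either call fails, which is what
# happens when the key OCID does not match the key that produced the ciphertext.
roundtrip() {
  _ct=$(kms_encrypt "$(b64enc "$1")") || return 1
  [ -n "$_ct" ] || return 1
  _pt_b64=$(kms_decrypt "$_ct") || return 1
  b64dec "$_pt_b64"
}

# Runs only when both placeholders have been set to real values.
if [ -n "${KEY_OCID:-}" ] && [ -n "${CRYPTO_ENDPOINT:-}" ]; then
  roundtrip "sample text for the KMS demo (constructed)"
  echo
fi
```
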