In this lesson, let's look at what the OCI Vault service is. OCI Vault is a managed service that lets you centrally manage encryption keys and secret credentials. Vault removes the need to store encryption keys and secrets in configuration files or in code.

So what are these things called keys and secrets? A key specifies how to transform plaintext into ciphertext during encryption, and how to transform ciphertext back into plaintext during decryption. Secrets are credentials such as passwords, certificates, SSH keys, or authentication tokens that you can use with Oracle Cloud Infrastructure services. So this particular service lets you centrally manage these encryption keys and credentials. The idea is that you don't have to store them in configuration files or in code, because that can potentially lead to a security breach. That's the central management aspect of keys and secret credentials.

Now, there are two kinds of protection modes for keys. One is called software, and the other is called hardware security module, or HSM. The hardware security modules in OCI meet the FIPS 140-2 Security Level 3 certification. That's a mouthful; it's a federal standard for HSM modules. But what's the difference between software and HSM protection? A master encryption key protected by an HSM is stored on a hardware security module device and cannot be exported from the HSM; it stays within the HSM. All the cryptographic operations involving the key also happen on the HSM. Meanwhile, a master encryption key protected by software is stored on a server, and therefore it can be exported from the server to perform cryptographic operations on the client instead of on the server. When I say server here, it basically means your compute host or the storage host where the remote storage or the object storage data gets stored. So that's the big difference between managing the keys in an HSM versus managing the keys in software.
Now, what are the different kinds of algorithms Vault supports? Let's look into them really quickly. The Vault service supports AES, RSA, and ECDSA algorithms. What's the difference? AES is a symmetric key algorithm: the same key encrypts and decrypts data. RSA is asymmetric encryption: the public key encrypts data and the private key decrypts data. ECDSA keys are used for digital signing, but they cannot be used to encrypt or decrypt data. So there are various use cases, and both symmetric and asymmetric algorithms are supported by this particular service. The keys are integrated with other OCI services; in the next couple of slides, we will look into that. You can rotate your master keys, and that way you don't have to do a complete round of encryption again. And one thing which is not listed on this slide is that the service is a regional service, and it has a public API endpoint that you can use.

Now let's look into some of the other basic concepts surrounding the use of keys. In essence, the way Vault operates is called envelope encryption. Think about this as a two-tiered hierarchy of keys. The keys that do the actual encryption are called data encryption keys; they are used to encrypt customer data. Master encryption keys, in turn, encrypt the data keys. So you can see in the picture here that there is the master key that is used to encrypt the data key; that's the middle box, where the data key is encrypted by the master key. But the actual encryption for storage, let's say block storage, object storage, or file storage, is done using the data key. This kind of two-tiered encryption is called envelope encryption. And you can use IAM policies to authorize access to master keys, so not everybody has access to those keys. You could also use audit logs to monitor all key-related activities. So you secure your Key Vault using things like policies and audit logs.
So, like I said, this is envelope encryption. What are the benefits? It's easier to manage. It limits the blast radius. And because you are using master keys, rotating a key doesn't require a complete re-encryption of the data: you could just rotate the master key, and you don't have to do the complete data re-encryption. But one thing to keep in mind is that you have to be careful. If the master key is deleted, then there is no way for anyone to recover the data. That is why we soft delete the keys with a 7-day gap, and you should take the requisite backups.

The thing to keep in mind is that a Vault cannot be deleted immediately. You schedule the deletion by configuring a waiting period, like it says on the slide, anywhere from seven to 30 days. The Vault and all the keys created inside the Vault are deleted at the end of this waiting period, and all the data that was protected by those keys is no longer accessible after the Vault is deleted. Keep in mind that once a Vault is deleted, it cannot be recovered. So that's why that seven to 30 day period is there by design.

Now, let us look at an example of how this works with an OCI service. Here you have a Key Vault, and there is a master key in it. You can write policies to manage who has access to these keys, and you could also use audit logs to see who is using these keys. Now, let's look at the encryption process and the decryption process in the context of Object Storage. Let's say you have an object storage bucket, you upload some plaintext data there, and you want to encrypt it. Encryption is actually on by default. You could bring your own keys; if you don't do that, we do the encryption by default. This is showing how the process actually works. First, the Object Storage service calls the Vault service and asks it to generate a data key. The Vault service returns a data key, and it also returns the same data key encrypted with a master key.
So that's why you see those two boxes there. Then Object Storage takes the plaintext data key and does the encryption with it. And then it throws away the data key. But in the bucket, it keeps the encrypted object, and it also keeps the encrypted data key with it, right? You will see why it keeps the encrypted data key. At the time of making a request to decrypt this data, the encrypted object and the encrypted data key are stored in the bucket, as you see there. So Object Storage now makes a request to the Vault, and it sends the encrypted data key as part of the request. Vault takes the encrypted data key, and it knows the master key because that is stored inside the Vault. So it decrypts the encrypted data key with the master key and sends the plaintext data key back. Remember, this data key is the one that is used for encryption and decryption. Now, once you have the data key, you can actually decrypt the data back to plaintext with it.

So, this is a bit more advanced for a foundational course, but hopefully you get an idea of how the Vault works, how the two-tiered encryption works, and why it is useful: it limits your blast radius, and you don't have to do the encryption again in case you rotate your keys. Just to recap, Vault is a service which you can use to centrally manage your keys and secret credentials. It has lots of advanced features; we just looked at a couple of quick examples of how envelope encryption works. I hope this lesson was useful. Thanks for watching.
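As an added example, not part of this lesson and not OCI SDK code, here is a stand-in in Go for the two-tiered flow just described: a Vault type holds the master key material and never hands it out, the storage side asks it for a data key, encrypts the object with the plaintext data key, throws that key away, and keeps only the encrypted object plus the encrypted (wrapped) data key; on a read it sends the wrapped data key back to the vault and decrypts locally with what comes back. It also goes a step beyond the slides: the vault keeps every master key version, so rotating the master key leaves existing objects readable with no re-encryption, and once the master key material is destroyed the wrapped data key, and therefore the object, cannot be recovered. The names (Vault, StoredObject, StoreObject, ReadObject), the one-byte version prefix on the wrapped key, and the use of AES-256-GCM for both tiers are this example's own assumptions, not OCI formats or API names; the object contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault stands in for the key service (this example's own type, not the OCI SDK). Master key
// material never leaves it, and every version is kept so rotation does not orphan old data keys.
type Vault struct {
	versions [][]byte // master key versions; the last one wraps new data keys
}
// StoredObject is what the bucket keeps: the encrypted object plus the wrapped data key.
type StoredObject struct{ Ciphertext, WrappedDEK []byte }

// randBytes returns n cryptographically random bytes.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// aead builds AES-256-GCM for a key; every key in this example is 32 bytes, so a failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // AES has a 128-bit block, so NewGCM cannot fail here
	return gcm
}
// seal encrypts under a random nonce and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// unseal reverses seal; it fails on a wrong key or on tampered data.
func unseal(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Rotate adds a new master key version; older versions stay available for unwrapping.
func (v *Vault) Rotate() { v.versions = append(v.versions, randBytes(32)) }
// Delete destroys every master key version, as at the end of a vault's deletion waiting period.
func (v *Vault) Delete() { v.versions = nil }

// GenerateDataKey returns a fresh data key in plaintext plus the same key wrapped by the current
// master key version. The one-byte version prefix is this example's convention, not an OCI format.
func (v *Vault) GenerateDataKey() (plain, wrapped []byte, err error) {
	cur := len(v.versions) - 1
	if cur < 0 {
		return nil, nil, errors.New("vault has been deleted")
	}
	dek := randBytes(32)
	return dek, append([]byte{byte(cur)}, seal(v.versions[cur], dek)...), nil
}
// Decrypt unwraps a data key inside the vault; the master key itself is never returned.
func (v *Vault) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) == 0 || int(wrapped[0]) >= len(v.versions) {
		return nil, errors.New("master key version unavailable")
	}
	return unseal(v.versions[wrapped[0]], wrapped[1:])
}

// StoreObject is the encryption path: get a data key, encrypt with its plaintext copy, discard that copy.
func StoreObject(v *Vault, plaintext []byte) (StoredObject, error) {
	dek, wrapped, err := v.GenerateDataKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct := seal(dek, plaintext)
	clear(dek) // throw the plaintext data key away; only the wrapped copy is kept with the object
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}
// ReadObject is the decryption path: send the wrapped data key to the vault, decrypt with what comes back.
func ReadObject(v *Vault, obj StoredObject) ([]byte, error) {
	dek, err := v.Decrypt(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, obj.Ciphertext)
}

func main() {
	v := &Vault{}
	v.Rotate()
	obj, _ := StoreObject(v, []byte("constructed sample object")) // constructed input
	v.Rotate() // new master key version; the stored object is not re-encrypted
	pt, err := ReadObject(v, obj)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	v.Delete() // master key material gone: the object can no longer be recovered
	_, err = ReadObject(v, obj)
	fmt.Println("after vault deletion:", err)
}
```

Run it with `go run .` to see the object still decrypt after the rotation and fail after the deletion. The version prefix is what makes rotation cheap: new data keys are wrapped under the newest master key version, while the wrapped key stored next to an old object still names the version that can unwrap it, so nothing stored has to be touched. The GCM tag on both tiers means a wrong master key version or a modified ciphertext is reported as an error rather than yielding garbage.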