In this particular lesson we are going to dive deeper into the OCI Vault service. The major components of the OCI Vault service are vaults, keys and secrets. Vaults are logical entities where the Vault service creates and durably stores keys and secrets. A key is the cryptographic material used to encrypt or decrypt data. In an encryption process it takes plaintext and converts that into ciphertext, and then it transforms that ciphertext back into plaintext during the decryption process. That's the simple explanation of keys. Secrets are credentials such as passwords, certificates, SSH keys, or authentication tokens that you can use with the OCI services. Instead of storing these secrets in your code or configuration files, it's a best practice to store them in OCI Vault, and you can retrieve them as and when needed. Now there are two kinds of vaults, as you can see here with the keys. One is called a Virtual Private Vault, and the second one is called a Standard Vault, or a Default Vault. The type of vault you choose determines the degree of isolation and performance for your keys. You also see this FIPS information here. Key management uses hardware security modules, also referred to as HSMs, that meet FIPS, which stands for Federal Information Processing Standards, and there are levels in that. The particular level we adhere to is FIPS 140-2 Security Level 3 certification; there are multiple kinds of certification, and this is a really stringent one, sort of the most stringent, to protect your keys. Now when you actually create the keys, you can decide whether you want to protect these keys by the HSM, the hardware security module, or whether you want to protect them by software, and we'll look into what that means. As you can see here, customer-managed encryption basically means it's offered by OCI Vault, where the customer controls and manages the keys that protect their data.
And as you can see here, various services are supported: the storage services, a couple of database services, Streaming, Kubernetes (Oracle Container Engine), and there are other services which are going to be supported in the future as well. So what are these two vault options we talked about just in the previous slide? The first thing you see here is the Virtual Private Vault, alongside the Standard Vault or Default Vault. The Virtual Private Vault provides a dedicated partition on the HSM; think of this as a single-tenant model. And what is a partition? A partition is a physical boundary on the HSM which is isolated from other partitions. So that's why you see isolation here: it's a full circle, complete, meaning it's the highest level of isolation. The Default Vault uses a multi-tenant partition, so that's what you see here, and it has a moderate level of isolation. Now, the type of vault you choose also determines the pricing, as you can see here in the billing matrix. Software-protected keys are free, but when you decide to protect the keys using an HSM, there is a charge for that, and you should always look up what the latest pricing is. So even for the Standard Vault, there can be a price depending on whether you choose software or HSM. If you choose software, everything here is free: the vault is free, the cost for the keys is free. But if you decide to choose a vault and you protect the keys using an HSM, you pay a nominal fee on that, and I think the billing is based on the number of key versions. Now, if you create a Virtual Private Vault, you pay on a per-hour basis, vault per hour, and again you should check what that cost is. But in this case you're not paying for key versions anymore, because you're paying for the vault. So again, just a quick overview of the differences between the Virtual Private Vault and the Standard Vault.
So, what are the things you can do in the key management space? Well, the first thing is you create the vault, and we'll go through this in a demo. Vaults are logical entities where the Vault service, the key management service, creates and durably stores your keys, as we discussed. And then you create master encryption keys inside your vault. Now when you create a master encryption key, you have two protection modes: software or HSM. What's the difference? When master encryption keys are protected by an HSM, they are stored in the HSM and cannot be exported from the HSM; all the cryptographic operations involving the key (encrypt, for example) also happen on the HSM. A master encryption key protected by software, as you can see here listed as software, is stored on a server and can be exported from the server to perform cryptographic operations on the client instead of on the server. But keep in mind, while at rest, the software-protected key is encrypted by a root key on the HSM. So it definitely leverages that, but the main difference is that HSM-protected keys cannot be exported from the system itself, right, to provide you the highest level of security and protection. So that's what you see here: the protection mode is software, and again, we'll go through this in a demo. When you create a key, you choose your protection mode, as it is indicated here, HSM or software. Key management supports the Advanced Encryption Standard algorithm, and for key sizes you can choose 128, 196, or 256 bits. There's also this concept of key rotation, and as you can see here, it's pretty straightforward: you create a key and then you can rotate the key. Well, why would you do that? Before we get into that: when you create a master encryption key, it is automatically assigned a key version. When you rotate a key, the service generates a new key version, and we'll look into this.
Periodically rotating a key limits the amount of data encrypted by one key version. So why would you do it? You do it to reduce the risk of a compromised key; you don't want all your data to be encrypted by a single key. For example, it's a good best practice to rotate keys on a periodic basis. And as you can see here, when you rotate the keys, it's pretty straightforward: a new key version gets created. But keep in mind the key's unique OCID, which is sort of not shown here (I'll show it in the demo), remains the same across rotations. But the key version, as you can see here, changes; each version has its own unique OCID, and that enables the service to seamlessly rotate keys. Now keep in mind you cannot use an older key version for encryption after you rotate it, but the key version remains there to decrypt any data that it previously encrypted. So if this was the old version, and the data was encrypted with this version, it doesn't mean that the data automatically gets re-encrypted; this version stays. So if you encrypted some data with this version, you could still decrypt it, because this version stays there. What are the design considerations? Key Management, or Vault, is a regional service; there's key replication which we take care of. As we discussed, the storage services, Container Engine, and Streaming are integrated, as are Autonomous Container Databases on dedicated Autonomous Exadata Infrastructure, as well as Exadata DB systems. And there are some limitations, so you should always check the documentation on what is supported today. Key rotation, we just quickly looked at that: rotating a master key does not have any impact on the data already encrypted. We talked about that; customers can continue to decrypt data using an older master key version.
We just talked about that: any subsequent encrypt or decrypt operation after the rotation would use the latest version of the master key, right? I mean, that's the whole point of why you rotate keys and create new versions. Some other considerations, as we discussed earlier: it's a good best practice to rotate your keys. If you feel that your master key has been compromised, you can force re-encryption of all data protected by that key: rotate the key, create a new version, and then delete the prior key version, right? Rotation is pretty seamless, and this makes life much easier; you can force this re-encryption. One thing to keep in mind is that when you delete a vault, it doesn't get deleted right away. You schedule it and there's a waiting period anywhere from seven to 30 days. After that waiting period is over, the vault and its keys and secrets are deleted. After the vault is deleted, it cannot be recovered, so it's a good best practice to do backups. So hopefully this was a quick deep dive on key management, and we just covered specifically key management in this particular lesson.
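As an added illustration, not code from this lesson or from the OCI SDK, here is a small Python model of the rotation semantics just described: the key id stays fixed, each rotation adds a version, encryption always uses the current version, older versions still decrypt their data, and deleting an old version after forced re-encryption makes the old ciphertext unrecoverable. The HMAC-SHA256 counter-mode keystream, the header layout and the key id are assumptions standing in for the service's AES and OCIDs.

```python
import hashlib
import hmac
import os
import struct

def _keystream(material: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in (assumption) for the service's AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(material, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def version_of(blob: bytes) -> int:
    return struct.unpack(">I", blob[:4])[0]   # key version recorded in the header

class MasterKey:
    def __init__(self, key_id: str):
        self.key_id = key_id    # stays the same across rotations
        self.versions = {}      # version number -> key material (constructed)
        self.current = 0
        self.rotate()           # creating the key assigns its first version

    def rotate(self) -> int:
        # Adds a new version and makes it current; older versions decrypt only.
        self.current += 1
        self.versions[self.current] = os.urandom(32)
        return self.current

    def delete_version(self, version: int) -> None:
        # Deleting a version makes anything still encrypted under it unreadable.
        if version == self.current:
            raise ValueError("the current version cannot be deleted")
        del self.versions[version]

    def encrypt(self, plaintext: bytes) -> bytes:
        # Always uses the current version and records it in a 4-byte header.
        nonce = os.urandom(16)
        ks = _keystream(self.versions[self.current], nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        return struct.pack(">I", self.current) + nonce + body

    def decrypt(self, blob: bytes) -> bytes:
        # Uses whichever version the header names, not necessarily the current one.
        version = version_of(blob)
        if version not in self.versions:
            raise KeyError(f"version {version} of {self.key_id} was deleted")
        nonce, body = blob[4:20], blob[20:]
        ks = _keystream(self.versions[version], nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))
```

Re-encrypting old ciphertext is `key.encrypt(key.decrypt(old_blob))`; only after that should the prior version be deleted, or the data it still protects becomes unreadable.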