This document describes how to perform native key lifecycle management in Oracle Cloud Infrastructure (OCI) using Fortanix Data Security Manager (DSM).
The Fortanix solution for OCI offers Cloud Native Key Management Service (CNKMS), as explained in this guide, as well as Bring Your Own Key (BYOK) with complete lifecycle management for automation.
2.0 Getting Started with Fortanix Cloud Data Control
Disable/Enable: Navigate to the detailed view of the key in the OCI CDC group and disable or enable it from Fortanix DSM.
Schedule Key Deletion: OCI will not allow you to natively delete a key directly unless you explicitly schedule it for deletion and the mandatory waiting period expires (at least 7 days). Navigate to the detailed view of the key in the OCI CDC group, and in the OCI KEY DETAILS tab, schedule the key for deletion.
4.0 Fortanix DSM OCI KMS Security Objects
4.1 Sync Keys
Perform the following steps to sync the OCI keys as virtual keys in the OCI-backed DSM group:
Go to the OCI CDC group detailed view.
Click the HSM/KMS tab.
Click the SYNC KEYS button to import the new virtual keys.
Fortanix DSM will then connect to OCI Vault, fetch all available keys, and store them as virtual keys.
NOTE
Currently, Fortanix DSM supports syncing RSA (RSA_2048, RSA_3072, and RSA_4096) and AES (AES_128, AES_192, and AES_256) keys from OCI Vault into Fortanix DSM. If your OCI Vault already contains ECDSA keys, however, the SYNC KEYS operation will still synchronize them into Fortanix DSM as virtual keys.
When keys are synced with OCI KMS, the metadata of the existing keys for the configured OCI Vault and region are downloaded and represented as virtual keys. The actual key material for those keys is always stored in OCI Vault.
Clicking SYNC KEYS only returns the keys from the OCI Vault that are not already present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.
The time taken to sync keys from the OCI Vault to Fortanix DSM is a function of the number of keys in the OCI Vault and the network latency between the Oracle Cloud region and Fortanix DSM. It can take several minutes if there are hundreds of keys and significant network latency.
4.2 Attributes/Tags Tab
You can add custom attributes by using the ADD CUSTOM ATTRIBUTE button. These are user-defined security object attributes that are added to the security object's metadata and correspond to the "free-form tags" on an OCI key.
4.3 OCI Key Details
This tab displays key information retrieved from OCI, such as key ID, key version details, key name, and protection mode of the key currently linked to the OCI CDC group.
4.4 Security Objects Table View
After you add new OCI keys, navigate to the Security Objects menu item to view all the security objects from all the groups (Regular Fortanix DSM and HSM/External KMS).
In the table, you will notice that every key belongs to a group, and that some keys, the virtual keys added from an OCI Vault, belong to a group that is marked with a special symbol. The table shows all keys, whether they belong to an OCI CDC group or not.
4.5 Schedule to Delete a Key in OCI KMS
When you schedule a key version for deletion in OCI KMS from Fortanix DSM, OCI KMS marks the selected key version for deletion and permanently deletes it after the configured waiting period.
Perform the following steps to schedule key deletion from an OCI KMS:
Navigate to the Security Objects menu item and go to the detailed view of an OCI virtual key and select the OCI KEY DETAILS tab.
Click the SCHEDULE KEY DELETION link button.
In the Schedule Key Deletion in the OCI Vault window, enter a waiting period (in days) during which you can still confirm whether the OCI key is needed. The value must be between 7 and 30 days.
NOTE
Data encrypted with the key becomes unusable once the key is deleted.
Select the confirmation “I understand that the data encrypted with the object can no longer be used once the object is scheduled for deletion.” checkbox.
Click the SCHEDULE KEY DELETE button to mark the key for deletion.
NOTE
If you delete an OCI key container using Actions → Delete Key, all key versions are set to the “Pending deletion” state. Fortanix DSM does not allow cancelling the deletion of these key versions. To retain the ability to cancel key deletion in DSM, always delete individual key versions from the OCI key container.
Figure 1: Delete OCI Key Container
If the key version is the current active version, it cannot be scheduled for deletion. Only older key versions can be scheduled for deletion in OCI.
You can cancel the key deletion at any time before the waiting period ends using the CANCEL KEY DELETION IN OCI link at the top of the screen in the detailed view of the OCI virtual key.
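The deletion rules in this section (7 to 30 day waiting period, the current active version cannot be scheduled, cancellation only before the period ends, and no DSM-side cancellation after a container-level Actions → Delete Key) can be modelled as a small state machine. This is an added illustration, not Fortanix or OCI code; the state names, field names and the assumption that a container delete uses the same waiting-period bounds are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

MIN_WAIT_DAYS, MAX_WAIT_DAYS = 7, 30  # waiting period OCI accepts when scheduling deletion

@dataclass
class KeyVersion:
    version_id: str
    state: str = "ENABLED"                  # ENABLED or PENDING_DELETION (constructed names)
    time_of_deletion: Optional[datetime] = None
    cancellable_in_dsm: bool = True         # False after Actions -> Delete Key on the container

@dataclass
class OciKey:
    key_id: str
    current_version_id: str
    versions: Dict[str, KeyVersion] = field(default_factory=dict)

def schedule_version_deletion(key: OciKey, version_id: str, waiting_days: int, now: datetime) -> datetime:
    """SCHEDULE KEY DELETION on one version; returns the time OCI will delete it."""
    if not MIN_WAIT_DAYS <= waiting_days <= MAX_WAIT_DAYS:
        raise ValueError(f"waiting period must be between {MIN_WAIT_DAYS} and {MAX_WAIT_DAYS} days")
    if version_id == key.current_version_id:
        raise ValueError("the current active key version cannot be scheduled for deletion")
    version = key.versions[version_id]
    version.state = "PENDING_DELETION"
    version.time_of_deletion = now + timedelta(days=waiting_days)
    return version.time_of_deletion

def schedule_container_deletion(key: OciKey, waiting_days: int, now: datetime) -> None:
    """Actions -> Delete Key: every version goes to Pending deletion and DSM cannot cancel it."""
    for version in key.versions.values():  # same waiting-period bounds assumed for the container
        version.state = "PENDING_DELETION"
        version.time_of_deletion = now + timedelta(days=waiting_days)
        version.cancellable_in_dsm = False

def cancel_version_deletion(key: OciKey, version_id: str, now: datetime) -> None:
    """CANCEL KEY DELETION IN OCI: allowed only while the waiting period is still running."""
    version = key.versions[version_id]
    if version.state != "PENDING_DELETION":
        raise ValueError("version is not pending deletion")
    if not version.cancellable_in_dsm:
        raise ValueError("container-level deletion cannot be cancelled from Fortanix DSM")
    if now >= version.time_of_deletion:
        raise ValueError("waiting period has ended; the version is permanently deleted")
    version.state, version.time_of_deletion = "ENABLED", None
```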
The following section elaborates on key rotation in an OCI CDC group. A key rotation occurs when you aim to retire an encryption key and substitute it by importing or copying a new cryptographic key.
5.1 Rotating OCI Native Key* with Another Native Key
*Native key is one where the key material was generated by OCI Vault.
When you rotate a virtual key in an OCI KMS group, the action will rotate the key inside the OCI Vault by generating another new version of the key within the configured OCI Vault.
Perform the following steps to rotate a key in OCI Vault:
Navigate to the Security Objects menu item in the DSM left navigation panel to go to the detailed view of an OCI virtual key and click the ROTATE KEY button.
In the KEY ROTATION window, the Generate new key radio button is selected by default.
Select the ROTATE KEY button to rotate a virtual key.
On the next screen, select both the check boxes to confirm your understanding of the action. Click the PROCEED button.
A new rotated key is now generated.
You can schedule a key rotation policy for the Fortanix DSM virtual key to automatically and periodically rotate the OCI keys.
Perform the following steps to schedule a key rotation policy for the virtual key:
Navigate to the Security Objects menu item in the DSM left navigation panel to go to the detailed view of an OCI virtual key.
In the detailed view, click the KEY ROTATION tab and click the ADD POLICY button.
Enter the key rotation schedule by specifying the rotation frequency, start date, and time.
Click the SAVE POLICY button to save the policy.
On the next screen, select both check boxes to confirm your understanding of the action. Click the PROCEED button.
5.2 Rotating OCI Native Key to Fortanix DSM Owned Key
When an OCI KMS virtual key whose key material is owned by OCI Vault is rotated, you are given the option to rotate it with a Fortanix DSM-backed key. When you select this option and perform the rotation, a new key version is created under the existing OCI Vault key. That version carries the key material of the Fortanix DSM-backed key, so the key becomes a BYOK key.
Perform the following steps to rotate a virtual key with Fortanix DSM-backed key:
Navigate to the Security Objects menu item in the DSM left navigation panel to go to the detailed view of an OCI virtual key and click the ROTATE KEY button.
In the Key Rotation window, the Generate new key radio button is selected by default.
Select the Rotate to DSM key check box.
Select the Fortanix DSM group that contains the source key and then select the required source key from the respective drop-down menu.
NOTE
Ensure that the OCI virtual key has the same permissions as the selected Fortanix DSM source key.
The source key must have the Export permission and must be the same key type as the OCI virtual key (for example, both should be RSA keys or AES keys).
Click the ROTATE KEY button.
On the next screen, select both the check boxes to confirm your understanding of the action. Click the PROCEED button.
The virtual key has now been rotated and is backed by the source key. To confirm, go to the detailed view of the newly rotated OCI virtual key and click the OCI KEY DETAILS tab. The SOURCE field now shows FortanixHSM instead of External.
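A pre-flight check for the "Rotate to DSM key" preconditions above (Export permission on the source key, matching key type, matching permissions) and the resulting SOURCE change from External to FortanixHSM, as an added example that is not Fortanix code. The data classes, permission names and version labels are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

@dataclass
class DsmKey:                       # source key in a regular Fortanix DSM group (constructed)
    name: str
    key_type: str                   # e.g. "AES_256"; the part before "_" is the key family
    permissions: FrozenSet[str]     # e.g. {"ENCRYPT", "DECRYPT", "EXPORT"} (constructed names)

@dataclass
class OciVirtualKey:                # virtual key in the OCI CDC group (constructed)
    name: str
    key_type: str
    permissions: FrozenSet[str]
    source: str = "External"        # value shown under OCI KEY DETAILS > SOURCE
    versions: List[str] = field(default_factory=lambda: ["v1"])

def check_rotate_to_dsm_key(virtual: OciVirtualKey, source: DsmKey) -> List[str]:
    """Return the reasons the rotation would be rejected; an empty list means it may proceed."""
    problems = []
    if "EXPORT" not in source.permissions:
        problems.append("source key lacks the Export permission")
    if virtual.key_type.split("_")[0] != source.key_type.split("_")[0]:
        problems.append(f"key type mismatch: {virtual.key_type} vs {source.key_type}")
    if virtual.permissions != source.permissions:
        problems.append("virtual key permissions differ from the source key permissions")
    return problems

def rotate_to_dsm_key(virtual: OciVirtualKey, source: DsmKey) -> str:
    """Model the rotation: a new version carrying DSM key material, SOURCE flips to FortanixHSM."""
    problems = check_rotate_to_dsm_key(virtual, source)
    if problems:
        raise ValueError("; ".join(problems))
    new_version = f"v{len(virtual.versions) + 1}"
    virtual.versions.append(new_version)
    virtual.source = "FortanixHSM"
    return new_version
```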