---
title: "Oracle Cloud Infrastructure KMS Group Setup"
slug: "fortanix-dsm-oracle-cloud-infrastructure-group-setup-guide"
updated: 2026-04-01T08:05:08Z
published: 2026-03-18T07:10:49Z
---


# Oracle Cloud Infrastructure KMS Group Setup

## 1.0 Introduction

This article describes how to set up a Cloud Data Control (CDC) group for Oracle Cloud Infrastructure (OCI) Key Management Service (KMS) using Fortanix Data Security Manager (DSM).

The Fortanix solution for OCI KMS offers Cloud Native Key Management Service (CNKMS) and Bring Your Own Key (BYOK), provides complete lifecycle management and automation of OCI keys, and allows users to manage all keys centrally and securely.

This guide will walk you through setting up an OCI CDC group that will be used for both CNKMS and BYOK workflows.

## 2.0 Getting Started with Fortanix Cloud Data Control

*To understand which solution between CNKMS, BYOK, Bring Your Own KMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, refer to [Fortanix DSM - Cloud Data Control - Getting Started](/v1/docs/fortanix-dsm-cloud-data-control-getting-started).*

## 3.0 Obtaining Access to Fortanix DSM

Create an account in Fortanix DSM if you do not have one already. *For more information, refer to [User's Guide: Getting Started with Fortanix Data Security Manager - UI](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui).*

## 4.0 Fortanix DSM OCI CDC Group Setup

### 4.1 Create an OCI Vault

Before connecting Fortanix DSM to OCI, ensure that a Vault is already set up in your Oracle tenancy to hold DSM-managed keys.

1. Log in to the [Oracle Cloud](https://cloud.oracle.com/) console and navigate to **Menu** → **Identity & Security** → **Vault** → **Vaults**. *For more information on how to create Vaults in the Oracle Cloud console, refer to the [official Oracle Cloud documentation](https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingvaults_topic-To_create_a_new_vault.htm).*

   > [!NOTE]
   > Each Vault resides within a specific **Compartment** and **Region**. Ensure that the same values are configured later in the OCI CDC group in Fortanix DSM.
2. Select the Vault that you want Fortanix DSM to manage.
3. Click **SAVE** to store the settings.

### 4.2 Retrieve OCI Values for Fortanix DSM Integration

Before configuring the OCI CDC group in Fortanix DSM, obtain the following values from the Oracle Cloud console.

#### 4.2.1 User OCID

Every user in OCI has a unique OCID. Fortanix DSM uses this identifier to authenticate the user and perform operations in OCI.

Perform the following steps to retrieve the User OCID:

1. In the OCI console, click your **User Profile** icon in the top-right corner.
2. Select **User settings**.
3. On the **User information** page, copy the value of the **OCID** field.

#### 4.2.2 Region

Each OCI deployment resides in a specific region. Fortanix DSM requires the region identifier to communicate with the appropriate OCI Vault endpoint.

Perform the following steps to retrieve the Region identifier:

1. In the Oracle Cloud console header, click the **Regions** drop-down list.
2. Select **Manage regions**. A list of all available regions appears.
3. Copy the **Region identifier** corresponding to the active region.

#### 4.2.3 Tenant OCID (Compartment OCID)

A compartment is used to organize and manage resources in OCI. If you do not already have one, refer to the [*official Oracle Cloud documentation*](https://docs.oracle.com/en-us/iaas/Content/Identity/compartments/To_create_a_compartment.htm) to create a compartment.

Perform the following steps to retrieve the Compartment OCID:

1. In the Oracle Cloud console search bar, type **Compartments** and press **Enter**.
2. Select the required **Compartment** from the results.
3. In the **Details** tab, copy the value of the **OCID** field.

### 4.3 Configure an OCI CDC Group

After obtaining the OCI values, perform the following steps to create an OCI CDC group in Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.
2. On the **Adding new group** form:
  1. Enter a **name** and **description** for the group.
  2. Click **LINK HSM/EXTERNAL KMS** to select OCI KMS as the external KMS type, so that Fortanix DSM can connect to it.
  3. Select **OCI Vault** from the drop-down menu.
  4. On the **Configure as HSM/External KMS group** form:
    - **Region**: Enter the region where your OCI Vault is deployed, as copied in [*Section 4.2.2: Region*](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-group-setup-guide#422-region).
    - **Tenant ID**: Enter the OCID of your OCI tenancy, as copied in [*Section 4.2.3: Tenant OCID (Compartment OCID)*](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-group-setup-guide#423-tenant-ocid-compartment-ocid).
    - **User ID**: Enter the OCID of the OCI user, as copied in [*Section 4.2.1: User OCID*](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-group-setup-guide#421-user-ocid).
    - **Compartment ID**: Enter the OCID of the compartment where your OCI Vault resides, as copied in [*Section 4.2.3: Tenant OCID (Compartment OCID)*](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-group-setup-guide#423-tenant-ocid-compartment-ocid).
  5. In the **Authentication** section, click **GENERATE API KEY** to create a new key pair in Fortanix DSM. If you are an existing user, you can also select an existing key pair from the **API Key** drop-down list to configure the signing key in OCI.
  6. Once the public key appears in the text box below, click the copy ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2377).png) button to copy it, then log in to the Oracle Cloud console and follow the steps in [*Section 4.4: Configure OCI API Key*](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-group-setup-guide#44-configure-oci-api-key) to register it.
3. Click **TEST CONNECTION** to test your OCI KMS connection. If Fortanix DSM connects to OCI using the provided credentials, it shows the status "Connected" with a green tick ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360082238652(4).png) and fetches the Vault details associated with the provided OCID. Otherwise, it shows the status "**Not Connected**" with a yellow warning sign ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1811)(1).png).
4. Click **SAVE** to store the configuration securely in Fortanix DSM.

### 4.4 Configure OCI API Key

Perform the following steps to configure the API key and register it in OCI Vault for key-based authentication:

1. Log in to the [Oracle Cloud](https://cloud.oracle.com/) console.
2. In the upper-right corner of the screen, click your **User Profile** icon and select **User settings**.
3. In the **Tokens and keys** section, click **Add API key**. This allows Fortanix DSM to establish a secure connection to OCI Vault using key-based authentication.
4. In the **Add API key** window, select **Paste a public key** and paste the public key as copied in *Step 2(f)* of [*Section 4.3: Configure an OCI CDC Group*](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-group-setup-guide#43-configure-an-oci-cdc-group). *For more information on API key limitations, refer to [Fortanix DSM - Oracle Cloud Infrastructure Troubleshooting](/v1/docs/fortanix-data-security-manager-oracle-cloud-infrastucture-troubleshooting-).*
5. Click **Add** to register the key. Oracle Cloud generates and displays the following information:
  - **Fingerprint**: The unique identifier of the uploaded public key.
  - **Tenant OCID**: The Oracle tenancy identifier associated with your account.
  - **User OCID**: The unique Oracle Cloud user identifier.
  - **Region**: The geographic region where your OCI Vault resides.

Once the key is created, return to the Fortanix DSM UI and click **Test Connection** to validate the configuration.

> [!NOTE]
> After uploading the public key, it may take a few minutes for the change to reflect and show a "success" status in Fortanix DSM.

### 4.5 Not Connected Scenario

When you click **TEST CONNECTION**, Fortanix DSM may be unable to connect to OCI. If that happens, it displays a "**Not Connected**" status with a warning symbol ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1811)(2).png). You can save the details of the new connection as provided and edit them later.

### 4.6 HSM/KMS Tab

The group details now include an **HSM/KMS** tab displaying information about your KMS.

The **HSM/KMS** tab displays the **Region** and **Compartment ID** for the configured OCI Vault. The **Authentication** section also displays the **Credential ID** and **Public half of API Key Pair (upload to OCI)** information, and a **ROTATE API KEY PAIR NOW** button to rotate the API key pair. *For more information on how to rotate the API key pair, refer to [Section 4.6.1: Rotate API Key Pair](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-group-setup-guide#461-rotate-api-key-pair).*

You can click **EDIT** to update the configuration or **DELETE HSM/KMS** to remove the OCI Vault mapping.

After editing and saving, click **TEST CONNECTION** to check the connection.

Click **SYNC KEYS** to fetch or refresh keys from the Oracle Cloud console. During synchronization, Fortanix DSM shows "**Scanning for keys**" while it retrieves any new keys created on the OCI side.

#### 4.6.1 Rotate API Key Pair

You can rotate the Oracle API key pair used to authenticate Fortanix DSM with OCI Vault. This replaces the existing RSA key pair with a new one and requires the updated public key to be uploaded to the user’s OCI profile.

Perform the following steps to rotate the API key pair:

1. In the OCI CDC group detailed view, navigate to the **HSM/KMS** tab.
2. Click **ROTATE API KEY PAIR NOW**.
3. Fortanix DSM generates a new RSA key pair and updates the credential in the OCI CDC group.
4. Copy the new **Public half of API Key Pair (upload to OCI)** value using the copy ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(136).png) button.
5. Log in to the Oracle Cloud console, navigate to **User settings** → **API Keys**, and paste the new public key to register it.
6. Once the public key is uploaded, return to the Fortanix DSM UI and click **TEST CONNECTION** to verify the updated credential.

> [!NOTE]
> - After rotation, the old key pair becomes inactive. You must upload the new public key to OCI before performing any further BYOK operations.
> - After performing the rotation, if you **do not** upload the new public key to OCI, the connection test or any subsequent BYOK operation will fail with the "**The required information to complete authentication was not provided or was incorrect**" error.
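After registering the public key (Section 4.4) and again after rotating it (Section 4.6.1), a practitioner wants to confirm that the **Fingerprint** OCI displays belongs to the public half DSM generated, and that a rotation really produced a different key. The following Python script is an added example, not Fortanix or Oracle code; it recomputes the OCI API-key fingerprint (MD5 of the DER-encoded public key, written as colon-separated hex pairs, as OCI defines it) from a pasted PEM and compares old and new keys. The sample PEM constants are constructed placeholders, not real keys.

```python
"""Check the OCI API signing key registered for Fortanix DSM.

OCI identifies an uploaded public key by its fingerprint: the MD5 digest of the
DER-encoded key, written as colon-separated hex pairs. Recomputing it from the PEM
copied out of the DSM group form lets you confirm OCI shows the key DSM generated.
"""
import base64
import hashlib
import re

# DER bytes of the rsaEncryption OID (1.2.840.113549.1.1.1) in a SubjectPublicKeyInfo.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
_PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S)

def oci_api_key_fingerprint(pem: str) -> str:
    """Return the OCI-style fingerprint (aa:bb:...:ff) of a PEM public key."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found in the pasted text")
    if m.group("label") != "PUBLIC KEY":
        # DSM's "Public half of API Key Pair" box shows the SubjectPublicKeyInfo
        # form ("BEGIN PUBLIC KEY"), which is what OCI's "Paste a public key" expects.
        raise ValueError(f"expected 'BEGIN PUBLIC KEY', got 'BEGIN {m.group('label')}'")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    if der[:1] != b"\x30" or RSA_ENCRYPTION_OID not in der:
        raise ValueError("DER is not an RSA SubjectPublicKeyInfo")
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(pem: str, console_fingerprint: str) -> bool:
    """True if the Fingerprint OCI shows after 'Add API key' belongs to this key."""
    return oci_api_key_fingerprint(pem) == console_fingerprint.strip().lower()

def rotation_changed_key(old_pem: str, new_pem: str) -> bool:
    """After ROTATE API KEY PAIR NOW, the new public half must differ from the old."""
    return oci_api_key_fingerprint(old_pem) != oci_api_key_fingerprint(new_pem)

# Constructed samples: a genuine RSA-2048 SPKI header followed by filler, NOT usable
# keys; they only exercise the fingerprint arithmetic offline.
_RSA2048_SPKI_HEADER = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"

def _sample_pem(filler: str) -> str:
    return f"-----BEGIN PUBLIC KEY-----\n{_RSA2048_SPKI_HEADER}{filler}\n-----END PUBLIC KEY-----\n"

SAMPLE_DSM_PUBLIC_KEY = _sample_pem("QUJD" * 8)       # constructed
SAMPLE_ROTATED_PUBLIC_KEY = _sample_pem("WFla" * 8)   # constructed
```

Paste the real PEM from the DSM **HSM/KMS** tab in place of the sample and compare the result with the fingerprint listed under **API Keys** in OCI; a mismatch means the wrong key (or a stale one) is registered.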

### 4.7 Groups Table View

After saving the group details, you can view the list of all groups and notice the special symbol ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1812)(1).png) next to the newly created group. This symbol indicates that it is an OCI CDC group, distinguishing it from other groups.

### 4.8 User’s View

Navigate to the **Users** menu item in the DSM navigation panel and click the user that says "**You**" on the **Users** page to view the user's detailed view.

The detailed view shows all the groups the user belongs to and indicates which groups are mapped to OCI KMS, displaying their status as "connected" or "not connected."

## 5.0 Oracle Cloud Infrastructure Group BYOK and Cloud Native Key Management

*For more information on how to perform BYOK key lifecycle management in OCI using Fortanix DSM, refer to [Fortanix DSM – Oracle Cloud Infrastructure Bring Your Own Key](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-byok-bring-your-own-key).*

*For more information on how to perform native key lifecycle management in OCI using Fortanix DSM, refer to [Fortanix DSM - Oracle Cloud Infrastructure Cloud Native Key Management](/v1/docs/fortanix-dsm-oracle-cloud-infrastructure-cloud-native-key-management).*

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

Fortanix DSM’s BYOK feature generates Linked or Copied virtual keys from a source key enabling backup and key replication to other CSP accounts/subscriptions, regional instances, key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.
