This article describes how to perform Bring Your Own Key (BYOK) lifecycle management in Oracle Cloud Infrastructure (OCI) using Fortanix Data Security Manager (DSM).
The Fortanix solution for OCI offers complete BYOK, as explained in this article, as well as Cloud Native Key Management Service (CNKMS) with lifecycle management for automation.
2.0 Getting Started with Fortanix Cloud Data Control (CDC)
Import source key: Navigate to a source key in Fortanix DSM and copy the key into an OCI CDC group to create a linked key and a BYOK key in OCI KMS.
Rotate source key: Rotate the source key that was originally generated in Fortanix DSM and select the option to rotate linked or copied keys.
Disable/Enable: Navigate to the detailed view of the key in the OCI KMS group and disable or enable it from Fortanix DSM.
Schedule key deletion: OCI does not allow a key to be deleted immediately; the key must be scheduled for deletion and is removed only after the mandatory waiting period (at least 7 days) expires. Navigate to the detailed view of the key in the OCI CDC group, and in the OCI KEY DETAILS tab, schedule the key for deletion.
5.0 Fortanix DSM OCI KMS Security Objects
You can create and manage cryptographic keys in OCI Vault using the BYOK capability.
5.1 Bring Your Own Key - Copy Key to OCI Vault
Use this option when you want to create a key in Fortanix DSM and then import it into the configured OCI Vault. The Copy Key to OCI Vault feature allows you to transfer a security object from one Fortanix DSM group to another, including to an OCI CDC Fortanix DSM group.
This feature has the following advantages:
Maintains a single source of key material that can be used in or imported into multiple Fortanix DSM groups, where applications may need to share one key to meet business objectives.
Maintains links from every copy of the key material back to the source key, so that all copies can be named and rotated at once, and can be tracked for audit purposes.
The following actions happen during the copy key operation:
A new key will be created in the target group: The new key will have the same key material as the original.
The source key links to the copied keys: There will be a link maintained from all copied keys to the source key.
The source key will also have basic metadata-based information about the linked keys, such as:
Copied by <user-name/app id>
Date of Copy <time stamp>
Target copy group name
NOTE
The name of the copied key is suggested automatically to you as [original key name]_[copy1,2,...], but you can replace it with an alternative unique name, if required.
Perform the following steps to copy a key from a regular Fortanix DSM group to an OCI CDC group:
Generate an RSA or AES key in Fortanix DSM if the key is not already present. To create the key, refer to Generate Security Objects.
WARNING
The “Export” permission must be enabled when creating this key for the 'Copy Key' operation to work.
Go to the detailed view of the key and click the COPY KEY button available on the top right of the screen.
NOTE
The allowed key types for an OCI key generated using the Copy Key workflow are:
RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).
AES (AES_128, AES_192, and AES_256).
The COPY KEY button is disabled for all OCI KMS virtual keys.
In the COPY KEY window, do the following:
Hover on the name of the key and use the edit icon to update the name of the key, if required.
Click the Import key to HSM/External KMS check box to filter the groups to show only HSM/KMS groups. Select the OCI CDC group for the new key into which the copied key should be imported.
Enter the required Oracle key name.
NOTE
If you enter an Oracle key name that already exists in the OCI Vault, OCI generates a new key with the same name and a different key version.
Select either the Software or HSM option for the OCI protection mode.
Update the Key operations permitted if you want to modify the permissions of the key.
NOTE
Only the permissions that are already present in the source key can be modified. If some permissions are missing on the source key, they cannot be added to the copied key.
Click the CREATE COPY button to create a copy of the key.
The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key.
NOTE
Once the key is copied, perform the SYNC KEYS operation to ensure that a detailed inventory of the keys is created, where each Fortanix DSM virtual key represents a single OCI key version. For steps to sync keys, refer to Section 5.3: Sync Keys.
If you also want to keep a copy of the key material in Fortanix DSM, first generate or import a regular RSA or AES key in Fortanix DSM using the generate key or import key workflow, and then copy that key into OCI Vault using the Copy Key workflow.
The audit logs for a copied key in the OCI-backed group will display detailed entries, including the wrapping key type, key size, and wrapping mechanism if audit logging is enabled for the source key.
5.2 Bring Your Own Key - Import Key
This action imports the key into the OCI Vault, creating a virtual key in the corresponding OCI CDC group. The virtual key in the OCI CDC group points to the actual key in the OCI Vault, but only stores key information and attributes, not the key material. The import action does not store a copy of the key material in Fortanix DSM.
Perform the following steps to import a key in Fortanix DSM:
Navigate to the Security Objects menu item in the DSM left navigation panel and click the + button on the Security Objects page to create a new key.
On the Add New Security Object form, do the following:
Enter a name for the Security Object (Key).
Select the This is an HSM/external KMS object check box to filter the groups to show only HSM/KMS groups in the Select group list.
Select the OCI CDC group into which the keys will be imported. The keys will be imported into the region that was selected in the OCI CDC group.
Select the IMPORT radio button to initiate the import of the key in the OCI workflow.
Enter the required Oracle key name.
NOTE
If you enter an Oracle key name that already exists in the OCI Vault, OCI generates a new key with the same name and a different key version.
Select either Software or HSM option for the OCI protection mode.
In the Choose a type section, select the key type for the new OCI Vault key.
NOTE
The allowed key types for an OCI key generated using the Import key workflow are:
RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).
AES (AES_128, AES_192, and AES_256).
RSA keys that are imported from a file are sometimes already wrapped (encrypted) under a Fortanix DSM key, so that the key material is never transmitted in plaintext, even inside the TLS session. In that case, select The key has been encrypted check box.
Enter the Key Check Value (KCV).
NOTE
The KCV field applies only when importing an AES key.
In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click the UPLOAD A FILE button to upload the key file.
In the Key operations permitted section, select the permitted key operations and any key attributes if required using ADD ATTRIBUTES.
Click the IMPORT button to import the key.
NOTE
Once the key is imported, perform the SYNC KEYS operation to ensure that a detailed inventory of the keys is created, where each Fortanix DSM virtual key represents a single OCI key version. For steps to sync keys, refer to Section 5.3: Sync Keys.
The key is now imported.
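The two controls in the import steps above, The key has been encrypted check box and the KCV field, address the same risk: imported key material must never be exposed in plaintext and must arrive intact. The following Go program is an added example and is not Fortanix or Oracle code. It assumes a freshly generated RSA-OAEP/SHA-256 wrapping key standing in for the DSM wrapping key, and it uses the common AES Key Check Value convention (the first three bytes of the AES-ECB encryption of an all-zero block); that this is the convention the DSM import form expects is an assumption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KCV returns the Key Check Value of an AES key as lower-case hex: the first
// three bytes of the AES-ECB encryption of an all-zero 16-byte block. This is
// the common AES KCV convention; it is an assumption that the KCV field in the
// DSM import form uses the same convention.
func KCV(aesKey []byte) (string, error) {
	block, err := aes.NewCipher(aesKey) // rejects anything but 16/24/32 bytes
	if err != nil {
		return "", err
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:])
	return hex.EncodeToString(out[:3]), nil
}

// WrapKey encrypts key material under the wrapping key's public half with
// RSA-OAEP/SHA-256, so the plaintext key is never on the wire, even inside TLS.
func WrapKey(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// UnwrapAndCheck is the receiving side: the holder of the private wrapping key
// unwraps the blob and refuses it unless the KCV supplied alongside matches.
// OAEP padding also fails on any modification of the ciphertext.
func UnwrapAndCheck(priv *rsa.PrivateKey, wrapped []byte, expectedKCV string) ([]byte, error) {
	keyMaterial, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	got, err := KCV(keyMaterial)
	if err != nil {
		return nil, err
	}
	if got != expectedKCV {
		return nil, errors.New("KCV mismatch: wrong or corrupted key material")
	}
	return keyMaterial, nil
}

// ImportRoundTrip models the whole flow with a generated RSA-3072 wrapping key
// (an assumption, standing in for the DSM wrapping key). It returns true only if
// a tampered blob is rejected and the genuine blob unwraps to the original key
// with a matching KCV.
func ImportRoundTrip(aesKey []byte) (bool, error) {
	wrappingKey, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return false, err
	}
	expected, err := KCV(aesKey)
	if err != nil {
		return false, err
	}
	wrapped, err := WrapKey(&wrappingKey.PublicKey, aesKey)
	if err != nil {
		return false, err
	}
	// A flipped bit in transit must be rejected before the KCV is even consulted.
	tampered := append([]byte(nil), wrapped...)
	tampered[0] ^= 0x01
	if _, err := UnwrapAndCheck(wrappingKey, tampered, expected); err == nil {
		return false, errors.New("tampered blob was accepted")
	}
	unwrapped, err := UnwrapAndCheck(wrappingKey, wrapped, expected)
	if err != nil {
		return false, err
	}
	return bytes.Equal(unwrapped, aesKey), nil
}

func main() {
	key := make([]byte, 32) // constructed sample: a random AES-256 key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	k, _ := KCV(key)
	ok, err := ImportRoundTrip(key)
	fmt.Printf("KCV=%s roundtrip=%v err=%v\n", k, ok, err)
}
```

The KCV is not a secret and does not authenticate the sender; it only lets the importing side confirm that the key material it unwrapped is the one the operator intended to upload (for example, that the file was not the wrong key or hex-decoded with the wrong format setting). Integrity against modification in transit comes from the OAEP wrapping, which is why the example rejects the tampered blob before the KCV is compared.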
5.3 Sync Keys
Perform the following steps to sync the OCI keys as virtual keys in the OCI-backed DSM group:
Go to the OCI KMS group detailed view.
Click the HSM/KMS tab.
Click the SYNC KEYS button to import the new virtual keys.
Fortanix DSM will then connect to OCI Vault, fetch all available keys, and store them as virtual keys.
NOTE
When keys are synced with OCI KMS, the metadata of the existing keys for the configured OCI Vault and region are downloaded and represented as virtual keys. The actual key material for those keys is always stored in OCI Vault.
Clicking SYNC KEYS only returns the keys from the OCI Vault that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.
The time taken to sync keys from the OCI Vault to Fortanix DSM is a function of the number of keys in the OCI Vault and the network latency between the Oracle Cloud region and Fortanix DSM. It can take several minutes if there are hundreds of keys and there is significant network latency.
5.4 Attributes/Tags Tab
You can add custom attributes by using the ADD CUSTOM ATTRIBUTE button. These are user-defined security object attributes that can be added to the security object’s metadata and correspond to the “free-form tags” on an OCI key.
5.5 OCI Key Details
This tab displays key information retrieved from OCI, such as key ID, key version details, key name, and protection mode of the key currently linked to the OCI CDC group.
5.6 Security Objects Table View
After adding new OCI Vault keys, navigate to the Security Objects menu item to view all the security objects from all the groups (Regular Fortanix DSM and HSM/External KMS).
In the table, every key belongs to a group; the virtual keys added from an OCI Vault belong to a group marked with a special icon. The table shows all keys, whether or not they belong to an OCI CDC group.
5.7 Schedule to Delete a Key in OCI KMS
When you schedule a key version for deletion in OCI KMS from Fortanix DSM, OCI KMS marks the selected key version for deletion and permanently deletes it after the configured waiting period.
Perform the following steps to schedule key deletion from an OCI KMS:
Navigate to the Security Objects menu item and go to the detailed view of an OCI virtual key and select the OCI KEY DETAILS tab.
Click the SCHEDULE KEY DELETION link button.
In the Schedule Key Deletion in the OCI Vault window, enter a waiting period in days (7 to 30) during which you can still confirm that the OCI key is needed and cancel the deletion.
NOTE
Data encrypted with the key becomes unusable once the key is deleted.
Select the confirmation “I understand that the data encrypted with the object can no longer be used once the object is scheduled for deletion.” checkbox.
Click the SCHEDULE KEY DELETE button to mark the key for deletion.
NOTE
If you delete an OCI key container using Actions → Delete Key, all key versions are set to the “Pending deletion” state. Fortanix DSM does not allow cancelling the deletion of these key versions. To retain the ability to cancel key deletion in DSM, always delete individual key versions from the OCI key container.
Figure 1: Delete OCI Key Container
If the key version is the current active version, it cannot be scheduled for deletion. Only older key versions can be scheduled for deletion in OCI.
You can cancel the key deletion at any time before the waiting period ends using the CANCEL KEY DELETION IN OCI link at the top of the screen in the detailed view of the OCI virtual key.
The following section describes key rotation in the OCI CDC group. Rotating a key retires the existing encryption key and replaces it with newly generated cryptographic key material.
6.1 Rotating Keys in Fortanix DSM Source Group
Prerequisites: Create a regular Fortanix DSM group with source keys copied to the OCI CDC group.
When rotating a key that belongs to a Fortanix DSM source group, if the key has linked keys (copies of the original key material), then you are given the option to select the linked keys for the key rotation. If any of these linked keys belong to an OCI CDC group, rotating them also updates the corresponding keys in OCI Vault by importing a new key version.
Perform the following steps to rotate a key in OCI Vault:
Navigate to the Security Objects menu item in the DSM left navigation panel to go to the detailed view of a Fortanix DSM source key and click the ROTATE KEY button.
In the Key Rotation window, select the Generate new key option.
Select the OCI virtual keys to rotate with the Fortanix DSM source key and click the ROTATE KEY button.
On the Rotate key window, select both the check boxes to confirm your understanding of the action. Click the PROCEED button.
After the keys are rotated, click the OK button.
You can schedule a key rotation policy for the Fortanix DSM source key to automatically and periodically rotate linked OCI keys that are copies of the source key.
Perform the following steps to schedule a key rotation policy for the source key:
Navigate to the Security Objects menu item in the DSM left navigation panel to go to the detailed view of a Fortanix DSM source key.
In the detailed view, click the KEY ROTATION tab and click the ADD POLICY button.
Enter the key rotation schedule by specifying the rotation frequency, start date, and time.
To deactivate the old key after key rotation, select the Deactivate original key after the rotation check box.
To enable key rotation for linked keys, select the Enable key rotation for copied keys check box.
Click the SAVE POLICY button to save the policy.
On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.
6.2 Rotate OCI Native Key to Fortanix DSM Owned Key
When an OCI Vault virtual key whose key material is owned by OCI KMS is rotated, you are given the option to rotate it with a Fortanix DSM-backed key. When you select this option and perform the rotation, a new key version is created under the existing OCI Vault key, carrying the key material of the Fortanix DSM source key. From that version on, the OCI Vault virtual key is backed by a Fortanix DSM source key and is therefore a BYOK key. Use this workflow to convert OCI native keys into BYOK keys.
Perform the following steps to rotate a virtual key with a Fortanix DSM-backed key:
Navigate to the Security Objects menu item in the DSM left navigation panel to go to the detailed view of an OCI virtual key and click the ROTATE KEY button.
In the Key Rotation window, the Generate new key radio button is selected by default.
Select the Rotate to DSM key check box.
Select the Fortanix DSM group that contains the source key, and then select the required source key from the respective drop down menu.
NOTE
Ensure that the OCI virtual key has the same permissions as the selected Fortanix DSM source key.
The source key must have the Export permission and must be of the same key type as the OCI virtual key (for example, both RSA keys or both AES keys).
Click the ROTATE KEY button.
On the next screen, select both the check boxes to confirm your understanding of the action. Click the PROCEED button.
The virtual key has been rotated and is now backed by the source key. To confirm, go to the detailed view of the newly rotated OCI virtual key and click the OCI KEY DETAILS tab. You will notice that the SOURCE field now shows FortanixHSM instead of External.
Fortanix DSM’s BYOK feature generates linked or copied virtual keys from a source key, enabling backup and key replication to other CSP accounts/subscriptions, regional instances, and key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.
Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.
Virtual keys are keys for which Fortanix DSM holds the key metadata, but not the key material, in a specific group. Virtual keys are created when Fortanix DSM inventories existing CSP keys, generates native CSP keys (“CNKM keys”, Cloud Native Key Management), or holds a key linked to a CDC group. You can tell whether a key is a virtual key or a linked key by the color of its icon in Fortanix DSM.