Enhancing Security with OCI Vault for Secrets Management

Posted on by Osama Mustafa in Cloud, OCI

This blog will explore how to enhance the security of your Oracle Cloud Infrastructure (OCI) applications by implementing OCI Vault for secrets management. We’ll cover setting up OCI Vault, managing secrets and encryption keys, integrating with other OCI services, and best practices for secure secrets management.

Setting Up OCI Vault

Create a Vault:

  • Navigate to the OCI Console, go to “Security,” and select “Vault.”
  • Click “Create Vault,” name it, choose the compartment, and select the type (Virtual Private Vault for added security).
  • Define backup and key rotation policies.

Create Keys:

  • Within the Vault, select “Create Key.”
  • Define the key’s attributes (e.g., name, algorithm, key length) and create the key.

Create Secrets:

  • Navigate to the “Secrets” section within the Vault.
  • Click “Create Secret,” provide a name, and input the secret data (e.g., API keys, passwords).
  • Choose the encryption key you created earlier for securing the secret.

Managing Secrets and Encryption Keys

Rotating Keys and Secrets

  • Configure automatic rotation for encryption keys and secrets based on your organization’s security policies.
  • Rotate secrets manually as needed via the OCI Console or CLI.

Access Controls

  • Use OCI Identity and Access Management (IAM) to define who can access the Vault, keys, and secrets.
  • Implement fine-grained permissions to control access to specific secrets or keys.

Integrating OCI Vault with Other Services

OCI Compute

  • Securely inject secrets into OCI Compute instances at runtime using OCI Vault.
  • Example: Retrieve a database password from OCI Vault within a Compute instance using an SDK or CLI.

OCI Kubernetes (OKE)

  • Integrate OCI Vault with OKE for managing secrets in containerized applications.
  • Example: Use a sidecar container to fetch secrets from OCI Vault and inject them into application pods.

Automating Secrets Management

Using Terraform

  • Automate the creation and management of OCI Vault, keys, and secrets using Terraform.
  • Example Terraform snippet for creating a secret:
resource "oci_kms_vault" "example_vault" {
  compartment_id = var.compartment_id
  display_name   = "example_vault"
  vault_type     = "DEFAULT"
}

resource "oci_kms_key" "example_key" {
  management_endpoint = oci_kms_vault.example_vault.management_endpoint
  key_shape {
    algorithm = "AES"
    length    = 256
  }
}

resource "oci_secrets_secret" "example_secret" {
  compartment_id = var.compartment_id
  vault_id       = oci_kms_vault.example_vault.id
  key_id         = oci_kms_key.example_key.id
  secret_content {
    content = base64encode("super_secret_value")
  }
}

Using OCI SDKs

  • Programmatically manage secrets with OCI SDKs in languages like Python, Java, or Go.
  • Example: Retrieve a secret in Python:
import oci

config = oci.config.from_file("~/.oci/config", "DEFAULT")
secrets_client = oci.secrets.SecretsClient(config)
secret_id = "<your_secret_ocid>"
response = secrets_client.get_secret_bundle(secret_id)
secret_content = response.data.secret_bundle_content.content.decode("utf-8")

Notes

  • Regularly rotate encryption keys and secrets to minimize exposure.
  • Implement least privilege access controls using OCI IAM.
  • Enable auditing and logging for all key and secret management activities.
  • Use the Virtual Private Vault for sensitive data requiring higher security levels.
Unknown's avatar

Published by Osama Mustafa

Osama considered as one of the leaders in Cloud technology, DevOps and database in the Middle-East. I have more than ten years of experience within the industry. moreover, certfied 4x AWS , 4x Azure and 6x OCI, have also obtained database certifications for multiple providers. In addition to having experience with Oracle database and Oracle products, such as middle-ware, OID, OAM and OIM, I have gained substantial knowledge with different databases. Currently, I am architecting and implementing Cloud and DevOps. On top of that, I'm providing solutions for companies that allow them to implement the solutions and to follow the best practices.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.