https://oracle-japan.github.io/ocidocs/services/security/vault/
https://qiita.com/sugimount/items/c26a304d053445b87263
https://docs.oracle.com/ja-jp/iaas/Content/KeyManagement/Concepts/keyoverview.htm
Virtual Private Vault ¥521.36/h
Default Vault 無償
マスター暗号化キー保護モード
HSM ¥74.676/month (First 20 Key Versions free)
SOFTWARE 無償
-- 1. ボールト作成
# 1. Vault: list the vaults in a compartment, create a DEFAULT vault, schedule a deletion.
# Placeholder compartment OCID (all zeros) carried over from the notes.
compartment_id=ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000

# Table of name / OCID / lifecycle state for every vault in the compartment.
oci kms management vault list \
  --compartment-id "$compartment_id" \
  --all \
  --query 'data.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
  --output table

# Create a DEFAULT-type vault (the no-charge type per the pricing note above) named vault02.
oci kms management vault create \
  --compartment-id "$compartment_id" \
  --display-name vault02 \
  --vault-type DEFAULT

# Schedule deletion of a vault (placeholder OCID); deletion happens at the given time, not immediately.
vault_id=ocid1.vault.oc1.iad.xxxxxxxxxxxxx.000000000000000000000000000000000000000000000000000000000000
oci kms management vault schedule-deletion \
  --vault-id "$vault_id" \
  --time-of-deletion 2024-01-15T08:00:00Z
7日から30日までの範囲を設定できます。
-- 2. マスター暗号化キー作成
# 2. Master encryption key: list keys, create a 256-bit AES key, schedule a deletion.
# Key management calls go to the vault's management endpoint (the crypto endpoint is
# used later for generate-data-encryption-key / decrypt).
compartment_id=ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
management_endpoint="https://xxxxxxxxxxxxx-management.kms.us-ashburn-1.oraclecloud.com"

# Table of name / OCID / lifecycle state for every key in the compartment.
oci kms management key list \
  --compartment-id "$compartment_id" \
  --endpoint "$management_endpoint" \
  --all \
  --query 'data.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
  --output table

# Print a JSON template listing every parameter the create command accepts.
oci kms management key create --generate-full-command-json-input

# Key shape: AES with a 32-byte (256-bit) key; curveId is left null for AES.
key_shape='{
"algorithm": "AES",
"curveId": null,
"length": 32
}'
# SOFTWARE protection mode is the no-charge option per the pricing note above.
oci kms management key create \
  --compartment-id "$compartment_id" \
  --display-name key02 \
  --endpoint "$management_endpoint" \
  --protection-mode SOFTWARE \
  --key-shape "$key_shape"

# Schedule deletion of a key (placeholder OCID); the date must fall inside the
# retention window described in the note that follows.
key_id=ocid1.key.oc1.iad.xxxxxxxxxxxxx.000000000000000000000000000000000000000000000000000000000000
oci kms management key schedule-deletion \
  --key-id "$key_id" \
  --endpoint "$management_endpoint" \
  --time-of-deletion 2024-01-15T08:00:00Z
7日から30日までの範囲を設定できます。
-- 3. 平文の作成
# 3. Write the sample plaintext that will be protected, then show it.
printf '%s\n' "hello world" > plain_text
cat plain_text
-- 4. DataKeyとEncrypted DataKeyの作成
# 4. Have the master key generate a data encryption key (DEK).
# The response is kept in $output; later steps pull .data.ciphertext (the DEK wrapped
# by the master key) and .data.plaintext (the unwrapped DEK, returned only because
# --include-plaintext-key is true) out of it.
crypto_endpoint="https://xxxxxxxxxxxxx-crypto.kms.us-ashburn-1.oraclecloud.com"
key_id=ocid1.key.oc1.iad.xxxxxxxxxxxxx.000000000000000000000000000000000000000000000000000000000000
# Shape of the DEK to generate: AES, 32 bytes (256 bits).
dek_shape='{
"algorithm": "AES",
"curveId": null,
"length": 32
}'
output=$(oci kms crypto generate-data-encryption-key \
  --key-id "$key_id" \
  --endpoint "$crypto_endpoint" \
  --key-shape "$dek_shape" \
  --include-plaintext-key true)
※--endpoint には、鍵の作成で使った管理エンドポイント（…-management.kms…）ではなく「暗号エンドポイント」（…-crypto.kms…）を使用する
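# Show the full response, then split it into the wrapped DEK and the plaintext DEK.
# "$output" is quoted so the JSON reaches jq intact (the unquoted form word-splits it
# and exposes any * or ? in the text to glob expansion); printf is used instead of
# echo so the data is never interpreted as echo options or escape sequences.
printf '%s\n' "$output" | jq -r
printf '%s\n' "$output" | jq -r .data.ciphertext > encrypted_datakey
# plain_datakey is written with the current umask; restrict it (e.g. umask 077)
# beforehand if other local users must not be able to read the key material.
printf '%s\n' "$output" | jq -r .data.plaintext > plain_datakey
cat encrypted_datakey
# Prints the unwrapped key to the terminal (and thus to scrollback / session logs).
cat plain_datakey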
-- 5. 暗号文の作成
# 5. Encrypt plain_text with the DEK. `openssl aes-256-cbc` is the short form of
# `openssl enc -aes-256-cbc`. Note that -pass file: reads the first line of the
# file as a *passphrase* and -iter derives the actual cipher key from it with
# PBKDF2, so the content of plain_datakey is not used directly as the raw AES key.
openssl enc -aes-256-cbc -e \
  -iter +10000 \
  -in plain_text \
  -out encrypted_text \
  -pass file:plain_datakey
cat encrypted_text
-- 6. 平文とDatakeyを削除
# 6. Remove the plaintext and the unwrapped DEK now that the ciphertext exists.
# rm only unlinks the entries; it does not overwrite the key bytes on disk, so
# the storage medium may still hold them until reused.
ls -ltr
rm -i -- plain_text plain_datakey
ls -ltr
-- 7. Encrypted DataKeyの復号
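# 7. Unwrap the DEK by sending its ciphertext (saved in step 4) to the crypto endpoint.
# The command substitution is quoted so the file content is passed as one argument
# even if it contains whitespace or glob characters.
output=$(oci kms crypto decrypt \
  --key-id ocid1.key.oc1.iad.xxxxxxxxxxxxx.000000000000000000000000000000000000000000000000000000000000 \
  --endpoint "https://xxxxxxxxxxxxx-crypto.kms.us-ashburn-1.oraclecloud.com" \
  --ciphertext "$(cat encrypted_datakey)")
# "$output" is quoted and fed through printf for the same reasons as in step 4:
# no word-splitting/glob expansion of the JSON, no echo option or escape handling.
printf '%s\n' "$output" | jq -r
# Prints the unwrapped key to the terminal (scrollback / session logs).
printf '%s\n' "$output" | jq -r .data.plaintext
# Written with the current umask; restrict it (e.g. umask 077) if needed.
printf '%s\n' "$output" | jq -r .data.plaintext > decrypted_datakey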
-- 8. 復号したDataKeyで暗号文を復号
# 8. Decrypt encrypted_text with the recovered DEK. The options mirror step 5
# (same cipher, iteration count and passphrase-from-file source) with -d in place
# of -e; `openssl enc -aes-256-cbc` is the long form of `openssl aes-256-cbc`.
openssl enc -aes-256-cbc -d \
  -iter +10000 \
  -in encrypted_text \
  -out decrypted_text \
  -pass file:decrypted_datakey
cat decrypted_text
# decrypted_datakey and decrypted_text are left on disk after this step.