Overview
OCI Vault (Oracle Cloud Infrastructure Vault) provides a Key Management Service (KMS) that can be used to safeguard the keys of wallets managed by the Wallet API. This document describes how to integrate OCI Vault with the Wallet API and manage those keys securely.
If you are new to OCI Vault, familiarize yourself with the service through the guides available here. The following sections assume that you know how Vault works and have already set up and configured a key management service.
Using OCI Vault with the Wallet API
There are two main methods for integrating OCI Vault with the Wallet API:
- OCI SDK: Utilize the OCI SDK to manage keys in OCI Vault programmatically.
- OCI REST API: Interact with the OCI REST API to manage keys in OCI Vault directly.
OCI SDK Integration with OCI Vault
The OCI SDK provides a convenient way to manage keys in OCI Vault without interacting with the REST API directly.
Because no private key is supplied in this mode, you must configure instance principal authentication so that the instance running the Wallet API is authorized to use the vault.
You must also provide the compartment ID and the vault ID in the Wallet API's oci.conf file.
Example configuration:
vaultId="ocid1.vault.oc1.iad.amaaaaaa4q6q6qia7q7"
compartmentId="ocid1.compartment.oc1..aaaaaaaawirugoz35riiybcxsvf7bmelqsxo3sajaav5w3i2vqowcwqrllxa"
OCI REST API Integration with OCI Vault
With the OCI REST API you can manage keys in OCI Vault without using the SDK.
Provide the configuration the Wallet API needs to reach OCI Vault in the oci-rest-api.conf file.
Example configuration:
tenancyOcid = "ocid1.tenancy.oc1..aaaaaaaaiijfupfvsqwqwgupzdy5yclfzcccmie4ktp2wlgslftv5j7xpk6q"
compartmentOcid = "ocid1.tenancy.oc1..aaaaaaaaiijfupfvsqwqwgupzdy5yclfzcccmie4ktp2wlgslftv5j7xpk6q"
userOcid = "ocid1.user.oc1..aaaaaaaaxjkkfjqxdqk7ldfjrxjmacmbi7sci73rbfiwpioehikavpbtqx5q"
fingerprint = "bb:d4:4b:0c:c8:3a:49:15:7f:87:55:d5:2b:7e:dd:bc"
managementEndpoint = "entcvrlraabc4-management.kms.eu-frankfurt-1.oraclecloud.com"
cryptoEndpoint = "entcvrlraabc4-crypto.kms.eu-frankfurt-1.oraclecloud.com"
signingKeyPem = """
PRIVATE_KEY_HERE
"""
