New Cloud Crypto Service: Oracle Cloud Infrastructure KMS

Graham Steel
February 28, 2019

We often talk about the "big three" cloud providers: AWS, Azure and GCP. Reliable market share data is hard to come by, but common thinking is that GCP are a little way behind the "big two". Meanwhile, Oracle's IaaS offering OCI (Oracle Cloud Infrastructure) is a long way behind the "big three", and figures only as a thin Larry Ellison tie on AWS' own market share presentations.

State of the cloud at #reInvent pic.twitter.com/QBiIMkiC06

— Arun Gupta (@arungupta) November 28, 2018

However, Oracle are now putting some very serious investment into their cloud in an effort to capitalise on their enterprise customer base. Several of our own large customers are looking at OCI as a possible alternative or complement to other CSPs. OCI recently launched a cloud crypto service, so how does it measure up to the others in our cloud crypto comparison?

Keys, Secrets and Algorithms

For the moment, OCI KMS manages only 256-bit AES keys. These keys are generated and stored in a FIPS 140-2 level 3 HSM, but there is no documented facility to import keys (so-called bring Your Own Key or BYOK). Keys are provisioned into vaults a bit like in Azure. The vaults correspond to partitions on the HSM.There is currently no provision for secret storage as there is in AWS and Azure. It's also not possible in the documentation to discover the plaintext size limit for encryption under the master key.The exact cryptographic mechanism used is not documented, just like in GCP. However, the algorithm used supports associated data, so we might guess that it's GCM, but it could be CCM or something else. There's no mention of how IV generation is handled either, but it's not a parameter to the call so we have to assume the KMS is handling that.

Access Control and Logging

Access to keys is regulated by Oracle's IAM. You can assign access to a vault and/or to a specific key in a vault. Keys also have an activation status, but since there is only one operation available (encryption/decryption), there are no other usage attributes. To see who or what is using the keys, you can consult events in the Audit Log. However there are no sample crypto calls in the document, so it's not possible to see exactly what gets logged - for example, it might be interesting to know whether associated data is supplied or not. It's also not clear if only key management calls are logged by default (as in GCP for example) or whether key usage commands are also included.

Conclusions

The fact that Oracle have implemented such a service serves to illustrate how over the last year or so key management and cryptography APIs have gone from being a feature to a requirement for serious Cloud Service Providers. Clearly it's very early days for the OCI KMS, but already we can see that there are a mixture of elements from Azure Keyvault, AWS KMS and GCP KMS in the way OCI KMS operates. It will be interesting to see how the first "second generation" KMS evolves. In the near future we'll be adding it to our comparison infographic.