End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Check for KMS Key Protection Mode


Risk Level: Low (generally tolerable level of risk)
Rule ID: OCI-KMS-004

Ensure that the Customer-Managed Keys (CMKs) in your OCI KMS Vaults use the SOFTWARE protection mode unless an HSM-protected key is actually required, for example by a compliance obligation that mandates keys held in a FIPS 140-2 Level 3 validated Hardware Security Module. SOFTWARE-protected keys cost less than HSM-protected keys and still cover standard encryption needs; keep HSM protection only for the keys that need it.

Cost optimisation

Using SOFTWARE-protected keys in Oracle Cloud Infrastructure (OCI) KMS helps optimize costs because they are free to use, whereas HSM-protected keys are billed monthly per key version for their higher security tier. The trade-off is that a SOFTWARE key is stored and used on OCI servers rather than inside an HSM, so the protection mode should be chosen per key against your compliance requirements, not switched to SOFTWARE across the board.


Audit

To determine the protection mode configured for your OCI KMS Customer-Managed Keys (CMKs), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to examine, listed in the Name column. An active KMS Vault has the State set to Active.

  5. Select the Master encryption keys tab to list the Customer-Managed Keys (CMKs) available in the selected OCI KMS Vault.

  6. Click inside the Search and Filter box, choose State, select Enabled, and choose Apply filter to list the active KMS keys.

  7. Click on the name (link) of the active KMS key that you want to examine, listed in the Name column.

  8. Select the Key information tab, and check the Protection Mode attribute value, listed in the left column, to determine the key's protection mode. If Protection Mode is set to HSM, the selected OCI KMS Customer-Managed Key (CMK) is stored and processed on an OCI Hardware Security Module (HSM) instead of an OCI server.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with custom output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run kms management vault list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each active KMS Vault provisioned in the selected OCI compartment. Vaults are regional resources, so the command only returns vaults in the region your CLI profile is configured for:

    oci kms management vault list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query "data[?\"lifecycle-state\"=='ACTIVE'].id"
    
  4. The command output should return the requested Vault IDs:

    [
    	"ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.vault.oc1.ap-sydney-1.abcd1234abcda.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run kms management vault get command (Windows/macOS/Linux) to describe the service endpoint configured for the selected OCI KMS Vault:

    oci kms management vault get \
    	--vault-id 'ocid1.vault.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234' \
    	--query 'data."management-endpoint"'
    
  6. The command output should return the URL of the service (management) endpoint configured for the selected vault:

    "https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com"
    
  7. Run oci kms management key list command (Windows/macOS/Linux) with the management endpoint of the OCI KMS Vault that you want to examine as the --endpoint parameter and the ID of the compartment that holds the keys as the --compartment-id parameter, to list the ID and state of each KMS Customer-Managed Key (CMK) created within the selected Vault. A key can live in a different compartment than its Vault, so repeat the command for each compartment in which keys may have been created:

    oci kms management key list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--endpoint 'https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com' \
    	--all \
    	--query 'data[].["id","lifecycle-state"]'
    
  8. The command output should return the ID and status for each KMS key available in the selected Vault. An active Customer-Managed Key has the lifecycle status set to "ENABLED":

    [
    	[
    		"ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"ENABLED"
    	],
    	[
    		"ocid1.key.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
    		"ENABLED"
    	]
    ]
    
  9. Run oci kms management key get command (Windows/macOS/Linux) with the ID of the active Customer-Managed Key (CMK) that you want to examine as the identifier parameter and custom output filters, to describe the protection mode configured for the selected KMS key:

    oci kms management key get \
    	--key-id 'ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--endpoint 'https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com' \
    	--query 'data."protection-mode"'
    
  10. The command output should return the key's protection mode:

    "HSM"
    

    If the oci kms management key get command output returns HSM, as shown in the example above, the selected OCI KMS Customer-Managed Key (CMK) is stored and processed on an OCI Hardware Security Module (HSM) instead of an OCI server. Repeat steps 5 to 10 for every active Vault returned in step 4, and steps 3 to 10 for every compartment and region in scope.
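The manual CLI procedure above is ten steps per key and has to be repeated per compartment, per vault and per region, which is where mistakes creep in. The script below is an added example, not part of this page or of the OCI CLI: it drives the same four CLI commands (iam compartment list, kms management vault list, kms management key list, kms management key get) from Python, queries every compartment against every active vault endpoint because a key can be created in a different compartment than its vault, and keeps the pass/fail decision in a pure function that is exercised offline on constructed records. Assumptions not taken from the page: the OCI CLI is installed and its default profile is authenticated against the region being audited (vault endpoints are regional, so run it once per region), and the freeform tag name "hsm-required" is a hypothetical convention used here to exempt keys that must stay HSM-protected for compliance.

```python
"""Automated audit for rule OCI-KMS-004 (KMS key protection mode).

Added example (not the page's or Oracle's code). Assumes an authenticated
OCI CLI on PATH; the "hsm-required" freeform tag is a hypothetical convention.
"""
import json
import subprocess
from typing import Any, Dict, List

HSM_REQUIRED_TAG = "hsm-required"  # hypothetical tag; value "true" exempts an HSM key


def run_oci(*args: str) -> Any:
    """Run one OCI CLI command and return its parsed "data" element (list or dict)."""
    result = subprocess.run(["oci", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)["data"] if result.stdout.strip() else []


def evaluate_key(key: Dict[str, Any]) -> Dict[str, str]:
    """Apply OCI-KMS-004 to one record shaped like `kms management key get` data.

    SKIP: key is not ENABLED (the manual audit only inspects enabled keys).
    PASS: SOFTWARE key, or an HSM key explicitly tagged as compliance-required.
    FAIL: HSM key without a justification; candidate for re-creation as SOFTWARE.
    """
    key_id = key.get("id", "<unknown>")
    state = key.get("lifecycle-state")
    if state != "ENABLED":
        return {"key-id": key_id, "status": "SKIP", "reason": f"lifecycle-state={state}"}
    mode = key.get("protection-mode")
    tags = key.get("freeform-tags") or {}
    if mode == "HSM":
        if str(tags.get(HSM_REQUIRED_TAG, "")).lower() == "true":
            return {"key-id": key_id, "status": "PASS",
                    "reason": f"HSM key exempted by tag {HSM_REQUIRED_TAG}=true"}
        return {"key-id": key_id, "status": "FAIL",
                "reason": "HSM-protected key without a compliance exemption; "
                          "re-create as SOFTWARE and re-encrypt dependent data first"}
    return {"key-id": key_id, "status": "PASS", "reason": f"protection-mode={mode}"}


def evaluate_keys(keys: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Evaluate many records, de-duplicating by key OCID (a key may be listed twice)."""
    seen, findings = set(), []
    for key in keys:
        if key.get("id") in seen:
            continue
        seen.add(key.get("id"))
        findings.append(evaluate_key(key))
    return findings


def audit_region() -> List[Dict[str, str]]:
    """Live run: compartments -> active vault endpoints -> keys -> key details."""
    compartments = run_oci("iam", "compartment", "list", "--all", "--include-root",
                           "--compartment-id-in-subtree", "true", "--access-level", "ACCESSIBLE")
    comp_ids = [c["id"] for c in compartments if c.get("lifecycle-state", "ACTIVE") == "ACTIVE"]
    endpoints = []
    for cid in comp_ids:
        for vault in run_oci("kms", "management", "vault", "list", "--compartment-id", cid, "--all"):
            if vault.get("lifecycle-state") == "ACTIVE":
                endpoints.append(vault["management-endpoint"])
    records = []
    # `key list` is scoped by compartment and a key may sit in a different compartment
    # than its vault, so every compartment is queried against every vault endpoint.
    for endpoint in endpoints:
        for cid in comp_ids:
            for summary in run_oci("kms", "management", "key", "list",
                                   "--compartment-id", cid, "--endpoint", endpoint, "--all"):
                records.append(run_oci("kms", "management", "key", "get",
                                       "--key-id", summary["id"], "--endpoint", endpoint))
    return evaluate_keys(records)


# Constructed sample records (placeholder OCIDs) in the shape of `key get` output.
SAMPLE_KEYS = [
    {"id": "ocid1.key.oc1.ap-sydney-1.sample1", "lifecycle-state": "ENABLED",
     "protection-mode": "HSM", "freeform-tags": {}},
    {"id": "ocid1.key.oc1.ap-sydney-1.sample2", "lifecycle-state": "ENABLED",
     "protection-mode": "HSM", "freeform-tags": {"hsm-required": "true"}},
    {"id": "ocid1.key.oc1.ap-sydney-1.sample3", "lifecycle-state": "ENABLED",
     "protection-mode": "SOFTWARE", "freeform-tags": {}},
    {"id": "ocid1.key.oc1.ap-sydney-1.sample4", "lifecycle-state": "PENDING_DELETION",
     "protection-mode": "HSM", "freeform-tags": {}},
]


def demo() -> List[Dict[str, str]]:
    """Offline run over the constructed sample; audit_region() is the live equivalent."""
    return evaluate_keys(SAMPLE_KEYS)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['status']:4} {finding['key-id']}: {finding['reason']}")
```

Running the file prints one line per sample key: the untagged HSM key fails, the tagged HSM key and the SOFTWARE key pass, and the key pending deletion is skipped. Swap `demo()` for `audit_region()` to evaluate a real tenancy region; the exemption tag is the important design choice, because the rule explicitly targets only keys for which HSM protection is not a compliance requirement, and a flat "no HSM keys" policy would be a security regression.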

Remediation / Resolution

You can't change a key's protection mode after you create it. To move an OCI KMS Customer-Managed Key (CMK) from an OCI Hardware Security Module (HSM) to an OCI server, you must create a replacement key with the SOFTWARE protection mode and re-point the resources that use the old key to it. A new key cannot decrypt data protected by the old one, so re-encrypt dependent data before you disable or schedule deletion of the HSM key; once a key is deleted, data encrypted with it is unrecoverable. To create KMS Customer-Managed Keys, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to access, listed in the Name column. An active KMS Vault has the State set to Active.

  5. Select the Master encryption keys tab, choose Create Key, and perform the following actions to create a new OCI KMS Customer-Managed Key (CMK):

    1. Select the appropriate OCI compartment from the Create in compartment dropdown menu.
    2. Select Software from the Protection Mode dropdown list. The protection mode indicates how the KMS key persists and where cryptographic operations that use the key are performed.
    3. Enter a unique name for the new Customer-Managed Key (CMK) in the Name box.
    4. Select the key algorithm and length from the Key Shape: Algorithm and Key Shape: Length lists.
    5. For Import External key, choose whether to import your own key material instead of having OCI generate it. If you import a key, upload the wrapped external key data when prompted.
    6. Select Tags and use the Add tag button to add resource tags (free-form and defined tags) to your key.
    7. Choose Create Key to generate your new OCI KMS Customer-Managed Key.

Using OCI CLI

  1. Run kms management key create command (Windows/macOS/Linux) to create a new OCI KMS Customer-Managed Key (CMK). For --protection-mode use 'SOFTWARE'; --protection-mode indicates how the KMS key persists and where cryptographic operations that use the key are performed. The --key-shape length for AES is given in bytes, so 32 creates a 256-bit key:

    oci kms management key create \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--display-name 'cc-project5-master-key' \
    	--endpoint 'https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com' \
    	--key-shape '{"algorithm":"AES","length":32}' \
    	--protection-mode 'SOFTWARE'
    
  2. The command output should return the configuration information available for the new OCI KMS key. The key is returned in the CREATING state; wait until its lifecycle-state is ENABLED (for example by polling kms management key get) before using it:

    {
    	"data": {
    		"auto-key-rotation-details": null,
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"current-key-version": "ocid1.keyversion.oc1.ap-sydney-1.abcdabcd1234a.abcdabcd1234a.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"defined-tags": {},
    		"display-name": "cc-project5-master-key",
    		"external-key-reference-details": null,
    		"freeform-tags": {},
    		"id": "ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"is-auto-rotation-enabled": false,
    		"is-primary": true,
    		"key-shape": {
    			"algorithm": "AES",
    			"curve-id": null,
    			"length": 32
    		},
    		"lifecycle-state": "CREATING",
    		"protection-mode": "SOFTWARE",
    		"replica-details": null,
    		"restored-from-key-id": null,
    		"time-created": "2025-10-27T08:45:25.854000+00:00",
    		"time-of-deletion": null,
    		"vault-id": "ocid1.vault.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    	},
    	"etag": "1234abcd1234abcd1234abcd1234abcd1234"
    }
    


Publication date Nov 12, 2025