End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on "July 31st, 2025" and End of Life on "July 31st, 2026". The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Virtual Private Vaults

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-KMS-005

For maximum security, ensure that your Oracle Cloud Infrastructure (OCI) KMS Vaults are provisioned on an isolated partition of the Hardware Security Module (HSM) to achieve single-tenant isolation and prevent logical access or key compromise from other tenants sharing the physical hardware.

Cost optimisation

Oracle Cloud Infrastructure (OCI) KMS Vaults that protect sensitive workloads or must meet stringent compliance requirements should reside on an isolated partition within an HSM, which is what a Virtual Private Vault provides. A Virtual Private Vault has its own secure HSM partition and therefore offers stronger isolation and backup capabilities, whereas a shared (default) vault trades that isolation for lower cost and pay-per-key flexibility.


Audit

To determine if your Oracle Cloud Infrastructure (OCI) KMS Vaults are Virtual Private Vaults, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to examine, listed in the Name column. Being an active Vault means its State is set to Active.

  5. Select the Vault information tab to access the essential configuration information available for the selected KMS Vault.

  6. In the General information section, check the Virtual Private configuration attribute value to determine if the selected KMS Vault is provisioned on an isolated partition of the OCI Hardware Security Module (HSM). If Virtual Private is set to No, the selected Oracle Cloud Infrastructure (OCI) KMS Vault was not deployed as Virtual Private Vault.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with custom output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
    	--all
    	--include-root
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run kms management vault list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each active KMS Vault provisioned in the selected OCI compartment:

    oci kms management vault list
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--all
    	--query "data[?\"lifecycle-state\"=='ACTIVE'].id"
    
  4. The command output should return the requested Vault IDs:

    [
    	"ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.vault.oc1.ap-sydney-1.abcd1234abcda.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run kms management vault get command (Windows/macOS/Linux) to describe the vault type for the specified resource. This will allow you to determine if the selected OCI KMS Vault is provisioned on an isolated partition of the OCI Hardware Security Module (HSM):

    oci kms management vault get
    	--vault-id 'ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--query 'data."vault-type"'
    
  6. The command output should return the vault type ("DEFAULT" for standard, default KMS Vault, "EXTERNAL" for external KMS Vault, or "VIRTUAL_PRIVATE" for Virtual Private Vault):

    "DEFAULT"
    

    If the kms management vault get command output returns "DEFAULT", as shown in the example above, the verified Oracle Cloud Infrastructure (OCI) KMS Vault is not provisioned on an isolated partition of the Hardware Security Module (HSM). As a result, the selected OCI KMS Vault was not deployed as Virtual Private Vault.
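The three CLI steps above can be chained into a single audit run. The script below is an added example and is not part of this Conformity page or of Oracle's tooling; it assumes a configured OCI CLI (`oci`) with permission to list compartments and vaults, and the JSON list output it parses is constructed to match the shape shown above (one quoted OCID per line). The `vault_verdict` function maps the `vault-type` value to a PASS/FAIL result using the rule's own logic: only VIRTUAL_PRIVATE passes.

```shell
#!/bin/sh
# Added example (not Conformity's or Oracle's code). Assumes a configured OCI CLI.

# Map the string that `oci kms management vault get --query 'data."vault-type"'`
# prints to a verdict. The --query output is a JSON string (e.g. "DEFAULT",
# quotes included), so surrounding quotes are stripped first.
# Prints PASS / FAIL / UNKNOWN and returns 0 / 1 / 2 respectively.
vault_verdict() {
    vt=${1#\"}
    vt=${vt%\"}
    case "$vt" in
        VIRTUAL_PRIVATE) echo "PASS"; return 0 ;;
        DEFAULT|EXTERNAL) echo "FAIL"; return 1 ;;   # not an isolated HSM partition
        *) echo "UNKNOWN"; return 2 ;;
    esac
}

# Pull the OCIDs out of the JSON array the CLI prints (one quoted id per line).
ocids_from_json() {
    sed -n 's/^[[:space:]]*"\(ocid1\.[^"]*\)".*$/\1/p'
}

# Walk every compartment (root included) and every ACTIVE vault in it, and print
# one tab-separated line per vault: verdict, vault OCID, raw vault-type.
# This needs a live OCI session and is only run when OCI_VAULT_AUDIT=run is set.
audit_vault_types() {
    oci iam compartment list --all --include-root --query 'data[]."id"' | ocids_from_json |
    while read -r comp; do
        oci kms management vault list --compartment-id "$comp" --all \
            --query "data[?\"lifecycle-state\"=='ACTIVE'].id" | ocids_from_json |
        while read -r vault; do
            vt=$(oci kms management vault get --vault-id "$vault" --query 'data."vault-type"')
            printf '%s\t%s\t%s\n' "$(vault_verdict "$vt")" "$vault" "$vt"
        done
    done
}

if [ "${OCI_VAULT_AUDIT:-}" = run ]; then
    audit_vault_types
fi
```

Run it with `OCI_VAULT_AUDIT=run sh audit-vaults.sh` (file name is a placeholder); every line that begins with FAIL is a vault that needs re-creating as a Virtual Private Vault per the Remediation section, since `vault-type` cannot be changed on an existing vault.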

Remediation / Resolution

To ensure that your OCI KMS Vaults are deployed to an isolated partition within a Hardware Security Module (HSM), you must re-create the vaults with the appropriate configuration. To create Virtual Private Vaults, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select the OCI compartment that you want to access from the Compartment dropdown menu, next to Applied filters.

  4. Choose Create Vault and perform the following actions to create a new Virtual Private Vault:

    1. Select the appropriate OCI compartment from the Create in compartment dropdown menu.
    2. Enter a unique name for the new vault in the Name box.
    3. Switch on Make it a virtual private vault button to ensure that your vault is provisioned on an isolated partition of the OCI Hardware Security Module (HSM).
    4. Select Tags and use the Add tag button to add resource tags (free-form and defined tags) to your vault.
    5. Choose Create Vault to deploy your new OCI KMS Virtual Private Vault.

Using OCI CLI

  1. Run kms management vault create command (Windows/macOS/Linux) with the --vault-type parameter set to 'VIRTUAL_PRIVATE' to create a new Oracle Cloud Infrastructure (OCI) KMS Virtual Private Vault:

    oci kms management vault create
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--display-name 'cc-project5-virtual-private-vault'
    	--vault-type 'VIRTUAL_PRIVATE'
    
  2. The command output should return the configuration information available for the new OCI KMS Vault:

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"crypto-endpoint": "https://abcd1234abcda-crypto.kms.ap-sydney-1.oraclecloud.com",
    		"defined-tags": {},
    		"display-name": "cc-project5-virtual-private-vault",
    		"external-key-manager-metadata-summary": null,
    		"freeform-tags": {},
    		"id": "ocid1.vault.oc1.ap-sydney-1.abcd1234abcda.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"is-primary": true,
    		"is-vault-replicable": true,
    		"lifecycle-state": "ACTIVE",
    		"management-endpoint": "https://abcd1234abcda-management.kms.ap-sydney-1.oraclecloud.com",
    		"replica-details": null,
    		"restored-from-vault-id": null,
    		"time-created": "2025-10-26T11:49:33.807000+00:00",
    		"time-of-deletion": null,
    		"vault-type": "VIRTUAL_PRIVATE",
    		"wrappingkey-id": "ocid1.key.oc1.ap-sydney-1.abcd1234abcda.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    	},
    	"etag": "1234abcd1234abcd1234abcd1234abcd1234"
    }
    


Publication date Nov 12, 2025