How External KMS Works

Learn about the EKMS model, including the operations that happen inside and outside of the Oracle Cloud.

The following diagram shows the External KMS workflow for encryption and decryption operations:


[Diagram: External KMS workflow]

  1. An OCI application or service sends an encryption or decryption request.
  2. OCI External Key Management Service (KMS) forwards the request to the third-party key management system (Thales) deployed on the customer's premises.
  3. Thales performs the encryption or decryption operation on the data and sends the encrypted or decrypted data back to OCI External KMS.
  4. OCI External KMS forwards the response to the OCI application or service.