-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, the KMS service must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/docs/enterprise/sealwrap) documenation for more information.
If it is `false`, Vault authenticates using the instance principal from the compute instance. See Authentication section for details. Default is `false`.
If you want to use Instance Principal, add section configuration below and add further configuration settings as detailed in the [configuration docs](/docs/configuration/).
If you want to use User Principal, the plugin will take the API key you defined for OCI SDK, often under `~/.oci/config`.
```hcl
seal "ocikms" {
auth_type_api_key = true
crypto_endpoint = "<kms-crypto-endpoint>"
management_endpoint = "<kms-management-endpoint>"
key_id = "<kms-key-id>"
}
```
To grant permission for a compute instance to use OCI KMS service, write policies for KMS access.
- Create a [Dynamic Group][oci-dg] in your OCI tenancy.
- Create a policy that allows the Dynamic Group to use or manage keys from OCI KMS. There are multiple ways to write these policies. The [OCI Identity Policy][oci-id] can be used as a reference or starting point.
The most common policy allows a dynamic group of tenant A to use KMS's keys in tenant B:
For the [OCI KMS key rotation feature][oci-kms-rotation], OCI KMS will create a new version of key internally. This process is independent from Vault, and Vault still uses the same `key_id` without any interruption.
If you want to change the `key_id`: migrate to Shamir, change `key_id`, and then migrate to OCI KMS with the new `key_id`.