diff --git a/oci.compute.tf b/oci.compute.tf
index 131160f..e97c7d0 100644
--- a/oci.compute.tf
+++ b/oci.compute.tf
@@ -35,6 +35,7 @@ resource "oci_core_instance" "compute" {
   source_details {
     source_type = "image"
     source_id = data.oci_core_images.selected[each.value.key].images[0].id
+    kms_key_id = var.use_vault.volume ? try(data.oci_kms_key.key["volume"].id, null) : null
     boot_volume_size_in_gbs = each.value.key == "flex" ? 100 : 50
     boot_volume_vpus_per_gb = 120
     is_preserve_boot_volume_enabled = false
diff --git a/oci.data.tf b/oci.data.tf
index cda3d9e..3abe1db 100644
--- a/oci.data.tf
+++ b/oci.data.tf
@@ -2,6 +2,15 @@ data "oci_identity_tenancy" "tenancy" {
   tenancy_id = var.tenancy_id
 }
 
+# use this instead of oci_kms_key.key to await supporting policy creation
+data "oci_kms_key" "key" {
+  for_each = var.create_vault ? var.use_vault : {}
+
+  management_endpoint = oci_kms_vault.vault[0].management_endpoint
+  key_id = oci_kms_key.key[each.key].id
+  depends_on = [oci_identity_policy.kms_service_policy]
+}
+
 data "oci_identity_availability_domains" "available" {
   compartment_id = oci_identity_compartment.compartment.id
 }
diff --git a/oci.vault.tf b/oci.vault.tf
index e69de29..720cd96 100644
--- a/oci.vault.tf
+++ b/oci.vault.tf
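Review bot: The `try(..., null)` on the added `kms_key_id` line fails open: whenever `data.oci_kms_key.key["volume"]` does not exist — for example `var.use_vault.volume` is true while `var.create_vault` is false, since that data source's for_each is gated on `create_vault` — the boot volume is silently created under the Oracle-managed default key instead of the customer-managed key the operator asked for, and nothing in the plan shows the downgrade. Prefer to fail the plan: `kms_key_id = var.use_vault.volume ? data.oci_kms_key.key["volume"].id : null`. If the try() was meant to tolerate the create_vault=false combination, reject it explicitly with a `validation` block on `var.use_vault` (or a `precondition` on the instance) so the choice is visible rather than implicit. The enclosing `oci_core_instance` resource starts and ends outside this hunk.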
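Review bot: The header comment `# use this instead of oci_kms_key.key to await supporting policy creation` is hard to parse for the next reader; I would replace it with `# Read the key back through a data source that depends_on the service policy, so consumers (boot volumes, buckets, DBs) reference the key only after the policy allowing the service to use it exists.` The `for_each = var.create_vault ? var.use_vault : {}` expression is a copy of the one on `oci_kms_key.key` in oci.vault.tf; a shared `local.vault_keys` consumed by both would keep the two instance sets from drifting, since `key_id = oci_kms_key.key[each.key].id` errors as soon as they differ. Note also that `depends_on` on a data source defers the read to apply time, so dependent attributes will show as known after apply in every plan — acceptable here, but worth a one-line comment so nobody tries to "fix" it.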
@@ -0,0 +1,38 @@
+resource "oci_kms_vault" "vault" {
+  count = var.create_vault ? 1 : 0
+
+  compartment_id = oci_identity_compartment.compartment.id
+  display_name = join("", [var.prefix, "vault"])
+  vault_type = "DEFAULT"
+  freeform_tags = local.freeform_tags
+}
+
+resource "oci_kms_key" "key" {
+  for_each = var.create_vault ? var.use_vault : {}
+
+  compartment_id = oci_identity_compartment.compartment.id
+  management_endpoint = oci_kms_vault.vault[0].management_endpoint
+  display_name = join("", [var.prefix, each.key, "-key"])
+  desired_state = "ENABLED"
+  protection_mode = "HSM"
+  key_shape {
+    algorithm = "AES"
+    length = 32
+  }
+  freeform_tags = local.freeform_tags
+}
+
+resource "oci_identity_policy" "kms_service_policy" {
+  compartment_id = oci_identity_compartment.compartment.id
+  name = "kms-service-policy"
+  description = "kms service policy"
+  statements = [
+    !var.use_vault.volume ? "" :
+    "allow service blockstorage to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["volume"].id}'",
+    !var.use_vault.object ? "" :
+    "allow service objectstorage-${var.oci_region} to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["object"].id}'",
+    !var.use_vault.database ? "" :
+    "allow service dbcs to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["database"].id}'",
+  ]
+  freeform_tags = local.freeform_tags
+}
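Review bot: `statements` in `oci_identity_policy.kms_service_policy` is built with `""` placeholders for disabled uses, so with any entry of `var.use_vault` false the policy carries an empty statement, which OCI IAM will most likely reject at apply, and with all three false (or `create_vault = false`, where the `oci_kms_key.key[...]` references do not resolve) the resource cannot be created at all even though it is unconditional. Drop the empties and gate the resource the same way the key is gated: `count = var.create_vault && contains(values(var.use_vault), true) ? 1 : 0` and `statements = compact([`; the `depends_on = [oci_identity_policy.kms_service_policy]` in oci.data.tf still resolves against a counted resource. Separately, `oci_kms_key.key` iterates every key of `var.use_vault` including those set to false, so an HSM-protected key (billed per key version, as far as I know) is created for uses that are switched off; `for_each = { for k, v in var.use_vault : k => v if v }` on both the key and the matching data source would align the key set with the policy's intent. The per-statement `where target.key.id=...` scoping is the right least-privilege shape and should be kept as is.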