Managing Vault Encryption Keys for Block Volume

Customer-managed keys are your own keys stored with the Vault service.

You can import external keys to the Vault service or use the service to generate new keys. For more information about these tasks, see Managing Keys and Importing Keys and Key Versions.

When you create a volume, you can specify the customer-managed key for the volume; see Creating a Block Volume. The volume's backups automatically use the specified key. You can specify a different key when you create a new volume by cloning a volume or restoring a volume from a volume backup.

Specifying a New Key When Cloning a Volume

  • When using the CLI, run the following command:

    oci bv create --display-name <volume_name> --compartment-id <compartment_ID> --availability-domain <AD> --kms-key-id <different_key_ID> --source-volume-id=<source_volume_ID>

  • When you clone a volume in the Console, in the Encryption section on the Create clone form, select Encrypt using customer-managed keys, and then select the Vault encryption key you want to use.

  • When using the API, specify the encryption key OCID in the kmsKeyId attribute of CreateVolumeDetails when calling the CreateVolume operation.

Specifying a New Key When Restoring a Backup

  • When using the CLI, run the following command:

    oci bv create --display-name <volume_name> --compartment-id <compartment_ID> --availability-domain <AD> --kms-key-id <different_key_ID> --volume-backup-id=<source_backup_ID>

    If you omit the --kms-key-id parameter, the volume created from the backup uses the Oracle-managed key.

  • When you restore the block volume from a backup in the Console, in the Encryption section on the Restore block volume form, select Encrypt using customer-managed keys, and then select the Vault encryption key you want to use.

  • When using the API, specify the encryption key OCID in the kmsKeyId attribute of CreateVolumeDetails when calling the CreateVolume operation.

Specifying a New Key When Activating a Replica

Volumes with replication enabled don't support customer-managed keys. If you want to enable replication for a volume, use Oracle-managed keys for volume encryption. See Cross-region replication not supported for volumes encrypted with customer-managed keys.

  • When using the CLI, run the following command:

    oci bv create --display-name <volume_name> --compartment-id <compartment_ID> --availability-domain <AD> --kms-key-id <different_key_ID> --source-volume-replica-id=<source_replica_ID>

  • When you activate a volume replica in the Console, in the Encryption section on the Activate a volume replica form, select Encrypt using customer-managed keys, and then select the Vault encryption key you want to use.

  • When using the API, specify the encryption key OCID in the kmsKeyId attribute of CreateVolumeDetails when calling the CreateVolume operation.

Rotating the Encryption Key

Rotating the same key isn't supported today, and the behavior isn't defined when a key has multiple versions. Block Volume only supports keys with a single version. To rotate an encryption key, change the volume's encryption key to a new key. You can also change the encryption key for a volume backup.

When you rotate the key for a volume by specifying a new encryption key, child resources created before the update, including backups and clones, continue to use the old encryption key.

Changing the Encryption Key for a Volume

You can change the key assigned to a volume to another customer-managed key. Changing the encryption key doesn't re-encrypt the content of the volume; it re-encrypts only the data key.

  • To specify a different customer-managed key for a volume using the CLI, run the following command:

    oci bv volume-kms-key update --volume-id=<volume_ID> --kms-key-id=<key_ID>

  • To specify a different customer-managed key for a volume using the Console, see Update a Key to a Block Volume.

  • To specify a different customer-managed key with the API, use the UpdateVolumeKmsKey operation.

Changing the Encryption Key for a Volume Backup

You can change the key assigned to a volume backup to another customer-managed key or to an Oracle-managed key. Changing the encryption key doesn't re-encrypt the volume backup; it re-encrypts only the data key.

  • To specify a different key for a volume backup using the CLI, run the following command:

    oci bv backup update --backup-id=<backup_ID> --kms-key-id=<key_ID>

    To specify that the volume backup use an Oracle-managed key, specify an empty string for the key ID, as shown in the following example:

    oci bv backup update --backup-id=<backup_ID> --kms-key-id=''

  • To specify a different customer-managed key for a volume backup using the Console, see Volume Backup Encryption Keys.

  • To specify a different customer-managed key with the API, use the UpdateVolumeBackup operation, and specify the encryption key OCID in the kmsKeyId attribute.
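Putting the rotation caveat above (child resources keep the old key) together with the two update commands, as an added example that is not part of the Oracle documentation: a POSIX shell script that re-keys a volume and then every existing backup of that volume, so nothing is left on the retired key. It assumes a configured oci CLI, and it assumes that volume-kms-key update reports the new key under data."kms-key-id" in its output.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: rotate a volume's
# customer-managed key, then re-key each existing backup of that volume,
# because backups created before the update keep the old key.
# Assumption: "oci bv volume-kms-key update" echoes the new key id under
# data."kms-key-id"; --query/--raw-output are used so no jq is needed.
set -eu

# Re-key one volume; print the key id the service now reports and fail if
# it is not the key we asked for (guards against a silently ignored update).
rotate_volume_key() {
  volume_id=$1; new_key_id=$2
  reported=$(oci bv volume-kms-key update --volume-id="$volume_id" \
      --kms-key-id="$new_key_id" --query 'data."kms-key-id"' --raw-output)
  if [ "$reported" != "$new_key_id" ]; then
    echo "volume $volume_id reports key $reported, expected $new_key_id" >&2
    return 1
  fi
  echo "$reported"
}

# List the backup OCIDs of a volume, space separated (OCIDs contain no spaces).
list_volume_backups() {
  compartment_id=$1; volume_id=$2
  oci bv backup list --compartment-id="$compartment_id" --volume-id="$volume_id" \
      --all --query "data[].id | join(' ', @)" --raw-output
}

# Rotate the volume key, then move its backups to the same key; print how
# many backups were re-keyed. Any failing oci call aborts the script (set -e).
rekey_volume_and_backups() {
  compartment_id=$1; volume_id=$2; new_key_id=$3
  rotate_volume_key "$volume_id" "$new_key_id" >/dev/null
  count=0
  for backup_id in $(list_volume_backups "$compartment_id" "$volume_id"); do
    oci bv backup update --backup-id="$backup_id" --kms-key-id="$new_key_id" >/dev/null
    count=$((count + 1))
  done
  echo "$count"
}

# Usage: sh rekey.sh <compartment_OCID> <volume_OCID> <new_key_OCID>
if [ "$#" -eq 3 ]; then
  rekey_volume_and_backups "$1" "$2" "$3"
fi
```

Clones created before the rotation are not covered by this script; they are independent volumes and must be re-keyed with volume-kms-key update individually.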

Cross Security Compartment Key Access

As a best practice, CIS Oracle Cloud Infrastructure Foundations Benchmark recommends that you create a vault for your customer-managed keys in a separate compartment and restrict access to this compartment. The following diagram shows how to organize this.

Architecture diagram showing customer managed keys stored in a separate, restricted access compartment

The following policies are required to use the keys in a separate security compartment with restricted access to encrypt boot volumes, block volumes, and related resources.

Allow service blockstorage to use keys in compartment security-compartment where target.key.id = <key_ID>
Allow group projx-admin-group to use key-delegate in compartment security-compartment where target.key.id = <key_ID>

Volume Backup Encryption Keys

The Oracle Cloud Infrastructure Block Volume service always encrypts all block volumes, boot volumes, and volume backups at rest by using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption.

The Oracle Cloud Infrastructure Vault service enables you to bring and manage your own keys to use for encrypting volumes and their backups. When you create a volume backup, the encryption key used for the volume is also used for the volume backup.

You can change the key assigned to a volume backup to another customer-managed key or to an Oracle-managed key. Changing the encryption key doesn't re-encrypt the content of the volume backup; it re-encrypts only the data key.

Using the CLI

To specify a different key for a volume backup using the CLI, run the following command:

oci bv backup update --backup-id=<backup_ID> --kms-key-id=<key_ID>

To specify that the volume backup use an Oracle-managed key, specify an empty string for the key ID, as shown in the following example:

oci bv backup update --backup-id=<backup_ID> --kms-key-id=''

Using the Console

  1. Open the navigation menu and click Storage. Under Block Storage, click Block Volume Backups.
  2. Under List Scope, in the Compartment list, choose the compartment that contains the volume backup that you want to update the key for.
  3. From the list of volume backups, click the backup you're interested in.
  4. Then, do one of the following:

    • If the volume backup already has a key assigned to it, next to Encryption Key, click Edit to assign a different key.
    • If the volume backup does not already have a key assigned to it, next to Encryption Key, click Assign.
  5. Choose the vault compartment, vault, key compartment, and key.

  6. When you are finished, click Assign or Update, as appropriate.

Using the API

To specify a different customer-managed key with the API, use the UpdateVolumeBackup operation, and specify the encryption key OCID in the kmsKeyId attribute.
