Enabling In-Transit Encryption Between an Instance and Boot Volumes or Block Volumes
After you create a virtual machine (VM) instance, you can enable or disable in-transit encryption between the instance and its paravirtualized boot volume and block volume attachments.
All boot volume and block volume data at rest is always encrypted by the Oracle Cloud Infrastructure Block Volume service using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption. For more information, see Block Volume Encryption.
See this known issue: In-transit encryption for a boot volume attachment can be edited when unsupported by the image.
For permissions, see Required IAM Policy for Working with Instances.
Supported Shapes and Images
You can enable or disable in-transit encryption for existing instances that use these VM shapes:
- VM.Standard1 series
- VM.Standard.B1 series
- VM.Standard2 series
- VM.Standard3 series
- VM.Standard.E2 series
- VM.Standard.E3.Flex
- VM.Standard.E4.Flex
- VM.Standard.A1.Flex
- VM.DenseIO1 series
- VM.DenseIO2 series
- VM.GPU3 series
- VM.GPU.A10 series
- VM.Optimized3.Flex
The in-transit encryption setting cannot be edited for these shapes:
- VM.Standard.E2.1.Micro
- VM.DenseIO.E4.Flex
- VM.GPU2 series
- VM instances that run on dedicated virtual machine hosts
The following bare metal shapes support in-transit encryption by default for block volumes and boot volumes. This setting is not configurable and applies to all volume attachments to the instance.
- BM.Standard.E3.128
- BM.Standard.E4.128
- BM.DenseIO.E4.128
In-transit encryption is not enabled for these shapes in the following scenarios:
- Boot volumes for instances launched June 8, 2021 or earlier.
- Volumes attached to the instance June 8, 2021 or earlier.
To enable in-transit encryption for the volumes in these scenarios, you need to detach the volume from the instance and then reattach it.
In-transit encryption is not supported on any other bare metal shapes.
In-transit encryption for boot volumes and block volumes is available for platform images. It is not supported in most cases for instances launched from custom images imported for "bring your own image" (BYOI) scenarios. To confirm support for certain Linux-based custom images, contact support.
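As an added example (not Oracle's code), here is a Python audit that applies the shape and attachment-date rules above to instance and volume-attachment records: VM instances with the setting off, the non-editable VM shapes, and default-on bare metal shapes whose attachments predate June 8, 2021. The field names mirror the kebab-case JSON of the OCI CLI (`is-pv-encryption-in-transit-enabled` under `launch-options`, `time-created` on attachments); the OCIDs and records are constructed samples, and dedicated VM hosts are not detected because that is not visible from the shape name.

```python
"""Audit OCI instances for in-transit encryption gaps (constructed sample data).
Keys mirror the kebab-case JSON of `oci compute instance list` and
`oci compute volume-attachment list`."""
import json
from datetime import date
# Bare metal shapes where the setting is always on and not configurable.
BM_ALWAYS_ON = {"BM.Standard.E3.128", "BM.Standard.E4.128", "BM.DenseIO.E4.128"}
# VM shapes where the setting cannot be edited after launch (dedicated VM hosts
# are also not editable, but that is not visible from the shape name).
NOT_EDITABLE = {"VM.Standard.E2.1.Micro", "VM.DenseIO.E4.Flex"}
NOT_EDITABLE_PREFIXES = ("VM.GPU2.",)
# Attachments to BM_ALWAYS_ON shapes made on or before this date are not
# encrypted until the volume is detached and reattached.
CUTOFF = date(2021, 6, 8)
INSTANCES = json.loads("""[
 {"id": "ocid1.instance.oc1..vm1", "shape": "VM.Standard.E4.Flex",
  "launch-options": {"is-pv-encryption-in-transit-enabled": false}},
 {"id": "ocid1.instance.oc1..micro", "shape": "VM.Standard.E2.1.Micro",
  "launch-options": {"is-pv-encryption-in-transit-enabled": false}},
 {"id": "ocid1.instance.oc1..bm1", "shape": "BM.Standard.E3.128",
  "launch-options": {"is-pv-encryption-in-transit-enabled": true}}]""")
ATTACHMENTS = json.loads("""[
 {"instance-id": "ocid1.instance.oc1..bm1", "volume-id": "ocid1.volume.oc1..old",
  "time-created": "2021-05-01T10:00:00.000Z"},
 {"instance-id": "ocid1.instance.oc1..bm1", "volume-id": "ocid1.volume.oc1..new",
  "time-created": "2022-01-15T10:00:00.000Z"}]""")
def shape_editable(shape):
    """True if the in-transit encryption setting can be changed for this VM shape."""
    return shape not in NOT_EDITABLE and not shape.startswith(NOT_EDITABLE_PREFIXES)
def audit(instances, attachments):
    """Return {instance-id: [remediation, ...]} for instances with unencrypted volume traffic."""
    findings = {}
    for inst in instances:
        shape, notes = inst["shape"], []
        enabled = inst["launch-options"].get("is-pv-encryption-in-transit-enabled", False)
        if shape in BM_ALWAYS_ON:
            # Default-on shape: only attachments that predate the default are a gap.
            for att in attachments:
                attached = date.fromisoformat(att["time-created"][:10])
                if att["instance-id"] == inst["id"] and attached <= CUTOFF:
                    notes.append(f"detach and reattach {att['volume-id']} (attached {attached})")
        elif not enabled:
            notes.append("enable in launch options (instance reboots)" if shape_editable(shape)
                         else f"setting cannot be edited on shape {shape}")
        if notes:
            findings[inst["id"]] = notes
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(INSTANCES, ATTACHMENTS), indent=1))
```

Against a real tenancy, feed it the `data` arrays from the two CLI commands named in the docstring instead of the constructed lists.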
Using the Console
- Open the navigation menu and click Compute. Under Compute, click Instances.
- Click the instance that you're interested in.
- Click More Actions, and then click Edit.
- Click Show advanced options.
- On the Launch options tab, select the Use in-transit encryption check box.
- Click Save changes.
If the instance is running, it is rebooted. Confirm when prompted.
Using the API
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
Use this API operation to enable or disable in-transit encryption between an instance and its paravirtualized boot volume attachments: