Encrypting a File System
File Storage file systems use Oracle-managed keys to encrypt a file system by default, which leaves all encryption-related matters to Oracle. Optionally, you can encrypt the data in a file system using your own Vault encryption key.
To encrypt a file system with your own key, ensure that the following prerequisites are met:
- At least one key vault and key in the Vault service. For more information, see Overview of Vault. Caution
Be sure to back up vaults and keys. Deleting a vault and key otherwise means losing the ability to decrypt any resource or data that the key was used to encrypt. For more information, see Backing Up and Restoring Vaults and Keys. -
Set the permissions that allow the File Storage service to use keys.
Only symmetric Advanced Encryption Standard (AES) keys are supported for file system encryption.
Required IAM Policy
File systems encrypted using your own key require the ability to read keys stored in Vault. File Storage uses resource principals to grant a specific set of file systems access to the Vault key. This is a two step process, first the file systems which need access must be put into a dynamic group, and then the dynamic group is granted access to read the keys.
-
Create a dynamic group for the file systems with a rule such as the following:
ALL { resource.type='filesystem', resource.compartment.id = '<file_system_compartment_OCID>' }Note
If you have more than one rule in the dynamic group, ensure that you useMatch any rules defined belowoption. -
Create an IAM policy that gives the dynamic group of file systems access to Vault keys:
allow dynamic-group <dynamic_group_name> to use keys in compartment <key_compartment_name>
In addition to creating policies for resource principal access, grant the File Storage service user access to read the keys using a policy such as the following:
allow service FssOc<n>Prod to use keys in compartment <key_compartment_name>The name of the File Storage service user depends on your realm . For realms with realm key numbers of 10 or less, the pattern for the File Storage service user is FssOc<n>Prod, where n is the realm key number. Realms with a realm key number greater than 10 have a service user of fssocprod. For more information about realms, see About Regions and Availability Domains.
- Open the navigation menu and select Storage. Under File Storage, select File Systems.
- Under List scope, in the Compartment list, choose the compartment that contains the file system that you want to encrypt with a Vault master encryption key.
- From the list of file systems, click the file system name.
- On the file system's details page, next to Encryption key, click Edit.
- In the Edit Master encryption key dialog box, select Encrypt using customer-managed keys.Note
If you assign a Vault key to a file system, you can later return the file system to using Oracle-managed keys for encryption by selecting Encrypt using Oracle-managed keys. - Select the Vault Compartment, Vault, Master encryption key Compartment, and Master encryption key.
- Click Save changes.
Use the
fs file-system updatecommand and required parameters to encrypt the file system using the specified key:oci fs file-system update --file-system-id <file_system_OCID> --kms-key-id <target_key_id>Leave the
--kms-key-idvalue unspecified to use Oracle-managed keys for encryption:oci fs file-system update --file-system-id <file_system_OCID> --kms-key-id ""For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
Run the UpdateFileSystem operation to manage file system encryption.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.