The Block Volume service always encrypts boot volume and block volume data at rest, using Oracle-managed encryption keys by default.

When provisioning a node pool using VM instances, you now have the option to encrypt worker node boot volumes at rest and in-transit using your own master encryption keys that you manage yourself in the Vault service. If you use your own master encryption key, the same key is used for both at rest and in-transit encryption. For more information about encrypting boot volumes, see Custom Create Workflow to Create a Cluster.

When provisioning a persistent volume claim (PVC) using the Block Volume service, you can now choose how block volumes are encrypted by specifying:

• The master encryption key to use. You can specify your own master encryption key that you manage yourself in the Vault service.
• How the block volume is attached to the compute instance (either iscsi or paravirtualized).
• Whether in-transit encryption is enabled for each node pool in a cluster.

For more information about encrypting block volumes for PVCs backed by the Block Volume service, see Encrypting Data At Rest and Data In Transit with the Block Volume Service.

Note that to use your own Vault service encryption key to encrypt data, an IAM policy must grant access to the service encryption key. See Create Policy to Access User-Managed Encryption Keys for Encrypting Boot and Block Volumes.