17_Vault_Concept_In_OCI - Nirvan-Pandey/OCI_DOC GitHub Wiki
Oracle Cloud Infrastructure (OCI) Vault is a service that securely stores and manages sensitive information like passwords, API keys, and encryption keys. It helps you keep this information safe by using strong encryption and strict access controls. With OCI Vault, you can easily manage who has access to your secrets, ensuring your applications and data remain secure and compliant.
You can assign a vault and keys to both block volumes and boot volumes in the same way. The primary advantage of assigning a vault and keys to block volumes is to protect user and application data. You can also assign them to boot volumes, which contain the operating system, but this may provide less benefit, since the primary concern is usually the security of user and application data.
By default, block volumes in Oracle Cloud Infrastructure are encrypted using Oracle-managed keys. However, if you need to use your own encryption keys to protect user and application data residing on these volumes, OCI Vault provides a solution. OCI Vault allows you to create and manage your own encryption keys, giving you greater control over the security of your data.
Below are the steps to create a Vault.
Step1: Navigate to Identity & Security --> Key Management & Secret Management --> Vault
Step2: Click on Create Vault.
Step3: Choose the compartment and name for the vault and click create.
Step4: Vault is created.
Once the vault is created, we have to create a key.
Step1: Click on the Create Key.
Step2: Choose the desired options and create the key.
When creating a key in OCI Vault, you have two options for the protection mode:
HSM (Hardware Security Module): Keys are stored and processed in a dedicated hardware security module, providing the highest level of security.
Software: Keys are stored and processed in software, offering flexibility and ease of use.
Additionally, you have three options for the key shape, but the most commonly used is AES (Advanced Encryption Standard).
Step3: Key is generated.
Rotate keys every quarter or every 6 months. This allows new data to be encrypted with the new version of the key, so the data is more secure and resilient.
Step1: Navigate to the vault, open the key, and click the three dots at the right end of the key row. Here click the option to rotate the key.
Step2: Click on rotate.
Step3: Keys have been rotated successfully.
Step4: View the key details.
Step5: The old and new keys are displayed.
Now we have to attach the new key we created to the block volume.
Step1: Go to our existing block volume and click on Assign.
Step2: Select the vault we created and the key, and assign it.
Step3: Error received.
We have got an error which clearly states that either the KMS key cannot be found or we lack permission. But we chose the key we created ourselves, which suggests that we are missing a permission. To fix this, we need to create a policy.
Step1: Navigate to policy.
Now we have to go to Identity and Security --> Policy --> Create Policy.
Step2: Create the policy.
Step3: Fill in the desired fields and create the policy manually in the policy builder.
Oracle Generic Policy
Allow service blockstorage, objectstorage-<region_name>, oke, streaming to use keys in compartment ABC where target.key.id = '<key_OCID>'
Our Edited Policy
Allow service blockstorage to use keys in compartment NP_Compute_Compartment
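As an added example (not part of this wiki page and not an OCI tool), the following Python script parses policy statements of the shape shown above and reports where a statement is broader than Oracle's key-specific template: it flags a grant on keys that has no `where target.key.id = ...` condition (so every key in the compartment becomes usable), and a grant that uses the `manage` verb where the template only uses `use`. The sample statements are the two quoted on this page (placeholders kept verbatim) plus one constructed `manage` variant; the statement grammar recognised is an assumption that covers only the `Allow <subject> to <verb> <resource> in <scope> [where ...]` form.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first two statements are the ones quoted on this
# page (placeholders kept verbatim); the third is a constructed, broader
# variant that uses "manage" instead of "use".
SAMPLE_STATEMENTS = [
    "Allow service blockstorage, objectstorage-<region_name>, oke, streaming "
    "to use keys in compartment ABC where target.key.id = '<key_OCID>'",
    "Allow service blockstorage to use keys in compartment NP_Compute_Compartment",
    "Allow service blockstorage to manage keys in compartment NP_Compute_Compartment",
]


@dataclass
class Statement:
    """One OCI policy statement, split into the parts an audit cares about."""
    subject_type: str          # service | group | dynamic-group | any-user
    subjects: List[str]        # e.g. ["blockstorage", "oke"]
    verb: str                  # inspect | read | use | manage
    resource: str              # e.g. "keys"
    scope_type: str            # compartment | tenancy
    scope: Optional[str]       # compartment name (None for tenancy)
    condition: Optional[str]   # text after "where", if any


# Assumed grammar: only the simple "Allow ... to ... in ... [where ...]" shape.
_STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject_type>service|group|dynamic-group|any-user)"
    r"(?:\s+(?P<subjects>.+?))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope_type>compartment|tenancy)(?:\s+(?P<scope>[\w.:-]+))?"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(text: str) -> Statement:
    """Parse one statement; raise ValueError if it does not fit the grammar."""
    m = _STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    raw_subjects = m["subjects"] or ""
    return Statement(
        subject_type=m["subject_type"].lower(),
        subjects=[s.strip() for s in raw_subjects.split(",") if s.strip()],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        scope_type=m["scope_type"].lower(),
        scope=m["scope"],
        condition=m["condition"],
    )


def is_key_scoped(stmt: Statement) -> bool:
    """True when a where-clause pins the grant to a specific key OCID."""
    return bool(stmt.condition) and "target.key.id" in stmt.condition.lower()


def audit(statements: List[str]) -> List[dict]:
    """Return one finding per statement that grants key access more broadly
    than the key-specific Oracle template (verb 'use', where target.key.id)."""
    findings = []
    for index, text in enumerate(statements):
        stmt = parse_statement(text)
        if stmt.resource != "keys":
            continue  # only key grants are audited here
        problems = []
        if stmt.verb == "manage":
            problems.append("verb 'manage' includes every permission on the keys "
                            "(create, update, delete); the template only grants 'use'")
        if not is_key_scoped(stmt):
            where = f"compartment {stmt.scope}" if stmt.scope else stmt.scope_type
            who = ", ".join(stmt.subjects) or stmt.subject_type
            problems.append(f"no 'where target.key.id = ...' condition: every key in "
                            f"{where} is usable by {who}")
        if problems:
            findings.append({"index": index, "statement": text,
                             "message": "; ".join(problems)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STATEMENTS):
        print(f"[{finding['index']}] {finding['statement']}\n    -> {finding['message']}")
```

Run against the page's two statements, the Oracle template passes and the edited policy is reported as unscoped; adding the `where target.key.id = '<key_OCID>'` clause (with the real key OCID) to the edited policy keeps the block storage service limited to the one key created above.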
Step4: Policy has been successfully created.
Step5: Once the policy is created, try again to assign the key to the block volume.
Step6: Keys have been successfully assigned to Block Volume.