18_Data_Encryption_At_Rest_ Concept_OCI - Nirvan-Pandey/OCI_DOC GitHub Wiki

18_1: Overview

Data encryption at rest refers to the protection of data that is stored on a physical medium and is not actively being used or transmitted. This includes data stored on hard drives, solid-state drives, databases, and other storage devices. Encrypting data at rest ensures that if the storage media is accessed or stolen, the data remains protected and unreadable without the proper decryption keys.

Oracle Cloud Infrastructure (OCI) provides robust encryption mechanisms to ensure that data is secure and compliant with industry standards.

18_2: Key Features

  1. Default Encryption: OCI automatically encrypts all data at rest using the Advanced Encryption Standard (AES) with a 256-bit key length. This encryption is applied to all storage services, including block volumes, object storage, and file storage.

  2. Customer-Managed Keys: OCI allows customers to manage their own encryption keys using the OCI Vault service. This provides greater control over key management and rotation policies.

  3. Transparent Data Encryption (TDE): For Oracle databases, OCI supports Transparent Data Encryption (TDE) to encrypt sensitive data stored in tablespaces and backups. TDE ensures that data is encrypted before it is written to disk and decrypted when read into memory.

  4. Key Management: OCI Vault provides a centralized key management service that integrates with other OCI services. It supports key creation, rotation, and lifecycle management, ensuring that encryption keys are securely managed.

  5. Compliance: OCI's encryption at rest capabilities help organizations meet various regulatory and compliance requirements, such as GDPR, HIPAA, and PCI-DSS.

18_3: How It Works

Block Volumes

All block volumes in OCI are encrypted by default using AES-256. This includes boot volumes and block storage volumes attached to compute instances. Encryption is transparent to the user and does not require any additional configuration.

Object Storage

Data stored in OCI Object Storage is encrypted using server-side encryption with AES-256. Users can also choose to encrypt data client-side before uploading it to Object Storage for an additional layer of security.

File Storage

OCI File Storage service encrypts all data at rest using AES-256. This ensures that any files stored in the file system are protected from unauthorized access.

Database Encryption

Oracle databases in OCI use Transparent Data Encryption (TDE) to encrypt data at rest. TDE encrypts the data files, redo logs, and backups, ensuring that sensitive information is protected.

18_4: Managing Encryption Keys

OCI Vault

OCI Vault is a managed service that provides centralized key management. It allows users to create and manage keys, set rotation policies, and control access to keys using IAM policies.

Key Rotation

OCI Vault supports automatic key rotation, ensuring that encryption keys are regularly updated to maintain security. Users can define rotation policies to specify the frequency of key rotation.
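The two ideas above, client-side encryption before an object is uploaded (Object Storage section) and key rotation that keeps old ciphertext readable, fit together in one envelope-encryption scheme. The following Go program is an added example written for this page; it is not code from the OCI_DOC wiki or from Oracle. Each object gets its own random 256-bit data key, the object is sealed with AES-256-GCM, and the data key is wrapped under the current version of a master key. The `WrappingKeyring` type is an assumption that stands in for a customer-managed key in OCI Vault: a real client would send the data key to the Vault encrypt/decrypt endpoints, whereas here the key versions are held in memory so the example runs offline. `EnvelopeBlob`, the object name `reports/q1.csv` and all payloads are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG; failure here is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

// WrappingKeyring stands in for a customer-managed master key (assumption:
// in production the wrap/unwrap calls go to OCI Vault, not to local memory).
type WrappingKeyring struct {
	versions [][]byte // index = key version; each entry is a 32-byte AES-256 key
}

// NewWrappingKeyring starts with a single key version, version 0.
func NewWrappingKeyring() *WrappingKeyring {
	return &WrappingKeyring{versions: [][]byte{randomBytes(32)}}
}

// Rotate adds a new current version; older versions stay usable for decryption.
func (k *WrappingKeyring) Rotate() { k.versions = append(k.versions, randomBytes(32)) }

// EnvelopeBlob is the constructed format of what would be uploaded to Object Storage.
type EnvelopeBlob struct {
	KeyVersion int
	WrappedDEK []byte // per-object data key, sealed under versions[KeyVersion]
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

// aadFor binds a blob to its object name and key version so it cannot be moved to another object.
func aadFor(objectName string, version int) []byte {
	aad := make([]byte, 4, 4+len(objectName))
	binary.BigEndian.PutUint32(aad, uint32(version))
	return append(aad, objectName...)
}

// newGCM builds an AES-GCM AEAD; keys are always 32 bytes here, so errors are bugs.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// gcmSeal prepends a fresh random nonce to the authenticated ciphertext.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize()) // never reuse a nonce under one key
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt seals the object with a fresh data key and wraps that key under the current master version.
func Encrypt(k *WrappingKeyring, objectName string, plaintext []byte) *EnvelopeBlob {
	dek := randomBytes(32)
	ver := len(k.versions) - 1 // current version
	aad := aadFor(objectName, ver)
	return &EnvelopeBlob{
		KeyVersion: ver,
		WrappedDEK: gcmSeal(k.versions[ver], dek, aad),
		Ciphertext: gcmSeal(dek, plaintext, aad),
	}
}

// Decrypt uses the version recorded in the blob, not the current one; any tampering fails the GCM tag check.
func Decrypt(k *WrappingKeyring, objectName string, b *EnvelopeBlob) ([]byte, error) {
	if b.KeyVersion < 0 || b.KeyVersion >= len(k.versions) {
		return nil, fmt.Errorf("unknown key version %d", b.KeyVersion)
	}
	aad := aadFor(objectName, b.KeyVersion)
	dek, err := gcmOpen(k.versions[b.KeyVersion], b.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, b.Ciphertext, aad)
}
```

Encrypting an object, calling `Rotate`, and then decrypting the original blob still succeeds because the blob records which key version wrapped its data key; new blobs are wrapped under the new version. This is the property rotation in OCI Vault relies on: rotation protects new data without re-encrypting existing data, while re-encrypting old objects under the new version is a separate, optional step. The AAD binding also means a blob copied onto a different object name, or with a single flipped byte, fails to decrypt.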

Access Control

Access to encryption keys is controlled using OCI Identity and Access Management (IAM) policies. This ensures that only authorized users and services can access and manage encryption keys.
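The following policy statements are an added illustration of the separation described above; they are not taken from the OCI_DOC wiki. The statement forms (`manage vaults`, `manage keys`, `use key-delegate`, and `Allow service ... to use keys`) are the documented OCI IAM policy verbs for the Vault service, while the group names `KeyAdmins` and `AppOperators`, the compartment name `SecurityKeys`, and `<region-identifier>` are placeholders to replace with your own values.

```text
Allow group KeyAdmins to manage vaults in compartment SecurityKeys
Allow group KeyAdmins to manage keys in compartment SecurityKeys
Allow group AppOperators to use key-delegate in compartment SecurityKeys
Allow service blockstorage, objectstorage-<region-identifier>, FssOc1Prod to use keys in compartment SecurityKeys
```

The first two statements confine creation, rotation, disabling and deletion of keys to a small administrative group. `use key-delegate` lets operators assign an existing key to a volume, bucket or file system without being able to read or change key material. The last statement is the one most often forgotten: the storage services themselves must be allowed to use the customer-managed keys assigned to their resources, otherwise volume attachment or object access fails after the key is assigned.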

18_5: Best Practices

  1. Regularly rotate encryption keys to minimize the risk of key compromise.
  2. Use customer-managed keys for greater control over key management and compliance.
  3. Implement strict access controls using IAM policies to restrict access to encryption keys.
  4. Monitor and audit key usage to detect any unauthorized access or anomalies.
  5. Ensure compliance with relevant regulatory and industry standards by leveraging OCI's built-in encryption capabilities.
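Item 4 above asks for monitoring of key usage. The Go program below is an added example for this page, not code from the OCI_DOC wiki or from Oracle, showing the two detection rules a practitioner would typically start with: alert on any operation that weakens or removes a key (disable, scheduled deletion, compartment move), and alert on key-material changes made by a principal outside the expected administrator set. The `KeyAuditEvent` records are constructed; the field names are a deliberate simplification in the spirit of OCI Audit events (event name, principal, resource) and are an assumption, not the exact OCI Audit schema. The OCIDs are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// KeyAuditEvent is a constructed, simplified key-management audit record.
// Assumption: field names loosely follow OCI Audit events but are not the
// exact OCI Audit schema; adapt the mapping to the real event fields.
type KeyAuditEvent struct {
	EventTime     string
	EventName     string // Vault management operation, e.g. "CreateKeyVersion"
	PrincipalName string // caller identity
	ResourceID    string // key OCID (placeholder values below)
}

// destructiveOps weaken or remove protection: a single event is enough to alert.
var destructiveOps = map[string]bool{
	"DisableKey":           true,
	"ScheduleKeyDeletion":  true,
	"ChangeKeyCompartment": true,
}

// adminOps change key material or metadata; expected only from key administrators.
var adminOps = map[string]bool{
	"CreateKey":        true,
	"CreateKeyVersion": true, // rotation produces a new key version
	"UpdateKey":        true,
}

// Alert is what a SIEM rule would emit for review.
type Alert struct {
	Severity string
	Reason   string
	Event    KeyAuditEvent
}

// ReviewKeyEvents applies both rules in order; destructive operations alert
// regardless of caller, admin operations alert only for unexpected callers.
func ReviewKeyEvents(events []KeyAuditEvent, keyAdmins map[string]bool) []Alert {
	var alerts []Alert
	for _, e := range events {
		switch {
		case destructiveOps[e.EventName]:
			alerts = append(alerts, Alert{"high", "destructive key operation: " + e.EventName, e})
		case adminOps[e.EventName] && !keyAdmins[e.PrincipalName]:
			alerts = append(alerts, Alert{"medium", "key change by non-admin principal " + e.PrincipalName, e})
		}
	}
	return alerts
}

// sampleEvents are constructed for this example; the OCIDs are placeholders.
var sampleEvents = []KeyAuditEvent{
	{"2024-01-15T02:10:00Z", "CreateKeyVersion", "keyadmin@example.com", "ocid1.key.oc1..<placeholder-1>"},
	{"2024-01-15T02:14:00Z", "GenerateDataEncryptionKey", "app-instance-principal", "ocid1.key.oc1..<placeholder-1>"},
	{"2024-01-15T03:41:00Z", "CreateKeyVersion", "contractor@example.com", "ocid1.key.oc1..<placeholder-2>"},
	{"2024-01-15T03:42:00Z", "ScheduleKeyDeletion", "contractor@example.com", "ocid1.key.oc1..<placeholder-2>"},
}

func main() {
	admins := map[string]bool{"keyadmin@example.com": true} // constructed allow list
	for _, a := range ReviewKeyEvents(sampleEvents, admins) {
		fmt.Printf("[%s] %s (%s on %s at %s)\n",
			strings.ToUpper(a.Severity), a.Reason, a.Event.EventName, a.Event.ResourceID, a.Event.EventTime)
	}
}
```

Run against the constructed sample, the routine rotation by `keyadmin@example.com` and the application's ordinary data-key request produce nothing, while the rotation and scheduled deletion by `contractor@example.com` produce a medium and a high alert respectively. In a real deployment the allow list would come from the IAM group that holds the `manage keys` policy, so that the detection rule and the access-control policy describe the same set of people.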