10 ‐ OCI Vault Integration: Encrypt Boot & Block Volumes with Custom Keys - SanjeevOCI/Ocidocs GitHub Wiki

🔐 Using OCI Vault for Boot & Block Volume Encryption

Secure your compute resources by creating Vaults, managing Encryption Keys, and applying them to Boot and Block Volumes in OCI.


1. Create a Vault

  1. Navigate to the Search menu, search for "Vault" and click the "Vault" option, or navigate to Identity & Security --> Key Management & Secret Management.

[Screenshots: Vault_Creation_1, Vault_Access]

  2. Click on "Create Vault" to create the new Vault.

[Screenshots: Vault_Creation_2 to Vault_Creation_5]

2. Create Encryption keys in the Vault

[Screenshots: Vault_Creation_6 to Vault_Creation_8]

3. Rotate the keys periodically

Rotate keys every quarter or every 6 months. New data is then encrypted with the new version of the key, and data written under the previous version is not lost.

[Screenshots: Vault_Creation_9, Rotate_keys_1 to Rotate_keys_4]

4. Encrypt the Boot Volume with customer-managed keys

  1. Navigate to the navigation (burger) menu --> Storage --> Boot Volumes --> select the Boot Volume --> click on Encryption Key --> Assign.

[Screenshots: Vault_Creation_10, Vault_Creation_11, Vault_Creation_15 (the permission error)]

  2. The above error indicates that the KMS key doesn't have the right permissions. To assign the encryption key to the Boot Volume, we need to create a policy that allows the Block Storage service to use keys in the compartment (computecompartment) where the vault is located.

[Screenshots: Encryption key access policy_1 to Encryption key access policy_4]

  3. Now that the policy has been created, we can assign the encryption key to the Boot Volume.

[Screenshots: Assign_Encryption_key, Boot Volume Encrypted]

5. Encrypt the Block Volume with customer-managed keys

  1. Navigate to the navigation (burger) menu --> Storage --> Block Volumes --> select the Block Volume --> click on Encryption Key --> Assign.

[Screenshots: Vault_Creation_12 to Vault_Creation_15 (the permission error)]

  2. The above error indicates that the KMS key doesn't have the right permissions. To assign the encryption key to the Block Volume, we need to create a policy that allows the Block Storage service to use keys in the compartment (computecompartment) where the vault is located.

[Screenshots: Encryption key access policy_5, Assign_Encryption_key, Block Volume Encrypted]

6. Rotate the keys every quarter or every 6 months, as in step 3, so that new data is encrypted with the new version of the key and data written under the previous version is not lost.
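Steps 1 to 6 above as an added OCI CLI script (example code, not from the wiki). It assumes a configured OCI CLI, uses placeholder environment variables COMPARTMENT_ID, BOOT_VOLUME_ID and BLOCK_VOLUME_ID, and keeps the compartment name computecompartment from the page; the policy helper goes one step further than the console steps by optionally pinning the grant to a single key OCID.

```shell
#!/bin/sh
# Added example: the console steps above done with the OCI CLI (assumes a
# configured CLI; COMPARTMENT_ID, BOOT_VOLUME_ID, BLOCK_VOLUME_ID are placeholders).
set -eu

# IAM statement that lets the Block Storage service use Vault keys in a
# compartment. With a key OCID the grant is pinned to that one key
# (least privilege); without it the service may use every key in the compartment.
blockstorage_key_policy() {
  stmt="Allow service blockstorage to use keys in compartment $1"
  if [ -n "${2:-}" ]; then
    stmt="$stmt where target.key.id = '$2'"
  fi
  printf '%s' "$stmt"
}

# Steps 1-2: create the vault (wait until ACTIVE), then an AES-256 key in it.
create_vault() {     # $1 compartment OCID, $2 display name
  oci kms management vault create --compartment-id "$1" --display-name "$2" \
    --vault-type DEFAULT --wait-for-state ACTIVE --query 'data.id' --raw-output
}
vault_endpoint() {   # key operations go to the vault's own management endpoint
  oci kms management vault get --vault-id "$1" \
    --query 'data."management-endpoint"' --raw-output
}
create_key() {       # $1 compartment OCID, $2 display name, $3 management endpoint
  oci kms management key create --compartment-id "$1" --display-name "$2" \
    --key-shape '{"algorithm":"AES","length":32}' --endpoint "$3" \
    --query 'data.id' --raw-output
}
# Steps 3 and 6: rotation creates a new key version; older versions stay
# available, so volumes encrypted under them remain readable.
rotate_key() { oci kms management key-version create --key-id "$1" --endpoint "$2"; }

# Prerequisite for steps 4-5: the policy that resolves the permission error.
create_policy() {    # $1 compartment OCID, $2 compartment name, $3 key OCID
  oci iam policy create --compartment-id "$1" --name blockstorage-use-keys \
    --description "Let Block Storage use the volume encryption key" \
    --statements "[\"$(blockstorage_key_policy "$2" "$3")\"]"
}
# Steps 4-5: assign the key to the boot volume and the block volume.
assign_key() {       # $1 boot volume OCID, $2 block volume OCID, $3 key OCID
  oci bv boot-volume update --boot-volume-id "$1" --kms-key-id "$3"
  oci bv volume update --volume-id "$2" --kms-key-id "$3"
}

if [ "${OCI_LAB_RUN:-0}" = 1 ]; then   # set OCI_LAB_RUN=1 to run against a tenancy
  vault=$(create_vault "$COMPARTMENT_ID" lab-vault)
  ep=$(vault_endpoint "$vault")
  key=$(create_key "$COMPARTMENT_ID" volume-key "$ep")
  create_policy "$COMPARTMENT_ID" computecompartment "$key"
  assign_key "$BOOT_VOLUME_ID" "$BLOCK_VOLUME_ID" "$key"
  rotate_key "$key" "$ep"
fi
```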

✅ Summary

In this lab, you learned to:

  • Create a Vault and encryption keys in OCI
  • Rotate keys periodically for security
  • Apply custom encryption keys to Boot and Block Volumes
  • Use policies to enable secure key usage by OCI services

This setup enhances security by giving you full control over data encryption, ensuring compliance and better key lifecycle management.