13 ‐ Encrypt Block volume with Custom managed keys - SanjeevOCI/Ocidocs GitHub Wiki

Encrypt Block Volume with Customer-Managed Keys in OCI

This guide walks you through the process of encrypting an Oracle Cloud Infrastructure (OCI) Block Volume with a Customer-Managed Key (CMK) stored in OCI Vault. Encryption at rest is enabled by default on all volumes, but using a customer-managed key provides improved control and compliance.


Prerequisites

Before starting, ensure you have:

  1. An OCI tenancy with necessary permissions (Vault and Block Volume access).
  2. A Vault and a Customer-Managed Key created in OCI Vault.
  3. IAM policies that grant the Block Storage service permissions to use the key.

Example IAM policy to allow Block Storage to use keys:


  1. Navigate to Burger Menu --> Storage --> Block Volumes --> Select the Block Volume --> Click on Encryption Key --> Assign

[Screenshots Vault_Creation_12 to Vault_Creation_15: assigning the encryption key to the Block Volume; the last one shows the permissions error described below]

The above error indicates that the KMS key doesn't have the right permissions. In order to assign the encryption key to the Boot Volume, we need to create a policy that allows the Block Storage service to use keys in the compartment (computecompartment) where the vault is located.
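The following script is an added example, not part of this wiki page: it builds the IAM policy statement the guide asks for (the "Example IAM policy" referenced under Prerequisites), creates it, assigns the key to the volume and reads the volume back to confirm the assignment. It assumes the OCI CLI is installed and configured; the compartment name computecompartment comes from the guide, and the OCIDs are supplied by the caller as environment variables.

```shell
#!/bin/sh
# Added example (not from the wiki): grant Block Storage use of Vault keys,
# then assign a customer-managed key to a Block Volume with the OCI CLI.
# Assumes the OCI CLI is installed and configured; "computecompartment"
# is the compartment name used in the guide, OCIDs are caller-supplied.

# Policy statement letting the Block Storage service use any Vault key
# in the compartment that holds the vault.
build_policy_statement() {
  printf 'Allow service blockstorage to use keys in compartment %s' "$1"
}

# Same statement restricted to a single key OCID (least privilege).
build_key_scoped_statement() {
  printf "Allow service blockstorage to use keys in compartment %s where target.key.id = '%s'" "$1" "$2"
}

# Create the policy in the compartment identified by OCID $1; the CLI
# takes the statements as a JSON array.
create_policy() {
  compartment_ocid=$1; policy_name=$2; statement=$3
  oci iam policy create \
    --compartment-id "$compartment_ocid" \
    --name "$policy_name" \
    --description "Allow Block Storage to use Vault keys" \
    --statements "[\"$statement\"]"
}

# Assign the customer-managed key to the volume, then read the volume's
# kms-key-id back so the assignment is verified rather than assumed.
assign_and_verify_key() {
  volume_ocid=$1; key_ocid=$2
  oci bv volume update --volume-id "$volume_ocid" --kms-key-id "$key_ocid" >/dev/null
  actual=$(oci bv volume get --volume-id "$volume_ocid" \
             --query 'data."kms-key-id"' --raw-output)
  [ "$actual" = "$key_ocid" ]
}

# Only talk to OCI when the caller supplies real OCIDs via the environment.
if [ -n "${COMPARTMENT_OCID:-}" ] && [ -n "${VOLUME_OCID:-}" ] && [ -n "${KEY_OCID:-}" ]; then
  create_policy "$COMPARTMENT_OCID" "BlockStorageUseKeys" \
    "$(build_policy_statement computecompartment)"
  assign_and_verify_key "$VOLUME_OCID" "$KEY_OCID" && echo "key assigned and verified"
fi
```

If the policy is created in a compartment other than the one holding the vault, the assignment fails with the permissions error shown in the screenshots above.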

[Screenshot Encryption key access policy_5: the IAM policy allowing Block Storage to use keys]

[Screenshot Assign_Encryption_key: assigning the encryption key to the volume]

[Screenshot Block Volume Encrypted: the volume now shows the customer-managed key]