25. OCI - Data Encryption at Rest in Oracle Cloud Infrastructure - pavankumarchittajallu/OCI_DOC GitHub Wiki

Step-by-Step Guide: Data Encryption at Rest in Oracle Cloud Infrastructure (OCI)

1. Understand Default Encryption

  • Automatic Encryption: All data stored in OCI—whether in block volumes, object storage, file storage, or databases—is automatically encrypted at rest using AES-256, an industry-standard encryption algorithm.
  • No Manual Enablement Needed: Encryption at rest is enabled by default and cannot be turned off for most OCI services.

2. Encryption Key Management Options

  • Oracle-Managed Keys: By default, OCI manages the encryption keys for you. This is the simplest option and requires no user intervention.
  • Customer-Managed Keys (CMK): For greater control, you can manage your own keys using the OCI Vault service. This allows you to create, rotate, and revoke encryption keys as needed.

3. Encrypting Data in Specific OCI Services

A. Block Volumes and Boot Volumes

  • Default: All data is encrypted at rest using Oracle-managed keys.
  • With Customer-Managed Keys:
    1. Create a vault and an encryption key in the OCI Vault service.
    2. Attach the key to your block volume during creation or update.
    3. Rotate or manage the key as needed using the Vault console or API.

B. Object Storage

  • Default: Each object is encrypted with its own data encryption key, which is encrypted with a master key assigned to the bucket.
  • Using Your Own Keys:
    1. Create a master encryption key in OCI Vault.
    2. Assign your key to the object storage bucket.
    3. Optionally, use the REST API or CLI to supply your own encryption keys for specific objects.

C. File Storage

  • Default: All file systems are encrypted at rest.
  • With Customer-Managed Keys:
    1. Create and manage encryption keys in OCI Vault.
    2. Assign the key to your file system when creating or updating it.

D. Databases

  • Transparent Data Encryption (TDE): Oracle databases in OCI use TDE for encrypting data at rest. You can use Oracle-managed keys or bring your own keys via OCI Vault.

4. Using OCI Vault for Key Management

  • Create a Vault: Navigate to the Vault service in the OCI Console and create a new vault.
  • Create Encryption Keys: Within the vault, generate or import encryption keys.
  • Assign Keys to Resources: When creating or updating storage or database resources, specify the encryption key from your vault.
  • Key Rotation: Regularly rotate keys for enhanced security. The Vault service supports scheduled and manual rotation.

5. Monitoring and Compliance

  • Audit Logs: Monitor key usage and access through OCI audit logs.
  • Compliance: Encryption at rest in OCI helps meet compliance requirements for data security and privacy.

6. Best Practices

  • Use Customer-Managed Keys for Sensitive Data: For maximum control and compliance, manage your own keys with OCI Vault.
  • Rotate Keys Regularly: Set up key rotation policies to reduce risk.
  • Restrict Access: Limit access to keys and vaults using OCI Identity and Access Management (IAM) policies.
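The two points above (sections 5 and 6) are easier to act on with a concrete policy and a concrete audit query. The script below is an added example, not part of the wiki page: it builds a least-privilege IAM policy for a vault compartment and creates it with `oci iam policy create`, then lists audit events for the key compartment. Group names (KeyAdmins, KeyAuditors), the compartment name and OCID, and the region are placeholders; the audit-event field names used in the JMESPath query (`data."event-name"`, `data.identity."principal-name"`, `"event-time"`) are assumed from the CLI's output shape. Set `OCI=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the wiki): least-privilege IAM policy for a vault
# compartment plus an audit-log query for key activity.
# All group names, compartment names/OCIDs and the region are placeholders.
set -eu

OCI="${OCI:-oci}"   # OCI=echo prints the composed commands instead of running them

KEY_COMPARTMENT_ID="${KEY_COMPARTMENT_ID:-ocid1.compartment.oc1..placeholder}"

# Compose the policy statements as the JSON array that
# `oci iam policy create --statements` expects.
# Only KeyAdmins may manage vaults and keys; auditors can read key metadata;
# the storage services that encrypt with the keys get "use" only. OCI has no
# implicit allow, so anything not listed here is denied.
policy_statements() {   # $1 = compartment name holding the vault, $2 = region identifier
  printf '%s' "[
  \"Allow group KeyAdmins to manage vaults in compartment $1\",
  \"Allow group KeyAdmins to manage keys in compartment $1\",
  \"Allow group KeyAuditors to read keys in compartment $1\",
  \"Allow service blockstorage, objectstorage-$2, FssOc1Prod to use keys in compartment $1\"
]"
}

# Create the policy in the compartment that contains the vault.
create_key_policy() {   # $1 = compartment OCID for the policy, $2 = compartment name, $3 = region
  $OCI iam policy create --compartment-id "$1" --name vault-key-access \
    --description "Least-privilege access to the vault and its keys" \
    --statements "$(policy_statements "$2" "$3")"
}

# List audit events for the key compartment in a time window and keep only
# the ones whose event name mentions a key. Field names are assumed from the
# CLI's audit event output; adjust if your output differs.
key_audit_events() {    # $1 = start time (RFC 3339), $2 = end time (RFC 3339)
  $OCI audit event list --compartment-id "$KEY_COMPARTMENT_ID" \
    --start-time "$1" --end-time "$2" --all \
    --query "data[?contains(data.\"event-name\", 'Key')].[data.\"event-name\", data.identity.\"principal-name\", \"event-time\"]" \
    --output table
}

# Run only when explicitly asked, so the file can be sourced for its functions.
if [ "${RUN_POLICY_SETUP:-0}" = "1" ]; then
  create_key_policy "$KEY_COMPARTMENT_ID" prod-vault us-phoenix-1
  key_audit_events 2024-01-01T00:00:00Z 2024-01-08T00:00:00Z
fi
```

Usage: `RUN_POLICY_SETUP=1 KEY_COMPARTMENT_ID=ocid1.compartment.oc1..yourvalue sh key-policy.sh`. Keeping keys in their own compartment is what makes these statements narrow: the "use keys" grant to the storage services then cannot reach keys held elsewhere.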

7. Example Workflow: Encrypting a Block Volume with a Customer-Managed Key

  1. Create a Vault in the OCI Console.
  2. Generate an Encryption Key in the vault.
  3. Create or Update a Block Volume, selecting your customer-managed key.
  4. Attach the Volume to your compute instance.
  5. Monitor and Rotate Keys as needed through the Vault dashboard.
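The same workflow driven from the OCI CLI, as an added example that is not part of the wiki page. It creates the vault and key, creates a block volume bound to the key, attaches it, checks that the volume really references the customer-managed key, and rotates the key; it also shows the equivalent key assignment for an existing bucket and file system (section 3). The compartment OCID, availability domain, instance OCID, bucket name and display names are placeholders. Set `OCI=echo` to print the composed commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the wiki): section-7 workflow with the OCI CLI.
# All OCIDs, names and the availability domain are placeholders.
set -eu

OCI="${OCI:-oci}"   # OCI=echo prints the composed commands instead of running them

COMPARTMENT_ID="${COMPARTMENT_ID:-ocid1.compartment.oc1..placeholder}"
AVAILABILITY_DOMAIN="${AVAILABILITY_DOMAIN:-Uocm:PHX-AD-1}"
INSTANCE_ID="${INSTANCE_ID:-ocid1.instance.oc1.phx.placeholder}"

# 1. Create the vault. Key operations go to the vault's management endpoint,
#    so that is what this function returns.
create_vault() {   # $1 = display name
  $OCI kms management vault create --compartment-id "$COMPARTMENT_ID" \
    --display-name "$1" --vault-type DEFAULT \
    --wait-for-state ACTIVE --query 'data."management-endpoint"' --raw-output
}

# 2. Create a 256-bit AES master key in the vault (key-shape length is in bytes).
create_key() {     # $1 = management endpoint, $2 = display name
  $OCI kms management key create --endpoint "$1" \
    --compartment-id "$COMPARTMENT_ID" --display-name "$2" \
    --key-shape '{"algorithm":"AES","length":32}' \
    --wait-for-state ENABLED --query 'data.id' --raw-output
}

# 3. Create a block volume encrypted with the customer-managed key.
create_volume() {  # $1 = key OCID, $2 = display name, $3 = size in GB
  $OCI bv volume create --compartment-id "$COMPARTMENT_ID" \
    --availability-domain "$AVAILABILITY_DOMAIN" --display-name "$2" \
    --size-in-gbs "$3" --kms-key-id "$1" \
    --wait-for-state AVAILABLE --query 'data.id' --raw-output
}

# Same key assigned to an existing bucket (section 3B) and file system (3C).
assign_key_to_bucket() {       # $1 = key OCID, $2 = bucket name
  $OCI os bucket update --bucket-name "$2" --kms-key-id "$1"
}
assign_key_to_file_system() {  # $1 = key OCID, $2 = file system OCID
  $OCI fs file-system update --file-system-id "$2" --kms-key-id "$1"
}

# 4. Attach the volume to the compute instance.
attach_volume() {  # $1 = volume OCID
  $OCI compute volume-attachment attach --instance-id "$INSTANCE_ID" \
    --volume-id "$1" --type paravirtualized --wait-for-state ATTACHED
}

# 5. Rotate: a new key version becomes current. The key OCID and the volume's
#    binding do not change, and data written under earlier versions stays
#    decryptable because the old versions remain in the vault.
rotate_key() {     # $1 = management endpoint, $2 = key OCID
  $OCI kms management key-version create --endpoint "$1" --key-id "$2"
}

# Check: read back the key the volume is actually bound to.
volume_key_id() {  # $1 = volume OCID
  $OCI bv volume get --volume-id "$1" --query 'data."kms-key-id"' --raw-output
}

run_workflow() {
  endpoint=$(create_vault cmk-vault)
  key_id=$(create_key "$endpoint" volume-master-key)
  volume_id=$(create_volume "$key_id" encrypted-data-volume 50)
  attach_volume "$volume_id"
  [ "$(volume_key_id "$volume_id")" = "$key_id" ] \
    || { echo "volume $volume_id is not using key $key_id" >&2; exit 1; }
  rotate_key "$endpoint" "$key_id"
}

# Run only when explicitly asked, so the file can be sourced for its functions.
if [ "${RUN_WORKFLOW:-0}" = "1" ]; then
  run_workflow
fi
```

Usage: `RUN_WORKFLOW=1 COMPARTMENT_ID=ocid1.compartment.oc1..yourvalue INSTANCE_ID=ocid1.instance.oc1.phx.yourvalue sh encrypt-volume.sh`. The read-back check in `run_workflow` is the part worth keeping in any automation: a volume created without `--kms-key-id` is still encrypted, but with an Oracle-managed key, so the only way to know the customer-managed key is in use is to inspect the resource.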

Summary:
OCI encrypts all data at rest by default using strong encryption. For advanced control, use the OCI Vault service to manage your own keys and integrate them with storage and database services. This approach ensures your data remains secure and compliant with industry standards.