Control: 4.2.2 Ensure boot volumes are encrypted with Customer Managed Key (CMK)

Description

When you launch a virtual machine (VM) or bare metal instance based on a platform image or custom image, a new boot volume for the instance is created in the same compartment. That boot volume is associated with that instance until you terminate the instance. By default, the Oracle service manages the keys that encrypt this boot volume. Boot Volumes can also be encrypted using a customer managed key.

Remediation

From Console

1. Login to OCI Console.
2. Click in the search bar, top of the screen.
3. Type Advanced Resource Query and click enter.
4. Click the Advanced Resource Query button in the upper right of the screen.
5. Enter the following query in the query box:

query bootvolume resources

6. For each boot volume returned click on the link under Display name.
7. Ensure Encryption Key does not say Oracle managed key.
8. Repeat for other subscribed regions.
9. For each Boot Volume in the returned results, click the Boot Volume name.
10. Click Assign next to Encryption Key.
11. Select the Vault Compartment and Vault.
12. Select the Master Encryption Key Compartment and Master Encryption key.
13. Click Assign.

From Command Line

1. Execute the following command:

for region in `oci iam region list | jq -r '.data[] | .name'`;
  do
  for bvid in `oci search resource structured-search --region $region -- query-text "query bootvolume resources" 2>/dev/null | jq -r '.data.items[] | .identifier'`
    do
    output=`oci bv boot-volume get --boot-volume-id $bvid 2>/dev/null
    | jq -r '.data | select(."kms-key-id" == null).id'`
    if [ ! -z "$output" ]; then echo $output; fi
    done
  done

2. Ensure query returns no results.
3. For each boot volume identified get its OCID. Execute the following command:

oci os bucket update --bucket-name <bucket-name> --kms-key-id <masterencryption-key-id>