Control: 5.2.1 Ensure Block Volumes are encrypted with Customer Managed Keys (CMK)

Description

Oracle Cloud Infrastructure Block Volume service lets you dynamically provision and manage block storage volumes. By default, the Oracle service manages the keys that encrypt block volumes. Block Volumes can also be encrypted using a customer managed key.

Terminated Block Volumes cannot be recovered and any data on a terminated volume is permanently lost. However, Block Volumes can exist in a terminated state within the OCI Portal and CLI for some time after deleting. As such, any Block Volumes in this state should not be considered when assessing this policy.

Encryption of block volumes provides an additional level of security for your data. Management of encryption keys is critical to protecting and accessing protected data. Customers should identify block volumes encrypted with Oracle service managed keys in order to determine if they want to manage the keys for certain volumes and then apply their own key lifecycle management to the selected block volumes.

Remediation

From Console

1. Follow the audit procedure above.
2. For each block volume returned, click the link under Display name.
3. If the value for Encryption Key is Oracle-managed key, click Assign next to Oracle-managed key.
4. Select a Vault Compartment and Vault.
5. Select a Master Encryption Key Compartment and Master Encryption key.
6. Click Assign.

From CLI

1. Follow the audit procedure.
2. For each boot volume identified, get the OCID.
3. Execute the following command:

oci bv volume-kms-key update –volume-id <volume OCID> --kms-key-id <kms keyOCID>