Control: 5.2.2 Ensure boot volumes are encrypted with Customer Managed Key (CMK)
Description
When you launch a virtual machine (VM) or bare metal instance from a platform image or custom image, a new boot volume for the instance is created in the same compartment. That boot volume stays associated with the instance until you terminate the instance. By default, the Oracle service manages the keys that encrypt this boot volume. Boot volumes can instead be encrypted with a customer-managed key (CMK) held in OCI Vault.
Encryption of boot volumes provides an additional level of protection for your data, and control of the encryption keys is critical to protecting and governing access to that data. With a CMK you own the key lifecycle (rotation, disabling, and deletion, which renders the volume unreadable) and can audit key usage. Customers should identify boot volumes encrypted with Oracle-managed keys, decide which of them warrant customer-managed keys, and then apply their own key lifecycle management to the selected boot volumes.
Remediation
From Console
- Follow the audit procedure above to identify boot volumes that are not encrypted with a CMK.
- For each boot volume in the returned results, click the boot volume name.
- Click Assign next to Encryption Key.
- Select the Vault Compartment and Vault.
- Select the Master Encryption Key Compartment and Master Encryption Key.
- Click Assign.
From CLI
- Follow the audit procedure to identify boot volumes that are not encrypted with a CMK.
- For each boot volume identified, get its OCID and run:
oci bv boot-volume-kms-key update --boot-volume-id <Boot Volume OCID> --kms-key-id <KMS Key OCID>
The key must live in a Vault in the same region as the boot volume, and the Block Volume service must be authorized to use it: without an IAM policy granting service blockstorage use of keys in the key's compartment, the update is rejected.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_5_2_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_5_2_2 --share
SQL
This control uses a named query:
blockstorage_boot_volume_cmk_encryption_enabled
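The named query itself is not reproduced on this page. The following is an added, illustrative version of the check written for this page; it is not the mod's actual blockstorage_boot_volume_cmk_encryption_enabled query. It assumes the Steampipe OCI plugin tables oci_core_boot_volume (with a kms_key_id column that is null when the volume is encrypted with an Oracle-managed key) and oci_identity_compartment, and it follows the Powerpipe control contract of returning resource, status and reason columns, with region and compartment as extra dimensions. The second statement generates the CLI remediation commands from the same audit condition, with the key OCID left as a placeholder to fill in.

```sql
-- Control-style query: one row per boot volume, status 'alarm' when no CMK is assigned.
-- Terminated volumes are excluded so that deleted resources do not keep raising alarms.
-- Illustrative example, not the project's own query; table and column names are assumptions.
select
  v.id as resource,
  case
    when v.kms_key_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when v.kms_key_id is null then v.title || ' is encrypted with an Oracle-managed key.'
    else v.title || ' is encrypted with customer managed key ' || v.kms_key_id || '.'
  end as reason,
  v.region,
  coalesce(c.name, 'root') as compartment
from
  oci_core_boot_volume as v
  left join oci_identity_compartment as c on c.id = v.compartment_id
where
  v.lifecycle_state <> 'TERMINATED';

-- Ad hoc audit for the CLI remediation step: emit one ready-to-run command per
-- non-compliant boot volume. Replace <KMS Key OCID> with the key from your Vault
-- in the same region as the volume before running the output.
select
  v.region,
  v.display_name,
  format(
    'oci bv boot-volume-kms-key update --boot-volume-id %s --kms-key-id <KMS Key OCID>',
    v.id
  ) as remediation_command
from
  oci_core_boot_volume as v
where
  v.kms_key_id is null
  and v.lifecycle_state <> 'TERMINATED'
order by
  v.region,
  v.display_name;
```

Both statements run from the steampipe query shell or psql against the Steampipe service. Because a boot volume can only use a key from a Vault in its own region, group the generated commands by region and pick the key OCID per region rather than using one key tenancy-wide.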