Control: 5.3.1 Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK)

Description

Oracle Cloud Infrastructure File Storage service (FSS) provides a durable, scalable, secure, enterprise-grade network file system. By default, the Oracle service manages the keys that encrypt FSS file systems. FSS file systems can also be encrypted using a customer managed key.

Encryption of FSS systems provides an additional level of security for your data. Management of encryption keys is critical to protecting and accessing protected data. Customers should identify FSS file systems that are encrypted with Oracle service managed keys in order to determine if they want to manage the keys for certain FSS file systems and then apply their own key lifecycle management to the selected FSS file systems.

Remediation

From Console

1. Follow the audit procedure above.
2. For each File Storage System in the returned results, click the File System Storage.
3. Click Edit next to Encryption Key.
4. Select Encrypt using customer-managed keys.
5. Select the Vault Compartment and Vault.
6. Select the Master Encryption Key Compartment and Master Encryption key.
7. Click Save Changes.

From CLI

1. Follow the audit procedure.
2. For each File Storage System identified get its OCID. Execute the following command:

oci bv volume-kms-key update –volume-id <volume OCID> --kms-key-id <kms keyOCID>