Oracle Cloud Infrastructure Documentation

Encrypting a File System

File Storage file systems use Oracle-managed keys to encrypt a file system by default, which leaves all encryption-related matters to Oracle. Optionally, you can encrypt the data in a file system using your own Vault encryption key.

To encrypt a file system with your own key, ensure that the following prerequisites are met:

  • At least one key vault and key in the Vault service. For more information, see Overview of Vault.
    Caution

    Be sure to back up vaults and keys. Deleting a vault and key otherwise means losing the ability to decrypt any resource or data that the key was used to encrypt. For more information, see Backing Up and Restoring Vaults and Keys.

  • Set the permissions that allow the File Storage service to use keys.

Note

Only symmetric Advanced Encryption Standard (AES) keys are supported for file system encryption.

Required IAM Policy

File systems encrypted using your own key require the ability to read keys stored in Vault. File Storage uses resource principals to grant a specific set of file systems access to the Vault key. This is a two step process, first the file systems which need access must be put into a dynamic group, and then the dynamic group is granted access to read the keys.

  1. Create a dynamic group for the file systems with a rule such as the following:

    ALL { resource.type='filesystem', resource.compartment.id = '<file_system_compartment_OCID>' }
    Note

    If you have more than one rule in the dynamic group, ensure that you use Match any rules defined below option.

  2. Create an IAM policy that gives the dynamic group of file systems access to Vault keys:

    allow dynamic-group <dynamic_group_name> to use keys in compartment <key_compartment_name>
    1. Open the navigation menu and click Storage. Under File Storage, click File Systems.
    2. Under List scope, in the Compartment list, choose the compartment that contains the file system that you want to encrypt with a Vault master encryption key.
    3. From the list of file systems, click the file system name.
    4. On the file system's details page, next to Encryption key, click Edit.
    5. In the Edit Master encryption key dialog box, select Encrypt using customer-managed keys.
      Note

      If you assign a Vault key to a file system, you can later return the file system to using Oracle-managed keys for encryption by selecting Encrypt using Oracle-managed keys.
    6. Select the Vault Compartment, Vault, Master encryption key Compartment, and Master encryption key.
    7. Click Save changes.

  • Use the fs file-system update command and required parameters to encrypt the file system using the specified key:

    oci fs file-system update --file-system-id <file_system_OCID> --kms-key-id <target_key_id>

    Leave the --kms-key-id value unspecified to use Oracle-managed keys for encryption:

    oci fs file-system update --file-system-id <file_system_OCID> --kms-key-id ""

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the UpdateFileSystem operation to manage file system encryption.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.