Encrypting a File System

File Storage file systems use Oracle-managed keys to encrypt a file system by default, which leaves all encryption-related matters to Oracle. Optionally, you can encrypt the data in a file system using your own Vault encryption key.

To encrypt a file system with your own key, ensure that the following prerequisites are met:

  • At least one key vault and key in the Vault service. For more information, see Overview of Vault.
    Caution

    Be sure to back up vaults and keys. Deleting a vault and key otherwise means losing the ability to decrypt any resource or data that the key was used to encrypt. For more information, see Backing Up and Restoring Vaults and Keys.
  • Set the permissions that allow the File Storage service to use keys. For example:

    Allow service <file_storage_service_user> to use keys in compartment <compartment_name>

    The name of the File Storage service user depends on your realm. For realms with a realm key number of 10 or less, the File Storage service user follows the pattern FssOc<n>Prod, where n is the realm key number. Realms with a realm key number greater than 10 use the service user fssocprod. For more information about realms, see About Regions and Availability Domains.

    For more information about permissions, see Common Policies.

Note

Only symmetric Advanced Encryption Standard (AES) keys are supported for file system encryption.
  • Using the Console:
    1. Open the navigation menu and click Storage. Under File Storage, click File Systems.
    2. Under List scope, in the Compartment list, choose the compartment that contains the file system that you want to encrypt with a Vault master encryption key.
    3. From the list of file systems, click the file system name.
    4. On the file system's details page, next to Encryption key, click Edit.
    5. In the Edit Master encryption key dialog box, select Encrypt using customer-managed keys.
      Note

      If you assign a Vault key to a file system, you can later return the file system to using Oracle-managed keys for encryption by selecting Encrypt using Oracle-managed keys.
    6. Select the Vault Compartment, Vault, Master encryption key Compartment, and Master encryption key.
    7. Click Save changes.
  • Using the CLI, run the fs file-system update command with the required parameters to encrypt the file system using the specified key:

    oci fs file-system update --file-system-id <file_system_OCID> --kms-key-id <target_key_id>

    Leave the --kms-key-id value unspecified to use Oracle-managed keys for encryption:

    oci fs file-system update --file-system-id <file_system_OCID> --kms-key-id ""

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Using the API, run the UpdateFileSystem operation to manage file system encryption.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
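The following added example (not Oracle's code) ties together the policy prerequisite and the CLI update above: it derives the File Storage service user from a realm key number, builds the key-use policy statement, and audits which file systems still rely on Oracle-managed keys by reading the JSON that `oci fs file-system list --output json` produces. It assumes that output uses hyphenated field names such as `kms-key-id` and that an empty or null value means Oracle-managed encryption; the OCIDs in the sample are constructed placeholders.

```python
import json


def file_storage_service_user(realm_key_number: int) -> str:
    """Return the File Storage service user for a realm (rule stated on this page).

    Realm key numbers of 10 or less use FssOc<n>Prod; larger numbers use fssocprod.
    """
    if realm_key_number < 1:
        raise ValueError("realm key number must be a positive integer")
    if realm_key_number <= 10:
        return f"FssOc{realm_key_number}Prod"
    return "fssocprod"


def key_use_policy(realm_key_number: int, compartment_name: str) -> str:
    """Build the IAM statement that lets File Storage use keys in a compartment."""
    return (f"Allow service {file_storage_service_user(realm_key_number)} "
            f"to use keys in compartment {compartment_name}")


def audit_file_system_keys(list_output_json: str, approved_key_ids) -> dict:
    """Classify each file system from `oci fs file-system list --output json`.

    Assumption: an empty or null "kms-key-id" means Oracle-managed keys.
    Returns {file_system_id: "oracle-managed" | "customer-managed" | "unapproved-key"}.
    """
    result = {}
    for fs in json.loads(list_output_json)["data"]:
        key_id = fs.get("kms-key-id") or ""
        if not key_id:
            result[fs["id"]] = "oracle-managed"
        elif key_id in approved_key_ids:
            result[fs["id"]] = "customer-managed"
        else:
            result[fs["id"]] = "unapproved-key"   # key outside the approved vault set
    return result


# Constructed sample output; the OCIDs are placeholders, not real identifiers.
SAMPLE_LIST_OUTPUT = json.dumps({"data": [
    {"id": "ocid1.filesystem.oc1..EXAMPLE1", "display-name": "fs-default", "kms-key-id": None},
    {"id": "ocid1.filesystem.oc1..EXAMPLE2", "display-name": "fs-vault", "kms-key-id": "ocid1.key.oc1..EXAMPLEKEY"},
    {"id": "ocid1.filesystem.oc1..EXAMPLE3", "display-name": "fs-other", "kms-key-id": "ocid1.key.oc1..OTHERKEY"},
]})

if __name__ == "__main__":
    print(key_use_policy(1, "storage-compartment"))
    for fs_id, status in audit_file_system_keys(SAMPLE_LIST_OUTPUT, {"ocid1.key.oc1..EXAMPLEKEY"}).items():
        print(fs_id, status)
```

Feed the function real `oci fs file-system list --output json` output to list file systems that should be switched to a customer-managed key with the update command shown above.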