Remediation

Encrypt the Block Volume with a Customer Managed Key

Configure the affected block volume to use a customer managed key from OCI Vault. Before applying the change, confirm that the target key is enabled and that the Block Volume service has permission to use it.

From Oracle Cloud Console

  1. Follow the audit procedure in the policy description to identify affected block volumes.
  2. For each affected block volume, click the link under Display name.
  3. If Encryption Key is set to Oracle-managed key, click Assign next to Oracle-managed key.
  4. Select the target Vault compartment and Vault.
  5. Select the target master encryption key compartment and master encryption key.
  6. Click Assign.
  7. Confirm that Encryption Key shows the intended customer managed key.

From OCI CLI

Assign a customer managed key to the existing block volume:

oci bv volume-kms-key update \
--volume-id {{volume-ocid}} \
--kms-key-id {{kms-key-ocid}}

When creating a new block volume, specify the customer managed key at creation:

oci bv volume create \
--compartment-id {{compartment-ocid}} \
--availability-domain {{availability-domain}} \
--display-name {{volume-name}} \
--size-in-gbs {{size-in-gbs}} \
--kms-key-id {{kms-key-ocid}}

After remediation, verify that the volume references the intended key:

oci bv volume get \
--volume-id {{volume-ocid}} \
--query "data.\"kms-key-id\""
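The audit, precondition check, remediation and verification steps above can be driven from saved OCI CLI JSON output. The following Python is an added example, not part of the original page or of the OCI tooling; it parses the output of `oci bv volume list --all`, `oci kms management key get` and `oci bv volume get`, and the sample documents and OCIDs in it are constructed placeholders.

```python
"""Audit/remediate helpers for OCI block volumes still using an Oracle-managed key.

Added example (not the page's own code). It operates on the JSON printed by
the OCI CLI, so it can be run offline on saved output; the documents below are
constructed samples and the OCIDs are placeholders, not real resources.
"""
import json
import shlex

# Constructed sample of `oci bv volume list --all --compartment-id <ocid>`.
SAMPLE_VOLUME_LIST = json.dumps({"data": [
    {"id": "ocid1.volume.oc1..example-a", "display-name": "db-data",
     "lifecycle-state": "AVAILABLE", "kms-key-id": None},
    {"id": "ocid1.volume.oc1..example-b", "display-name": "app-logs",
     "lifecycle-state": "AVAILABLE", "kms-key-id": "ocid1.key.oc1..example-key"},
    {"id": "ocid1.volume.oc1..example-c", "display-name": "old-scratch",
     "lifecycle-state": "TERMINATED", "kms-key-id": None},
]})

# Constructed sample of `oci kms management key get --key-id <ocid> --endpoint <vault management endpoint>`.
SAMPLE_KEY_GET = json.dumps({"data": {"id": "ocid1.key.oc1..example-key",
                                     "lifecycle-state": "ENABLED"}})


def volumes_using_oracle_managed_key(volume_list_json):
    """Audit: IDs of non-terminated volumes whose kms-key-id is null,
    i.e. volumes still encrypted with the Oracle-managed key."""
    return [v["id"] for v in json.loads(volume_list_json)["data"]
            if v.get("lifecycle-state") != "TERMINATED" and not v.get("kms-key-id")]


def key_is_enabled(key_get_json, expected_key_id):
    """Precondition from the page: the target key exists and is ENABLED."""
    key = json.loads(key_get_json)["data"]
    return key["id"] == expected_key_id and key["lifecycle-state"] == "ENABLED"


def remediation_commands(volume_ids, kms_key_id):
    """Build one `oci bv volume-kms-key update` command per affected volume."""
    return [f"oci bv volume-kms-key update --volume-id {shlex.quote(v)} "
            f"--kms-key-id {shlex.quote(kms_key_id)}" for v in volume_ids]


def volume_uses_key(volume_get_json, expected_key_id):
    """Post-check: `oci bv volume get` output references the intended key."""
    return json.loads(volume_get_json)["data"].get("kms-key-id") == expected_key_id
```

Run the commands returned by `remediation_commands` only after `key_is_enabled` passes for the target key, then feed each `oci bv volume get` result to `volume_uses_key`.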