Skip to main content


4.2.1 Encrypt Block Volumes with Customer Managed Keys (CMK) (Automated)


Oracle Cloud Infrastructure Block Volume service lets you dynamically provision and manage block storage volumes. By default, the Oracle service manages the keys that encrypt block volumes. It is also possible to encrypt Block Volumes using a customer managed key.

It is not possible to recover terminated Block Volumes, and any data on a terminated volume is permanently lost. However, Block Volumes can exist in a terminated state within the OCI Portal and CLI for some time after deleting. As such, this policy does not assess any Block Volumes in this state.


From Console:

  1. Login to the OCI Console.

  2. Click the search bar at the top of the screen.

  3. Type 'Advanced Resource Query' and press return.

  4. Click 'Advanced resource query'.

  5. Enter the following query in the query box:

    query volume resources
  6. Click Search.

  7. For each block volume returned, click the link under Display name.

  8. If the value for Encryption Key is 'Oracle-managed key', click Assign next to 'Oracle-managed key'.

  9. Select a Vault Compartment and Vault.

  10. Select a Master Encryption Key Compartment and Master Encryption Key.

  11. Click Assign.

From CLI:

  1. Execute the following command:

    for region in $(oci iam region list | jq -r '.data[] | .name')
    echo "Enumerating region $region"
    for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')
    echo "Enumerating compartment $compid"
    for blockVolumeId in $(oci bv volume list --compartment-id $compartmentId --region $region 2>/dev/null | jq -r '.data[] | select(."kms-key-id" == null).id')
    output=$(oci bv volume get --volume-id $blockVolumeId --region $region --query=data.{"name:\"display-name\","id:id""} --output table 2>/dev/null)
    if [ ! -z "$output" ]; then echo $output; fi
  2. For each boot volume identified, get the Oracle Cloud Identifier (OCID).

  3. Execute the following command:

    oci bv volume-kms-key update -volume-id <volume OCID> --kms-key-id <kms key OCID>


Encrypting with a Customer Managed Key requires a Vault and a Customer Master Key. In addition, you must authorize the Block Volume service to use the keys you create.

Required Identity and Access Management (IAM) Policy:

Allow service blockstorage to use keys in compartment <compartment-id> where = '<key_ocid>'