Changing the Assigned Master Encryption Key
Change the assigned key for a Block Volume resource, such as a volume or volume backup. You can assign a customer-managed key or an Oracle-managed key. When you change the key, the data key is re-encrypted. (The content of the resource isn't re-encrypted for a key change.)
See also Update a Key to a Block Volume.
Requirements
Customer-Managed Encryption Keys for Cross-Region Operations
Vault encryption keys for volumes aren't copied to the destination region for scheduled volume and volume group backups that are enabled for cross-region copy. Instead, you can specify a Vault encryption key for the copied backup when you assign the backup policy. If the policy is enabled for cross-region backup copies, select Encrypt using customer-managed keys for Cross region backup copy encryption to encrypt the volume or volume group backup in the destination region. If you select this option, you must specify the OCID of a valid encryption key in the destination region, as described in the requirements that follow.
When you specify a customer-managed encryption key for cross-region operations, ensure the following:
- The OCID is a valid OCID for the encryption key, in a format similar to the following:
ocid1.key.oc1.iad-ad-1.<unique_ID>
- The OCID is for an encryption key that exists in the destination region for the cross-region operation.
- You have the required permissions configured in the destination region to use encryption keys with Block Volume. For more information, see the following:
If you don't specify a customer-managed encryption key for cross-region operations, an Oracle-managed encryption key is used by default. These requirements don't apply to Oracle-managed encryption keys.
Cross-Region Backup Copies
When you manually copy a volume backup between regions, you can use the Oracle-managed key or your own encryption key. When you assign a backup policy with cross-region backup copies enabled to a volume or volume group, or perform a manual cross-region backup copy, you can optionally select Encrypt using customer-managed keys for Cross region backup copy encryption to encrypt the volume backup in the destination region. If you select this option, you must specify the OCID of a valid encryption key in the destination region.
See also Customer-Managed Encryption Keys for Cross-Region Operations.
Use the relevant resource-specific command and required parameters to assign a master encryption key.
For example, for a block volume backup, use oci bv backup update.
- Example 1: Customer-managed key:
oci bv backup update --backup-id=<backup_ID> --kms-key-id=<key_ID>
- Example 2: Oracle-managed key (empty string for the key ID):
oci bv backup update --backup-id=<backup_ID> --kms-key-id=''
For a volume, use oci bv volume-kms-key update.
oci bv volume-kms-key update --volume-id=<volume_ID> --kms-key-id=<key_ID>
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
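The following added example (not Oracle's own tooling) checks a key OCID against the requirements above before building the CLI command, and treats an empty key ID as a switch back to an Oracle-managed key. It assumes the region sits in the fourth dot-separated field of the key OCID (as in the ocid1.key.oc1.iad-ad-1.<unique_ID> format shown on this page) and that the leading hyphen-separated token of that field is the region code to compare with the destination region.

```shell
#!/bin/sh
# Return the region code from a key OCID of the form
# ocid1.key.oc1.<region>.<unique_ID>; fail on any other shape.
# Assumption: the region code is the part of field 4 before the first hyphen.
key_ocid_region() {
    case "$1" in
        ocid1.key.oc1.*.*) ;;
        *) return 1 ;;
    esac
    [ -n "$(printf '%s' "$1" | cut -d. -f5)" ] || return 1   # unique_ID present
    printf '%s\n' "$1" | cut -d. -f4 | cut -d- -f1
}

# Succeed only if the key OCID is well formed and belongs to the destination region.
validate_key_for_region() {
    key_ocid="$1"; dest_region="$2"
    region=$(key_ocid_region "$key_ocid") || return 1
    [ -n "$region" ] && [ "$region" = "$dest_region" ]
}

# Build the resource-specific update command from this page.
# An empty key ID selects an Oracle-managed key, as in Example 2 above.
build_update_command() {
    kind="$1"; resource_id="$2"; key_ocid="$3"
    case "$kind" in
        backup) printf "oci bv backup update --backup-id=%s --kms-key-id='%s'\n" \
                    "$resource_id" "$key_ocid" ;;
        volume) printf "oci bv volume-kms-key update --volume-id=%s --kms-key-id='%s'\n" \
                    "$resource_id" "$key_ocid" ;;
        *) return 1 ;;
    esac
}

# Validate a customer-managed key (when given) and print the command to run.
assign_key() {
    kind="$1"; resource_id="$2"; key_ocid="$3"; dest_region="$4"
    if [ -n "$key_ocid" ]; then
        validate_key_for_region "$key_ocid" "$dest_region" || {
            echo "refusing: $key_ocid is not a valid key OCID in region $dest_region" >&2
            return 1
        }
    fi
    build_update_command "$kind" "$resource_id" "$key_ocid"
}

# Constructed sample values (placeholders, not real OCIDs).
assign_key volume ocid1.volume.oc1.iad.EXAMPLEVOL ocid1.key.oc1.iad-ad-1.EXAMPLEKEY iad
```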
Run the relevant resource-specific operation to assign a master encryption key.
For example, for a block volume backup, run the UpdateVolumeBackup operation and specify the encryption key OCID in the kmsKeyId attribute.
For a volume, run the UpdateVolumeKmsKey operation and specify the encryption key OCID in the kmsKeyId attribute.