Using Your Own Master Key with Roving Edge Infrastructure Devices

Describes how to set up a user-provided KMS-based master key to manage secret information on Roving Edge Infrastructure devices.

By default, Oracle manages secret information on your Roving Edge Infrastructure devices, such as the superuser passphrase and unlock password, using a KMS-based master key. Oracle also employs a hardware security module to further protect this data. However, as an alternative to relying on Oracle's master key to manage this secret data, you can provide your own KMS-based master key from your own OCI tenancy.

Note

You can only provide your own master key when creating the node or cluster resource. You cannot edit an existing node or cluster resource to use your own master key if the resource was originally created using an Oracle-provided master key.

Writing the Master Key Policy

To use your own master key, you must first write a policy that authorizes this capability using one of the following methods:

  • Using the Oracle Cloud Infrastructure Console:

    Create the following policy:

    allow service rover to use keys in compartment ID compartment-id where target.key.id = master-key-id

    where master-key-id is the master key OCID in the customer tenancy that is used to encrypt customer secret information like the superuser password and unlock passphrase. For example:

    allow service rover to use keys in compartment ID compartment-id where target.key.id = 'ocid1.key.region1..exampleuniqueID'
  • Using the CLI:

    Enter the following command:

    oci rover policy create-master-key-policy --master-key-id master_key_id --policy-compartment-id policy_compartment_id --policy-name policy_name

    For example:

    oci rover policy create-master-key-policy --master-key-id 'ocid1.key.region1..exampleuniqueID' --policy-compartment-id 'ocid1.tenancy.region1..exampleuniqueID' --policy-name 'test-policy'
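As an added pre-flight check (example code written for this page, not part of Oracle's documentation or CLI), the following Python parses policy statements of the shape shown above and reports whether a policy in the compartment grants the rover service use of exactly the intended key, or a wider grant with no key scope. The OCIDs and the policy list are constructed placeholders; in practice the statements would be fed from an IAM policy listing of the policy compartment.

```python
import re

# Constructed sample OCIDs (same placeholder shape as the page's examples, not real resources).
KEY_ID = "ocid1.key.region1..exampleuniqueID"
POLICY_COMPARTMENT_ID = "ocid1.tenancy.region1..exampleuniqueID"

# Shape of the page's statement. The 'where' clause is optional in the regex so that a grant
# with no key scope (every key in the compartment) is flagged instead of silently accepted.
_STATEMENT_RE = re.compile(
    r"^allow\s+service\s+rover\s+to\s+use\s+keys\s+in\s+compartment\s+id\s+(?P<compartment>\S+)"
    r"(?:\s+where\s+target\.key\.id\s*=\s*'?(?P<key>[^'\s]+)'?)?\s*$",
    re.IGNORECASE,
)

def build_master_key_statement(compartment_id: str, key_id: str) -> str:
    """Render the single-key policy statement from the page for the given OCIDs."""
    return (f"allow service rover to use keys in compartment id {compartment_id} "
            f"where target.key.id = '{key_id}'")

def classify_statement(statement: str, compartment_id: str, key_id: str) -> str:
    """'scoped' = grants exactly this key; 'unscoped' = grants every key in the compartment
    (wider than the page's policy); 'other-key' = scoped to a different key; else 'unrelated'."""
    m = _STATEMENT_RE.match(statement.strip())
    if not m or m["compartment"].lower() != compartment_id.lower():
        return "unrelated"
    if m["key"] is None:
        return "unscoped"
    return "scoped" if m["key"].lower() == key_id.lower() else "other-key"

def audit_policies(policies, compartment_id, key_id):
    """policies: list of {'name': str, 'statements': [str]} as an IAM policy listing returns.
    Returns policy names per class so the caller can confirm the rover grant exists before
    creating the node and spot grants that are wider than one key."""
    result = {"scoped": [], "unscoped": [], "other-key": []}
    for p in policies:
        for s in p["statements"]:
            kind = classify_statement(s, compartment_id, key_id)
            if kind in result and p["name"] not in result[kind]:
                result[kind].append(p["name"])
    return result

# Constructed sample: what a policy listing for the policy compartment might contain.
SAMPLE_POLICIES = [
    {"name": "test-policy", "statements": [build_master_key_statement(POLICY_COMPARTMENT_ID, KEY_ID)]},
    {"name": "wide-policy", "statements": [f"Allow service rover to use keys in compartment ID {POLICY_COMPARTMENT_ID}"]},
    {"name": "admins", "statements": ["allow group Admins to manage all-resources in tenancy"]},
]
```

Running audit_policies(SAMPLE_POLICIES, POLICY_COMPARTMENT_ID, KEY_ID) lists test-policy as scoped and wide-policy as unscoped, which is the case worth tightening to a single key before creating the node.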

Selecting the Vault and Master Key

After you write the policy, select your vault and master key and the compartments in which they reside using one of the following methods:

  • Using the Oracle Cloud Infrastructure Console:

    When you create a Roving Edge Infrastructure node or cluster resource using the Create dialog box within the Oracle Cloud Infrastructure Console, the Encryption Key section appears. Here you can select one of the following options:

    • Encrypt using Oracle-managed keys: Choose to have key encryption managed by the Oracle Cloud Infrastructure service. No further action is required.

    • Encrypt using customer managed keys: Choose to provide your own encryption key.

      If you choose to provide your own key, the Encryption Key section displays the additional fields:

      • Vault Compartment: Select the compartment containing the vault you want from the list.

      • Vault: Select one of the vaults from the list contained within the vault compartment you previously chose.

      • Master Encryption Key Compartment: Select the compartment containing the master encryption key you want from the list.

      • Master Encryption Key: Select one of the master encryption keys from the list within the master encryption key compartment you previously chose.

  • Using the CLI:

    Include the master-key-id option when you create the Roving Edge Infrastructure node or cluster resource. For example:

    oci rover node create --display-name display_name --compartment-id compartment_id --shape shape --master-key-id master_key_id --policy-compartment-id policy_compartment_id --policy-name policy_name

    or

    oci rover standalone-cluster create --display-name display_name --compartment-id compartment_id --master-key-id master_key_id --policy-compartment-id policy_compartment_id --policy-name policy_name

    For example:

    oci rover node create --display-name 'test1' --compartment-id 'ocid1.tenancy.region1..exampleuniqueID' --shape RED_GPU_1_RX1_40 --master-key-id 'ocid1.key.region1..exampleuniqueID' --policy-compartment-id 'ocid1.tenancy.region1..exampleuniqueID' --policy-name 'test-policy'

After setting up the master key policy, RCS is invoked to validate access to the vault as part of creating the node or cluster.