Creating a Secure Block Volume

This topic describes how to use Security Advisor to create a secure block volume. In this context, a secure block volume is one that is encrypted with a customer-managed key and therefore meets minimum security requirements established by security zones. The process involves creating not only the block volume, but also the Vault key that you want to use to encrypt the volume, and then assigning the key to the volume. (You cannot use Security Advisor to assign existing encryption keys, but you can use an existing vault to create a new key.)

Using Security Advisor to create a block volume comes with some limitations. You cannot use Security Advisor to create a block volume with a backup policy. See Policy-Based Backups for more information about backup policies.

Other security considerations exist outside Security Advisor, particularly regarding the use of resources after you create them. We strongly encourage you to learn more about Oracle Cloud Infrastructure Compute and Oracle Cloud Infrastructure Block Volume security features and best practices, and then implement them with your newly created resources. For more information, see Securing Compute, Securing Block Volume, and Best Practices for Your Compute Instance.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

For administrators:

  • The following policy lets the specified group do everything with block storage volumes, volume backups, and volume groups in the specified compartment:
    Allow group CreateSecureBlockVolumeGroup to manage volume-family in compartment CompartmentABC
  • The following policy lets the specified group do everything with vaults in the specified compartment, which might not be the same compartment as the volume compartment. (If you prefer, you can write a policy that grants the use vaults permission instead. With that permission, the specified group can use existing vaults, but cannot create new ones.)
    Allow group CreateSecureBlockVolumeGroup to manage vaults in compartment CompartmentDEF
  • The following policy lets the specified group do everything with keys in the specified compartment, which must be the same compartment as the vault compartment:
    Allow group CreateSecureBlockVolumeGroup to manage keys in compartment CompartmentDEF
  • The following policy lets the Block Volume service list, view, and perform cryptographic operations with all keys in the specified compartment:
    Allow service blockstorage to use keys in compartment CompartmentDEF

For more information about how policies work, see How Policies Work.

Using the Console

To create a secure block volume

  1. Open the navigation menu, click Identity & Security, and then click Security Advisor.
  2. Click Create Secure Bucket.
  3. Review the prerequisites for getting started, and then click Next when you're ready.
  4. Do one of the following:
    • To create a master encryption key in an existing vault, click Choose existing vault.
    • To create a master encryption key in a new vault, click Create new vault.
  5. Then, do one of the following:
    • If you chose to use an existing vault in the previous step, choose the compartment where the vault resides, and then choose the vault.
    • If you chose to create a new vault in the previous step, choose the compartment where you want to create the vault, and then enter a display name to identify the vault. Avoid entering confidential information. Optionally, make the vault a virtual private vault by selecting the Make it a virtual private vault check box. For more information about vault types, see Key and Secret Management Concepts.
    When you're ready, click Next.
  6. Click Key Name, and then enter a name to identify the key. Avoid entering confidential information.
  7. Key Shape: Length is fixed at 256 bits; you cannot select a shorter key, so the key length always meets the security zone requirement.
  8. Optionally, if you want to import key material to create a key, select the Import external key check box. Importing key material requires you to first generate the key material and wrap it using a vault's public wrapping key. This means that you cannot use Security Advisor to create a key using imported key material without an existing vault. For more information about importing keys, see Importing Keys and Key Versions.
  9. Optionally, to apply tags, click Show Tagging Options. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator. When you're ready, click Next.
  10. On the Create Block Volume page, specify the attributes of the volume:
    • Block Volume Name: A user-friendly name or description. Avoid entering confidential information.
    • Compartment: The compartment where you want to create the volume.
    • Availability Domain: Must be the same availability domain as the instance you plan to attach this block volume to.
    • Volume Size and Performance: The volume size must be between 50 GB and 32 TB, and you can choose any size in 1 GB increments within this range. The default is 1024 GB. If you choose a size outside of your service limit, you may be prompted to request an increase. For more information, see Service Limits. The default performance level is Balanced. See Block Volume Performance for more information about volume performance levels.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
    When you're ready, click Next.
  11. Review the summary of the resources that Security Advisor will create, and then click Create Secure Block Volume.
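After Security Advisor has created the resources, you may want to confirm that a volume actually meets the definition used on this page (encrypted with a customer-managed Vault key of the fixed 256-bit length). The following audit script is an added example, not part of the Oracle documentation; it parses the JSON that `oci bv volume list --output json` and `oci kms management key get` emit, but here the records are constructed inline with placeholder OCIDs so it runs offline.

```python
"""Audit volume records for the "secure block volume" property described above:
encrypted with a customer-managed Vault key that is ENABLED and AES-256.
All records and OCIDs below are constructed placeholders."""
import json

REQUIRED_KEY_BITS = 256  # Security Advisor fixes Key Shape: Length at 256 bits

# Constructed stand-in for `oci bv volume list` output (kebab-case fields as the CLI emits them).
# A null kms-key-id means the volume uses Oracle-managed encryption rather than a Vault key.
VOLUMES_JSON = json.dumps({"data": [
    {"id": "ocid1.volume.oc1..vol1", "display-name": "app-data",
     "kms-key-id": "ocid1.key.oc1..keyA", "size-in-gbs": 1024, "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1..vol2", "display-name": "scratch",
     "kms-key-id": None, "size-in-gbs": 50, "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1..vol3", "display-name": "legacy",
     "kms-key-id": "ocid1.key.oc1..keyB", "size-in-gbs": 200, "lifecycle-state": "AVAILABLE"},
]})

# Constructed stand-in for `oci kms management key get` results, keyed by key OCID.
# The KMS API expresses key-shape length in BYTES, so the 256-bit key this page creates has length 32.
KEYS = {
    "ocid1.key.oc1..keyA": {"lifecycle-state": "ENABLED", "key-shape": {"algorithm": "AES", "length": 32}},
    "ocid1.key.oc1..keyB": {"lifecycle-state": "ENABLED", "key-shape": {"algorithm": "AES", "length": 16}},
}

def audit_volumes(volumes_json: str, keys: dict) -> dict:
    """Return {volume-id: [findings]} for every volume that fails the secure-volume check."""
    findings = {}
    for vol in json.loads(volumes_json)["data"]:
        problems = []
        key_id = vol.get("kms-key-id")
        if not key_id:
            problems.append("encrypted with an Oracle-managed key, not a customer-managed Vault key")
        else:
            key = keys.get(key_id)
            if key is None:
                problems.append(f"key {key_id} not found or not readable")
            else:
                if key["lifecycle-state"] != "ENABLED":
                    problems.append(f"key {key_id} is {key['lifecycle-state']}")
                algo, bits = key["key-shape"]["algorithm"], key["key-shape"]["length"] * 8
                if algo != "AES" or bits < REQUIRED_KEY_BITS:
                    problems.append(f"key shape {algo}-{bits} is weaker than AES-{REQUIRED_KEY_BITS}")
        if problems:
            findings[vol["id"]] = problems
    return findings

if __name__ == "__main__":
    for vol_id, problems in audit_volumes(VOLUMES_JSON, KEYS).items():
        print(vol_id, *("  - " + p for p in problems), sep="\n")
```

With real data, feed the script the output of `oci bv volume list --compartment-id <OCID> --output json` and one `oci kms management key get` per distinct kms-key-id; a volume that appears in the findings does not satisfy the security zone requirement this page targets.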