How to Use Your Own Encryption Key for Data Encryption in Oracle Cloud

I have recently been posting a series of step-by-step posts which enable you to create a compartment, create a keyvault, create an object storage bucket and access an object storage bucket. You can read these posts here:

Whilst these are, hopefully, useful posts standalone, they were really written to feed into this post about using your own encryption key for data encryption in Oracle Cloud. In this post, I will focus on securing Object Storage data with your own encryption key, but note that this content is still very relevant for other OCI services such as block, object or file storage, and for Oracle's platform solutions such as databases, analytics, etc.

By default, OCI/Oracle automatically manages the keys that are used to encrypt and secure your data on the OCI platform. This makes things a little simpler: you know your data is encrypted, so you don't need to worry about it. However, there may be requirements to use customer-managed encryption keys. We will explore how to do that in this post.


How is data encrypted in OCI?

If you would like to understand a brief overview of how data is encrypted in Oracle Cloud Infrastructure (OCI), this following post provides a useful overview: How Oracle Cloud Infrastructure (OCI) helps you protect data with default encryption

TLDR; Ultimately, OCI Object Storage encrypts data and metadata using "Data Encryption Keys" (DEKs), which are randomly generated keys that are themselves encrypted by "Master Encryption Keys" (MEKs).

This method of encryption is often referred to as “Envelope Encryption” and you can read more about it here: Envelope encryption

TLDR; Envelope Encryption is the practice of encrypting data with a data key, and then encrypting the data key with another key (e.g. a master key).
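To make the DEK/MEK relationship concrete, here is an added, self-contained illustration of the envelope pattern. It is not OCI's code and the symmetric primitive in it is an assumption for the sake of running offline: a counter-mode keystream from HMAC-SHA256 plus an HMAC tag, standing in for the AES that OCI Vault keys actually use. The Vault class, key id and sample object contents are likewise constructed. What the paragraph above does not show, and this does, is why the pattern matters operationally: rotating the MEK only requires re-wrapping the small DEK, the object ciphertext is never touched, and a tampered object fails to decrypt.

```python
import hashlib
import hmac
import secrets

# Added illustration of envelope encryption (not OCI's code). The symmetric
# primitive below is a stand-in built from HMAC-SHA256 so the example needs
# only the standard library: a counter-mode keystream for confidentiality and
# an HMAC tag (encrypt-then-MAC). OCI Vault keys are AES; real code should use
# AES-GCM from a vetted library. The envelope logic around it is the point.


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separated sub-keys so keystream and tag never share a key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce(16) || tag(32) || ciphertext."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class Vault:
    """Toy stand-in for a key management service holding master keys (MEKs).

    A MEK never leaves the vault: callers only ask it to wrap or unwrap a DEK.
    Each rotation appends a new key version; older versions stay available so
    DEKs wrapped under them can still be unwrapped.
    """

    def __init__(self) -> None:
        self._meks: dict[str, list[bytes]] = {}

    def create_key(self, key_id: str) -> None:
        self._meks[key_id] = [secrets.token_bytes(32)]

    def rotate_key(self, key_id: str) -> int:
        self._meks[key_id].append(secrets.token_bytes(32))
        return len(self._meks[key_id]) - 1  # new current version

    def wrap(self, key_id: str, dek: bytes) -> tuple[int, bytes]:
        versions = self._meks[key_id]
        current = len(versions) - 1
        return current, seal(versions[current], dek)

    def unwrap(self, key_id: str, version: int, wrapped: bytes) -> bytes:
        return unseal(self._meks[key_id][version], wrapped)


def put_object(vault: Vault, key_id: str, data: bytes) -> dict:
    """Encrypt one object: a fresh DEK per object, the DEK wrapped by the MEK."""
    dek = secrets.token_bytes(32)
    version, wrapped = vault.wrap(key_id, dek)
    return {
        "key_id": key_id,
        "mek_version": version,
        "wrapped_dek": wrapped,         # small: the only part touched by rotation
        "ciphertext": seal(dek, data),  # large: never re-encrypted on rotation
    }


def get_object(vault: Vault, obj: dict) -> bytes:
    dek = vault.unwrap(obj["key_id"], obj["mek_version"], obj["wrapped_dek"])
    return unseal(dek, obj["ciphertext"])


def rewrap(vault: Vault, obj: dict) -> dict:
    """After a MEK rotation, re-wrap the DEK under the newest MEK version.
    The object ciphertext is reused unchanged."""
    dek = vault.unwrap(obj["key_id"], obj["mek_version"], obj["wrapped_dek"])
    version, wrapped = vault.wrap(obj["key_id"], dek)
    return {**obj, "mek_version": version, "wrapped_dek": wrapped}


if __name__ == "__main__":
    v = Vault()
    v.create_key("asgdemo-mek")  # constructed key id
    stored = put_object(v, "asgdemo-mek", b"constructed sample object contents")
    v.rotate_key("asgdemo-mek")
    stored = rewrap(v, stored)
    print(get_object(v, stored))
```

The split between `wrapped_dek` and `ciphertext` is the whole reason the vault can rotate a MEK cheaply: the service re-wraps a 32-byte DEK per object rather than re-reading and re-encrypting every object.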

Securing an Object Storage Bucket with Customer-Managed Key

In Oracle Cloud Infrastructure (OCI) Object Storage, it is possible to enable the encryption of your buckets either at the time of provisioning or on existing buckets by using encryption keys that are managed in OCI Vault. In order to perform activities of this nature in the Oracle Cloud Console, you will need administrative permissions in Oracle Identity and Access Management (IAM) – these can be set using policies.


Creation of a New Bucket with Customer-Managed Key

To create a new Object Storage bucket encrypted with a customer-managed key, follow these steps:

Step 1: Log into your Oracle Cloud account (free tier is suitable)

Step 2: Follow the steps documented in my post, Creating a KeyVault in Oracle Cloud, to create a KeyVault.

Step 3: Follow the steps documented in my post, Creating a KeyVault in Oracle Cloud, to create a Master Encryption Key (MEK) in the newly created KeyVault.

Step 4: Log into your Oracle Cloud account (free tier is suitable)

Step 5: Click on the menu icon (often referred to as “Hamburger” or “Pancake Stack” icon)

Step 6: In order to enable the use of your customer-managed key in Object Storage, you need to add a policy (it will not be possible to select your key when creating/updating your bucket without setting the policy).

Click “Identity & Security” and then select “Policies”

Step 7: You will be presented with the policy management screen. Select the compartment in which you would like to create the policy. (If you haven’t got any compartments and you don’t want to use your root compartment, take a look at my post: Creating a Compartment in Oracle Cloud).

When you have selected the compartment that you want to create your policy in, click “Create Policy”

Step 8: Provide basic information for the creation of the policy, then add the policy itself (you can do this with the policy builder or by using the manual editor, as I have done in the screenshot below).

The policy added is: Allow service objectstorage-uk-london-1 to use keys in compartment asgdemo-compartment


Here I am providing blanket access for Object Storage to all keys in my compartment (in a non-demo environment I would recommend that you specify the exact key by including where target.key.id = <key_id>).

You will also note that I have qualified the Object Storage service name with the region; this is because Object Storage is a regional service, so you will need to qualify it with the region that you are working in. For other services (e.g. blockstorage) this is not necessary.

Once done, click “Create”

Step 9: Click on the menu icon (often referred to as the "Hamburger" or "Pancake Stack" icon), select "Storage" and then select "Buckets". We can now create a bucket with the key we created.

Step 10: You will be presented with the Bucket management screen. Select the compartment in which you would like to create a bucket (if you haven't got any compartments and you don't want to use your root compartment, take a look at my post: Creating a Compartment in Oracle Cloud).

When you have selected the compartment that you want to create your bucket in, click “Create Bucket”

Step 11: Provide basic information for the bucket creation, making sure that you scroll down to select "Encrypt using customer-managed key". Had we not set the policy in the previous step, we would not see the available keys in the list of values. Once done, click "Create".

Step 12: The bucket will be provisioned; click on the bucket name to access the bucket.

Step 13: You will be presented with the bucket details screen. Here you will be able to view the objects stored within the bucket.

Update an Existing Bucket with Customer-Managed Key

Step 1: Log into your Oracle Cloud account (free tier is suitable)

Step 2: Follow the steps documented in my post, Creating a KeyVault in Oracle Cloud, to create a KeyVault.

Step 3: Follow the steps documented in my post, Creating a KeyVault in Oracle Cloud, to create a Master Encryption Key (MEK) in the newly created KeyVault.

Step 4: Log into your Oracle Cloud account (free tier is suitable)

Step 5: Click on the menu icon (often referred to as “Hamburger” or “Pancake Stack” icon)

Step 6: In order to enable the use of your customer-managed key in Object Storage, you need to add a policy (it will not be possible to select your key when creating/updating your bucket without setting the policy).

Click “Identity & Security” and then select “Policies”

Step 7: You will be presented with the policy management screen. Select the compartment in which you would like to create the policy. (If you haven’t got any compartments and you don’t want to use your root compartment, take a look at my post: Creating a Compartment in Oracle Cloud).

When you have selected the compartment that you want to create your policy in, click “Create Policy”

Step 8: Provide basic information for the creation of the policy, then add the policy itself (you can do this with the policy builder or by using the manual editor, as I have done in the screenshot below).

The policy added is: Allow service objectstorage-uk-london-1 to use keys in compartment asgdemo-compartment


Here I am providing blanket access for Object Storage to all keys in my compartment (in a non-demo environment I would recommend that you specify the exact key by including where target.key.id = <key_id>).

You will also note that I have qualified the Object Storage service name with the region; this is because Object Storage is a regional service, so you will need to qualify it with the region that you are working in. For other services (e.g. blockstorage) this is not necessary.

Once done, click “Create”
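The two things Step 8 warns about, both here and in the bucket-creation walkthrough above, are that the Object Storage service name must carry the region and that a statement without a where clause grants use of every key in the compartment. As an added example (not OCI's tooling, and not part of the original post), here is a small lint for the single policy shape used in this post that flags both before the statement is pasted into the console, plus a helper that scopes a blanket statement to one key. The regular expression, the finding texts, the sample statements and the OCID placeholder are all constructed; the only statement taken from the post is the first sample.

```python
import re

# Added example, not OCI's tooling: a lint for the one policy shape used in
# this post, catching an unqualified regional service name and a blanket
# grant over every key in the compartment.

# Allow service <svc>[, <svc>...] to use keys in compartment <name> [where <condition>]
_STATEMENT = re.compile(
    r"^\s*allow\s+service\s+(?P<services>[\w-]+(?:\s*,\s*[\w-]+)*)"
    r"\s+to\s+use\s+keys\s+in\s+compartment\s+(?P<compartment>[\w.-]+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# Object Storage is regional and must be written objectstorage-<region>;
# blockstorage, per the post, needs no region suffix.
_REGIONAL = {"objectstorage"}

UNQUALIFIED = ("regional service '{svc}' must be qualified as {svc}-<region>, "
               "e.g. objectstorage-uk-london-1")
BLANKET = ("no 'where target.key.id = ...' condition: grants use of every key "
           "in the compartment")
UNPARSED = "statement does not match 'Allow service ... to use keys in compartment ...'"


def lint_statement(stmt: str) -> list[str]:
    """Return a list of findings; an empty list means the statement passed."""
    m = _STATEMENT.match(stmt)
    if not m:
        return [UNPARSED]
    findings = []
    for svc in re.split(r"\s*,\s*", m.group("services")):
        if svc.lower() in _REGIONAL:  # bare name, no "-<region>" suffix
            findings.append(UNQUALIFIED.format(svc=svc))
    condition = (m.group("condition") or "").lower()
    if "target.key.id" not in condition:
        findings.append(BLANKET)
    return findings


def harden_statement(stmt: str, key_ocid: str) -> str:
    """Scope a blanket statement to a single key (key_ocid is the MEK's OCID)."""
    m = _STATEMENT.match(stmt)
    if not m:
        raise ValueError(UNPARSED)
    if m.group("condition"):
        raise ValueError("statement already carries a condition; edit it by hand")
    return f"{stmt.strip()} where target.key.id = '{key_ocid}'"


# Constructed sample statements; the first is the one used in the post.
# The OCID is a placeholder, not a real key id.
SAMPLES = [
    "Allow service objectstorage-uk-london-1 to use keys in compartment asgdemo-compartment",
    "Allow service objectstorage to use keys in compartment asgdemo-compartment",
    "Allow service blockstorage to use keys in compartment asgdemo-compartment",
    "Allow service objectstorage-uk-london-1 to use keys in compartment asgdemo-compartment "
    "where target.key.id = 'ocid1.key.oc1.uk-london-1.PLACEHOLDER'",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s)
        for f in lint_statement(s) or ["ok"]:
            print("  -", f)
```

Run as a script it prints one finding per sample; only the last, key-scoped statement passes cleanly. The lint deliberately understands just this statement form, so anything else (a group grant, a different verb) is reported as unparsed rather than silently passed.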

Step 9: Click on the menu icon (often referred to as the "Hamburger" or "Pancake Stack" icon), select "Storage" and then select "Buckets". We can now update a bucket with the key we created.

Step 10: You will be presented with the Bucket management screen. Select the compartment in which you would like to update a bucket (if you haven't got any compartments and you don't want to use your root compartment, take a look at my post: Creating a Compartment in Oracle Cloud).

When you have selected the compartment, select the "3-dot" / "Kebab" icon next to the bucket that you want to update and click "View Bucket Details".

Step 11: You will be presented with the bucket details screen. Here you will be able to view the objects stored within the bucket and edit the bucket. The details will list the encryption key in use; for this bucket you will see that I have an "Oracle Managed Key". Click "Assign".

Step 12: Now you can select the key that we created in earlier steps and click “Assign”. This is available due to the policies that we set in earlier steps.

Step 13: Now you can see that the bucket is using a customer-managed key.

Should you Choose to Encrypt Data in OCI with your own Key?

This is a decision that can only be made with a full understanding of the environment and requirements with which you are working. Data encryption mechanisms can be a complex topic to understand deeply and therefore, introducing customer-managed encryption mechanisms will add an additional layer of complexity to your implementation. Not least, opting for customer-managed keys will introduce a level of operational overhead which needs to be carefully managed, governed and controlled.

When deciding to introduce customer-managed keys, remember to consider all aspects including the efforts needed for management of the keys, rotation of the keys, storage of the keys, key policies, etc.

This is not to say that you shouldn't opt to manage your own keys; I am only urging you to assess carefully whether it is needed, given the robust out-of-the-box default capabilities that Oracle Cloud Infrastructure provides. Clearly there might be a factor which enforces the need to manage your own keys, e.g. regulatory compliance in a regulated sector such as banking.


Note 1: The details in this post assume that you already have an Oracle Cloud free tier (or upgraded!) account. If you don't, you can get one here.
Note 2: Given the regular release schedule in Oracle Cloud, it is possible that the screens may change somewhat after the writing of this post. If this happens, please comment on this post and I will try to help you out (and update this post!).
