Updating File System Encryption

File Storage with Lustre file systems use Oracle-managed keys to encrypt a file system by default, which leaves all encryption-related matters to Oracle. Optionally, you can encrypt the data in a file system using your own Vault encryption key.

To encrypt a file system with your own key, ensure that you have at least one vault and key in the Vault service. For more information, see Overview of Vault.

Caution

Be sure to back up vaults and keys. Deleting a vault and key otherwise means losing the ability to decrypt any resource or data that the key was used to encrypt. For more information, see Backing Up and Restoring Vaults and Keys.

Required IAM Policy

File systems encrypted using your own key require the ability to read keys stored in Vault. File Storage with Lustre uses service principals to grant access to the Vault key.

Create IAM policies that give the services and users access to Vault keys:

allow service blockstorage to use keys in compartment <key_compartment_name> where target.key.id='<OCID_of_key>'
allow service lustrefs to use key-delegate in compartment <key_compartment_name> where target.key.id='<OCID_of_key>'
allow service lustrefs to read keys in compartment <key_compartment_name> where target.key.id='<OCID_of_key>'
allow group <user-group> to use key-delegate in compartment <key_compartment_name> where target.key.id='<OCID_of_key>'

For more information, see File Storage with Lustre Policies.

  • In the Console:
    1. On the Lustre file systems list page, find the file system that you want to work with. If you need help finding the list page, see Listing File Systems.
    2. From the Actions menu for the file system, select Edit encryption key.
    3. In the Edit encryption key panel, select how keys encrypting the file system are managed.
      • Use Oracle-managed keys: Select this option to leave all encryption-related matters to Oracle.
      • Use customer-managed keys: Select this option to encrypt the file system using a key of your own that's stored in OCI Vault. This lets you rotate, disable, and delete it as needed. After selecting this option, select the vault that contains the key, and the key itself.
    4. Select Update.
  • Use the oci lfs lustre-file-system update command and the --kms-key-id parameter to update a file system's encryption method:

    oci lfs lustre-file-system update --kms-key-id <encryption_key_OCID>

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the UpdateLustreFileSystem operation with the kmsKeyId attribute to update a file system's encryption method.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
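The following script is an added example, not part of the Oracle documentation or the OCI CLI itself. It wraps the CLI step above so that a key change is not treated as done until the file system reports the requested key and has returned to the ACTIVE state. It assumes the update and get subcommands take `--lustre-file-system-id` and that the get output uses the CLI's usual kebab-case JSON fields (`kms-key-id`, `lifecycle-state`) and an `ACTIVE` lifecycle state; confirm these against the CLI Command Reference. The JSON sample used by the self-check is constructed.

```shell
#!/bin/sh
# Added example: switch a File Storage with Lustre file system to a
# customer-managed Vault key and verify the result. Not Oracle's code.
# Assumed (check the CLI Command Reference): --lustre-file-system-id,
# the "get" subcommand, and JSON fields kms-key-id / lifecycle-state.

# Reject anything that is not a Vault key OCID before it reaches the CLI.
is_key_ocid() {
    case "$1" in
        ocid1.key.oc1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one string-valued field from CLI JSON on stdin (no jq required).
# $1 = field name, e.g. kms-key-id
json_field() {
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# True when the JSON on stdin reports exactly the key we asked for.
verify_kms_key_id() {
    # $1 = expected key OCID
    actual=$(json_field kms-key-id)
    [ "$actual" = "$1" ]
}

# Poll until the file system is ACTIVE again (assumed state name), up to ~10 min.
wait_active() {
    fs_id="$1"; tries=0
    while [ "$tries" -lt 60 ]; do
        state=$(oci lfs lustre-file-system get \
                    --lustre-file-system-id "$fs_id" | json_field lifecycle-state)
        [ "$state" = "ACTIVE" ] && return 0
        tries=$((tries + 1)); sleep 10
    done
    echo "file system $fs_id did not return to ACTIVE" >&2
    return 1
}

# Apply the key, wait for the update to settle, then confirm the key took effect.
update_and_verify() {
    fs_id="$1"; key_id="$2"
    is_key_ocid "$key_id" || { echo "not a Vault key OCID: $key_id" >&2; return 1; }
    oci lfs lustre-file-system update \
        --lustre-file-system-id "$fs_id" \
        --kms-key-id "$key_id" >/dev/null || return 1
    wait_active "$fs_id" || return 1
    oci lfs lustre-file-system get --lustre-file-system-id "$fs_id" \
        | verify_kms_key_id "$key_id"
}

# Constructed sample of a get response, used only to exercise the parsing.
SAMPLE_JSON='{"data": {"kms-key-id": "ocid1.key.oc1.iad.example", "lifecycle-state": "ACTIVE"}}'

# Offline self-check of the helpers; returns 0 when they behave as expected.
selfcheck() {
    printf '%s' "$SAMPLE_JSON" | verify_kms_key_id "ocid1.key.oc1.iad.example" || return 1
    if printf '%s' "$SAMPLE_JSON" | verify_kms_key_id "ocid1.key.oc1.iad.other"; then return 1; fi
    is_key_ocid "ocid1.key.oc1.iad.example" || return 1
    if is_key_ocid "ocid1.vault.oc1.iad.example"; then return 1; fi
    return 0
}

# Usage: ./update-key.sh <lustre_file_system_OCID> <encryption_key_OCID>
if [ "$#" -eq 2 ]; then
    update_and_verify "$1" "$2"
fi
```

Run `selfcheck` to confirm the parsing helpers before pointing the script at a real file system. The final `get` matters: a successful `update` call only means the request was accepted, so the key reported back by the service is what you record as evidence that the file system is now under your own key.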