Use full-disk encryption (FDE)

When an instance is launched on Oracle Cloud, its disk (the “boot volume”) is encrypted by default using an Oracle-managed key. Disk encryption is enabled by default and cannot be turned off. Any other disks added to expand an instance’s storage are also encrypted by default.

If needed, you can also use your own key to encrypt the disks, as described in this guide.

Prerequisites

You’ll need:

  • a compartment to create the instance in.

  • (optional) a Virtual Cloud Network (VCN) to create the instance in. If you don’t have one already, you can create a new VCN when you create the instance.

  • a vault with encryption keys to use for boot volume encryption. This is only necessary if you wish to use your own encryption key for FDE.

Create an instance with personalised FDE

While creating a new instance using Compute > Instances > Create instance, under Image and shape select Change image > Ubuntu. Then choose the desired Ubuntu release and image build.

An Oracle-managed key is used by default to encrypt the boot volume. To use your own key, under the advanced options in Boot volume select Encrypt this volume with a key that you manage and follow the instructions in Oracle’s documentation about using your own keys.

[Image: Boot volume advanced options showing the “Encrypt this volume with a key that you manage” setting]

Additionally, if you enable Use in-transit encryption, the data moving between the instance and the block volume will also be encrypted.

Change the encryption key (optional)

The encryption key for a boot volume can also be changed after the volume has been created. To do that, navigate to the instance details page and, under Resources, select Boot volume. From the list of available boot volumes, open the details of the one that you want to modify. It should look similar to:

[Image: Boot volume details page showing the Encryption key field]

Locate Encryption key, select Edit or Assign (the label depends on whether a key is already assigned to the volume) and enter the details of the new key.

For more options on how to do this, refer to Oracle’s documentation for editing a block volume’s key.
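Once keys have been assigned through the console, it is worth checking which boot volumes in a compartment actually use a key you manage and which are still on the Oracle-managed default. The following script is an added example, not part of this guide or of Oracle’s tooling; it assumes the JSON shape the OCI CLI prints for `oci bv boot-volume list` (kebab-case keys such as `kms-key-id`), and the volume records and OCIDs it processes are constructed samples.

```python
"""Audit Oracle Cloud boot volume records for their FDE key setting.

Added example (not from the original guide). Assumes the OCI CLI JSON
layout for `oci bv boot-volume list --compartment-id <ocid> --output json`,
where a null "kms-key-id" means the Oracle-managed default key is in use.
"""
import json

# Constructed sample output: three boot volumes in one compartment.
SAMPLE_CLI_OUTPUT = json.dumps({
    "data": [
        {"id": "ocid1.bootvolume.oc1..EXAMPLE-web01",
         "display-name": "web-01 (Boot Volume)",
         "lifecycle-state": "AVAILABLE",
         "kms-key-id": None},                                   # default key
        {"id": "ocid1.bootvolume.oc1..EXAMPLE-db01",
         "display-name": "db-01 (Boot Volume)",
         "lifecycle-state": "AVAILABLE",
         "kms-key-id": "ocid1.key.oc1..EXAMPLE-approved"},      # your vault key
        {"id": "ocid1.bootvolume.oc1..EXAMPLE-old01",
         "display-name": "old-01 (Boot Volume)",
         "lifecycle-state": "AVAILABLE",
         "kms-key-id": "ocid1.key.oc1..EXAMPLE-retired"},       # key not on the allow list
    ]
})

# Constructed allow list: the key OCIDs from the vault you intend to use.
APPROVED_KEYS = {"ocid1.key.oc1..EXAMPLE-approved"}


def audit_boot_volumes(cli_json, approved_keys):
    """Sort boot volumes by key ownership.

    Encryption is always on; the question is *which* key protects each
    volume. Returns a dict with three lists of volume OCIDs:
      "oracle_managed"  - null kms-key-id, i.e. still on the default key
      "approved"        - customer-managed key from the allow list
      "unexpected_key"  - customer-managed key that is not on the allow list
    """
    result = {"oracle_managed": [], "approved": [], "unexpected_key": []}
    for vol in json.loads(cli_json)["data"]:
        key = vol.get("kms-key-id")
        if not key:
            result["oracle_managed"].append(vol["id"])
        elif key in approved_keys:
            result["approved"].append(vol["id"])
        else:
            result["unexpected_key"].append(vol["id"])
    return result


if __name__ == "__main__":
    for status, ids in audit_boot_volumes(SAMPLE_CLI_OUTPUT, APPROVED_KEYS).items():
        for vid in ids:
            print(f"{status:15} {vid}")
```

Volumes listed under `oracle_managed` or `unexpected_key` are the ones to re-key through the Edit or Assign step above.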

Further references

For more information about encryption on Oracle Cloud, refer to the Oracle Cloud documentation: