Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Lustre File Systems Encrypted with Customer-Managed Keys

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: OCI-FileStorage-010

Ensure that your Oracle Cloud Infrastructure (OCI) Lustre file systems are encrypted with Customer-Managed Keys (CMKs) instead of Oracle-managed keys (i.e. default keys used by OCI for encryption at rest) in order to have a more granular control over your data encryption and decryption process.

Security

In Oracle Cloud Infrastructure (OCI), encryption at rest protects your Lustre file systems and assists in fulfilling your organization's security and compliance requirements. By default, the File Storage with Lustre service encrypts all file system data at rest by using the Advanced Encryption Standard (AES) algorithm with 256-bit keys. The encryption process uses Oracle-managed keys, also known as service-managed keys. However, to meet stringent regulatory standards, you can bring your own keys (i.e. Customer-Managed Keys) in order to fully control who can use the encryption keys and access the encrypted data.

Audit

To determine if your Oracle Cloud Infrastructure (OCI) Lustre file systems are encrypted using Customer-Managed Keys (CMKs), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Lustre File Storage console available at https://cloud.oracle.com/lfs/.

  3. In the left navigation panel, choose Lustre file systems, and select an OCI compartment from the Compartment dropdown menu, to list the Lustre file systems provisioned in that compartment.

  4. Click on the name (link) of the Lustre file system that you want to examine, listed in the Name column.

  5. Select the Lustre file system information tab, and check the Encryption key attribute value, listed in the Encryption key section. If Encryption key is set to Oracle-managed key, encryption at rest using Customer-Managed Keys (CMKs) is not enabled for the selected Oracle Cloud Infrastructure (OCI) Lustre file system.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run lfs lustre-file-system-collection list-lustre-file-systems command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Lustre file system provisioned in the selected OCI compartment:

    oci lfs lustre-file-system-collection list-lustre-file-systems
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--availability-domain 'ABCD:AP-SYDNEY-1-AD-1'
	--all
	--query 'data."items"[]."id"'

  4. The command output should return the requested file system IDs:

    [
	"ocid1.lustrefilesystem.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.lustrefilesystem.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run lfs lustre-file-system get command (Windows/macOS/Linux) with the name of the Lustre file system that you want to examine as the identifier parameter and custom output filters to determine if encryption at rest using Customer-Managed Keys (CMKs) is enabled for the selected file system:

    oci lfs lustre-file-system get
	--lustre-file-system-id 'ocid1.lustrefilesystem.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data.{"kms-key-id":"kms-key-id"}'

  6. The command output should return the ID of the Customer-Managed Key (CMK) configured for the selected file system:

    {
	"kms-key-id": null
}

    If the lfs lustre-file-system get command output returns null for the "kms-key-id" attribute value, as shown in the output example above, encryption at rest using Customer-Managed Keys (CMKs) is not enabled for the selected Oracle Cloud Infrastructure (OCI) Lustre file system.

Remediation / Resolution

To enable encryption at rest for your Oracle Cloud Infrastructure (OCI) Lustre file systems using Customer-Managed Keys (CMKs), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms.

  3. In the left navigation panel, choose Vault, and select the OCI compartment where you want to deploy the new Vault, from the Compartment dropdown menu.

  4. Choose Create Vault and perform the following actions to create the OCI Vault that will store your new Customer-Managed Key (CMK):

    1. For Create in Compartment, select the appropriate OCI compartment.
    2. For Name, enter a unique name for the new Vault.
    3. (Optional) Check the Make it a virtual private vault setting checkbox if you want a dedicated partition in a Hardware Security Module (HSM).
    4. (Optional) Choose Show advanced options and use the Tag key and Tag value fields to improve resource management by adding tags.
    5. Choose Create Vault to deploy your new OCI Vault.

  5. Once the Vault deployment is complete, click on the name (link) of the new OCI Vault instance, listed in the Name column.

  6. In the Resources navigation panel, select Master Encryption Keys, choose Create Key, and perform the following actions to create the Customer-Managed Key (CMK) required for file system encryption:

    1. For Create in Compartment, select the appropriate OCI compartment.
    2. For Protection Mode, choose the suitable protection mode for your key. The protection mode indicates how the key persists and where cryptographic operations that use the key are performed. Choose HSM to store and process the key on a Hardware Security Module (recommended for use cases with stringent compliance requirements) or Software to store and process the key on a server (recommended for most use cases). For more details about key protection modes, see the OCI official documentation.
    3. For Name, enter a unique name for the new encryption key.
    4. For Key Shape: Algorithm and Key Shape: Length, choose AES (Symmetric key used for Encrypt and Decrypt) with 256 bits.
    5. (Optional) Choose Show advanced options and use the Tag key and Tag value fields to add tags to organize your resource.
    6. Choose Create Key to generate your new encryption key.

  7. Once your new Customer-Managed Key (CMK) is available, navigate to Lustre File Storage console available at https://cloud.oracle.com/lfs/.

  8. In the left navigation panel, choose Lustre file systems, and select an OCI compartment from the Compartment dropdown menu, to list the Lustre file systems provisioned in that compartment.

  9. Click on the name (link) of the Lustre file system that you want to configure, listed in the Name column.

  10. Select More actions from the page top menu, choose Edit encryption key, and provide the following information:

    1. Choose Encrypt using customer-managed keys.
    2. For Vault in \<compartment-name\>, select the name of the OCI Vault created in step no. 4.
    3. For Encryption key in \, select the name of the Customer-Managed Key created in step no. 6.
    4. Choose Update to apply the Customer-Managed Key (CMK) key to your Lustre file system.

Using OCI CLI

  1. Run kms management vault create command (Windows/macOS/Linux) to create the OCI Vault that will store your new KMS Customer-Managed Key (CMK):

    oci kms management vault create
	--display-name 'cc-project5-oci-vault'
	--vault-type 'DEFAULT'
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'

  2. The command output should return the configuration information available for the new OCI Vault:

    {
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"crypto-endpoint": null,
		"defined-tags": {},
		"display-name": "cc-project5-oci-vault",
		"external-key-manager-metadata-summary": null,
		"freeform-tags": {},
		"id": "ocid1.vault.oc1.ap-sydney-1.abcd1234abcda.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"is-primary": true,
		"is-vault-replicable": null,
		"lifecycle-state": "CREATING",
		"management-endpoint": null,
		"replica-details": null,
		"restored-from-vault-id": null,
		"time-of-deletion": null,
		"vault-type": "DEFAULT",
		"wrappingkey-id": ""
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234"
}

  3. Run kms management vault get command (Windows/macOS/Linux) to describe the management endpoint configured for the OCI Vault created in the previous steps:

    oci kms management vault get
	--vault-id 'ocid1.vault.oc1.ap-sydney-1.abcd1234abcda.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--query 'data."management-endpoint"'

  4. The command output should return the URL of the management endpoint configured for the selected Vault:

    "https://abcd1234abcda-management.kms.ap-sydney-1.oraclecloud.com"

  5. Run kms management key create command (Windows/macOS/Linux) to create a new KMS Customer-Managed Key (CMK) for your OCI Vault. For --key-shape parameter, specify the key shape algorithm and length. For --protection-mode parameter, specify the suitable protection mode for your key. For the --endpoint parameter, specify the OCI Vault management endpoint returned in the previous step:

    oci kms management key create
	--display-name 'cc-project5-kms-key'
	--key-shape '{"algorithm":"AES","length":32}'
	--protection-mode 'SOFTWARE'
	--endpoint 'https://abcd1234abcda-management.kms.ap-sydney-1.oraclecloud.com'
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data."id"'

  6. The command output should return the configuration information available for the new KMS key:

    "ocid1.key.oc1.ap-sydney-1.abcd1234abcda.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"

  7. Run lfs lustre-file-system update command (Windows/macOS/Linux) with the name of the Lustre file system that you want to configure as the identifier parameter, to enable encryption at rest with KMS Customer-Managed Keys (CMKs) for the selected file system. For the --kms-key-id parameter, specify the ID of your Customer-Managed Key, returned in the previous step:

    oci lfs lustre-file-system update
	--lustre-file-system-id 'ocid1.lustrefilesystem.oc1.ap_sydney_1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--kms-key-id 'ocid1.key.oc1.ap-sydney-1.abcd1234abcda.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'

  8. The command output should return the configuration information available for the modified file system:

    {
	"data": {
		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
		"capacity-in-gbs": 31200,
		"cluster-placement-group-id": null,
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {},
		"display-name": "cc-project5-lustrefs",
		"file-system-description": null,
		"file-system-name": "lustrefs",
		"freeform-tags": {},
		"id": "ocid1.lustrefilesystem.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"kms-key-id": "ocid1.key.oc1.ap-sydney-1.abcd1234abcda.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"lifecycle-details": null,
		"lifecycle-state": "CREATING",
		"lnet": null,
		"maintenance-window": null,
		"major-version": "2.15",
		"management-service-address": null,
		"nsg-ids": [
		"ocid1.networksecuritygroup.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
		],
		"performance-tier": "MBPS_PER_TB_125",
		"root-squash-configuration": {
		"client-exceptions": null,
		"identity-squash": "NONE",
		"squash-gid": null,
		"squash-uid": null
		},
		"subnet-id": "ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"system-tags": {},
		"time-billing-cycle-end": null,
		"time-created": "2025-11-07T17:09:40.274000+00:00",
		"time-updated": "2025-11-07T17:09:54.201000+00:00"
	}
}

References

Publication date Nov 12, 2025

Related OCI-FileStorage rules