Using Your Own Master Key with Roving Edge Infrastructure Devices
Learn how to set up a user-provided KMS-based master key to manage secret information on Roving Edge Infrastructure devices.
Important
For Roving Edge devices that are self-provisioned, you manage the master key passphrase, all passwords, and the recovery key. Store the passphrase, passwords, and recovery key in a secure place such as OCI Vault. If you forget the unlock passphrase and the recovery key, Oracle can't help you recover the device, and the device must be replaced.
On older Roving Edge devices (devices provisioned by Oracle), Oracle manages secret information on your Roving Edge Infrastructure devices, such as the superuser passphrase and unlock password, using a KMS-based master key. Oracle also uses a hardware security module to further protect this data. However, as an alternative to relying on Oracle's master key to manage this secret data, you can provide your own KMS-based master key from your own OCI tenancy.
Note
You can only provide your own master key when creating the node resource. You can't edit an existing node resource to use your own master key if the resource was originally created using an Oracle-provided master key.
Writing the Master Key Policy
To use your own master key, you must first write a policy that authorizes this capability
using one of the following methods:
Using the Oracle Cloud Infrastructure Console:
Create the following policy:
allow service rover to use keys in compartment ID compartment-id where target.key.id = master-key-id
where master-key-id is the OCID of the master key in the customer tenancy that is used to encrypt customer secret information such as the superuser password and unlock passphrase. For example:
allow service rover to use keys in compartment ID compartment-id where target.key.id = 'ocid1.key.region1..exampleuniqueID'
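As an added check (example code written for this page, not part of Oracle's documentation or tooling), the following Python renders the policy statement above from the two OCIDs and audits an existing statement for being broader than the form shown here, such as a missing target.key.id condition that would let the rover service use every key in the compartment. The OCID shape check assumes the general ocid1.<type>.<realm>.[region]..<id> layout, and the compartment and key OCIDs used in the test are constructed placeholders.

```python
import re

# OCID shape: ocid1.<type>.<realm>.[region][.future use].<unique id>
# (assumed general layout; the realm/region fields are not validated)
_OCID_RE = re.compile(r"^ocid1\.(?P<type>[a-z]+)(?:\.[A-Za-z0-9-]*){3,4}$")

# "allow service rover to <verb> <resource> in compartment ID <ocid> [where <cond>]"
_POLICY_RE = re.compile(
    r"^allow\s+service\s+rover\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+compartment\s+id\s+(?P<compartment>\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)


def ocid_type(ocid: str) -> str:
    """Return the resource type encoded in an OCID, or raise ValueError."""
    m = _OCID_RE.match(ocid)
    if not m or ocid.endswith("."):
        raise ValueError(f"not a well-formed OCID: {ocid!r}")
    return m.group("type")


def build_rover_key_policy(compartment_ocid: str, key_ocid: str) -> str:
    """Render the page's policy statement after checking both OCID types."""
    if ocid_type(compartment_ocid) != "compartment":
        raise ValueError("compartment OCID expected for the policy scope")
    if ocid_type(key_ocid) != "key":
        raise ValueError("master key OCID expected for target.key.id")
    return (f"allow service rover to use keys in compartment ID {compartment_ocid} "
            f"where target.key.id = '{key_ocid}'")


def audit_rover_key_policy(statement: str, expected_key_ocid: str) -> list[str]:
    """Return findings where a rover key policy is broader than the page's form."""
    m = _POLICY_RE.match(statement.strip())
    if not m:
        return ["statement is not an 'allow service rover ...' policy"]
    findings = []
    if m.group("verb").lower() != "use":
        findings.append(f"verb '{m.group('verb')}' is broader than 'use'")
    if m.group("resource").lower() != "keys":
        findings.append(f"resource '{m.group('resource')}' is broader than 'keys'")
    cond = m.group("cond")
    if not cond:
        findings.append("no 'where target.key.id' condition: every key in the compartment is usable")
        return findings
    km = re.fullmatch(r"target\.key\.id\s*=\s*'?([^']+)'?", cond.strip(), re.IGNORECASE)
    if not km:
        findings.append("condition does not pin target.key.id")
    elif km.group(1) != expected_key_ocid:
        findings.append("condition pins a different key than expected")
    return findings
```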
After you write the policy, select your vault and master key and the compartments in which
they reside using one of the following methods:
Using the Oracle Cloud Infrastructure Console:
When you create a Roving Edge Infrastructure node resource using the Create dialog box within the Oracle Cloud Infrastructure Console, the Encryption Key section appears. Here you can select one of the following options:
Encrypt using Oracle-managed keys: Choose to have key
encryption managed by the Oracle Cloud Infrastructure service. No
further action is required.
Encrypt using customer managed keys: Choose to provide your
own encryption key.
If you choose to provide your own key, the Encryption Key section displays the
additional fields:
Vault Compartment: Select the compartment containing the
vault you want from the list.
Vault: Select one of the vaults from the list contained
within the vault compartment you previously chose.
Master Encryption Key Compartment: Select the
compartment containing the master encryption key you want from the list.
Master Encryption Key: Select one of the master encryption keys from the list within the master encryption key compartment you previously chose.
Using the CLI:
Include the master-key-id option when you create the Roving Edge Infrastructure node resource. For example: