Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable In-Transit Encryption

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that encryption of data in transit between the OCI instance, the boot volume, and the block volume(s) is enabled for all Oracle Cloud Infrastructure (OCI) compute instances in order to protect sensitive data from interception and maintain compliance with regulatory and organizational requirements.

Security

The data transmitted between the OCI compute instance and the associated disk volumes is delivered over a secure internal network. However, if you have specific compliance requirements related to the encryption of the data while in transit between the instance and the attached volumes, it is strongly recommended to enable in-transit encryption for all the disk volumes attached to your OCI compute instances.

The list of supported VM shapes and images are available here.

Audit

To determine if encryption of data in transit between the OCI instance and the attached volumes is enabled, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Instance information tab and check the In-transit encryption feature status, listed under Launch Options. If In-transit encryption is set to Disabled, the encryption of data in transit between the selected OCI instance and the attached disk volumes is not enabled.

07 Repeat steps no. 5 and 6 for each compute instance deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account: 

oci iam compartment list
	--all
	--query 'data[]."compartment-id"'

02 The command output should return the requested OCI compartment identifiers (IDs): 

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

03 Run compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list the ID of each compute instance available in the selected OCI compartment: 

oci compute instance list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--region 'ap-sydney-1'
	--all
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs: 

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run compute instance get command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to examine as the identifier parameter and custom output filters to describe the In-Transit Encryption feature status for the selected instance: 

oci compute instance get
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query '{"in-transit-encryption":data."launch-options"."is-pv-encryption-in-transit-enabled"}'

06 The command output should return the requested encryption feature status: 

{
	"in-transit-encryption": null
}

If the compute instance get command output returns null or false for "in-transit-encryption", the encryption of data in transit between the selected OCI instance and the attached disk volumes is not enabled.

07 Repeat steps no. 5 and 6 for each compute instance deployed in the selected OCI compartment.

08 Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To ensure that encryption of data in transit between the OCI instance and the attached volumes is enabled, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to configure.

06 Select More actions from the top menu, and choose Edit to change the instance configuration settings.

07 Choose Show advanced options, select the Launch options tab, check the Use in-transit encryption setting checkbox, and choose Save changes to apply the configuration changes. This will enable encryption of data in transit between the compute instance, the boot volume, and the block volume(s).

08 Repeat steps no. 5 - 7 for each compute instance that you want to configure, available within the selected OCI compartment.

Using OCI CLI

01 Run compute instance update command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to configure as the identifier parameter, to enable encryption of data in transit between the selected instance, the boot volume, and the attached block volume(s): 

oci compute instance update
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--launch-options '{"isPvEncryptionInTransitEnabled": true}'
	--query '{"in-transit-encryption":data."launch-options"."is-pv-encryption-in-transit-enabled"}'

02 The command output should return the In-Transit Encryption feature status for the modified compute instance: 

{
	"in-transit-encryption": true
}

03 Repeat steps no. 1 and 2 for each compute instance deployed to the selected OCI compartment.

04 Repeat steps no. 1 – 3 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

References

Publication date Mar 6, 2025

Related Compute rules