---
title: >-
  Block storage boot volumes should be encrypted with a Customer Managed Key
  (CMK)
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Block storage boot volumes should be
  encrypted with a Customer Managed Key (CMK)
---

# Block storage boot volumes should be encrypted with a Customer Managed Key (CMK)
## Description{% #description %}

Oracle Cloud Infrastructure (OCI) block storage boot volumes should be encrypted with a Customer Managed Key (CMK) to provide enhanced security and control over encryption key lifecycle management. By default, block storage boot volumes are encrypted with Oracle-managed keys, but using Customer Managed Keys provides additional security benefits including key rotation control, access logging, and the ability to disable keys when needed.

This rule checks the `kms_key_id` configuration of OCI block storage boot volumes and fails when block storage boot volumes are not configured with a Customer Managed Key.
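The check above, written out as an added example (not Datadog's rule code): it evaluates boot-volume records the way the rule does, treating a missing, null or empty `kms_key_id` as Oracle-managed encryption. The record shape follows the hyphenated JSON of the OCI CLI's `oci bv boot-volume list` output, which is an assumption here, and the volumes are constructed sample data.

```python
"""Evaluate OCI boot-volume records against the CMK-encryption rule.

Added example, not Datadog's implementation. Record field names follow the
OCI CLI's hyphenated JSON output (assumed); the records are constructed.
"""
import json

# Constructed sample: one CMK-encrypted volume, two without a key, one terminated.
SAMPLE_BOOT_VOLUMES = json.loads("""
{
  "data": [
    {"id": "ocid1.bootvolume.oc1.phx.aaaa1", "display-name": "web-01-boot",
     "lifecycle-state": "AVAILABLE", "kms-key-id": null},
    {"id": "ocid1.bootvolume.oc1.phx.aaaa2", "display-name": "db-01-boot",
     "lifecycle-state": "AVAILABLE",
     "kms-key-id": "ocid1.key.oc1.phx.examplevault.examplekey"},
    {"id": "ocid1.bootvolume.oc1.phx.aaaa3", "display-name": "bastion-boot",
     "lifecycle-state": "AVAILABLE", "kms-key-id": ""},
    {"id": "ocid1.bootvolume.oc1.phx.aaaa4", "display-name": "old-boot",
     "lifecycle-state": "TERMINATED", "kms-key-id": null}
  ]
}
""")


def evaluate_boot_volume(volume):
    """Return (status, reason) for one record: 'pass', 'fail' or 'skip'."""
    if volume.get("lifecycle-state") == "TERMINATED":
        return "skip", "volume no longer exists"
    key_id = volume.get("kms-key-id")
    # None and "" both mean the volume uses the Oracle-managed key.
    if not key_id:
        return "fail", "no Customer Managed Key configured (Oracle-managed key in use)"
    # Vault keys carry the ocid1.key. prefix; anything else is not a CMK reference.
    if not key_id.startswith("ocid1.key."):
        return "fail", f"kms-key-id is not a Vault key OCID: {key_id}"
    return "pass", f"encrypted with CMK {key_id}"


def evaluate_listing(listing):
    """Map each boot-volume OCID in a CLI listing to its (status, reason)."""
    return {vol["id"]: evaluate_boot_volume(vol) for vol in listing["data"]}


def failing_volumes(listing):
    """Sorted OCIDs of volumes that would fail the rule."""
    return sorted(vid for vid, (status, _) in evaluate_listing(listing).items()
                  if status == "fail")


if __name__ == "__main__":
    for vid, (status, reason) in evaluate_listing(SAMPLE_BOOT_VOLUMES).items():
        print(f"{status:4} {vid}: {reason}")
```

Pointing the script at real `oci bv boot-volume list --compartment-id ... --availability-domain ...` output gives the same pass/fail breakdown the rule reports.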

## Remediation{% #remediation %}

To configure your OCI block storage boot volume with CMK encryption, specify a valid `kms_key_id` that references a key in the Oracle Cloud Infrastructure Vault service. For guidance on configuring block storage boot volume encryption with CMKs, refer to the [Block Volume Encryption](https://docs.oracle.com/iaas/Content/Block/Concepts/blockvolumeencryption.htm) section of the Oracle Cloud Infrastructure Documentation.
