Have greater control over the security of your logs in Oracle Logging Analytics

November 15, 2022 | 3 minute read
Mamatha Srinath
Consulting User Assistance Developer

Oracle Logging Analytics has a well-established and trusted system for the security of log data, whether it is in transit or at rest. With the enablement of customer-provided encryption keys, you can play an active role in securing your logs and ensure that sensitive data remains protected. When you bring your own master key for encryption, OCI Vault provides a comprehensive key management system in which keys can be created and rotated as needed. Vault lets you securely store master encryption keys and secrets that might otherwise be stored in configuration files or in code.

Typically, the log data managed by Oracle Logging Analytics is stored internally in OCI Block Volume and Object Storage and is encrypted with OCI-managed master encryption keys. Harnessing the additional security features provided by OCI, Oracle Logging Analytics enables the use of an encryption key stored in OCI Vault to encrypt logs. The master key in the Vault is used to encrypt the Data Encryption Key (DEK), which in turn is used for log data encryption. The DEK is randomly generated.

Figure 1: Use Master Encryption Key stored in the Vault to encrypt data


Have questions about encrypting logs with your own encryption key? See the FAQ below.


How to create encryption keys in OCI Vault

OCI Vault is a key management service that stores and manages master encryption keys and secrets for secure access to resources. The key encryption algorithms that the Vault service supports include the Advanced Encryption Standard (AES), the Rivest-Shamir-Adleman (RSA) algorithm, and the Elliptic Curve Digital Signature Algorithm (ECDSA). For use with Oracle Logging Analytics, create AES-256 symmetric keys for encryption and decryption.

Figure 2: Use Vault to create and manage your Master Encryption Key


Using OCI Vault, you can manage vaults, keys and secrets. From time to time, the master encryption key can be rotated.


How to request use of encryption keys in Oracle Logging Analytics

Contact Oracle Support. After the required dedicated resources are created, call the POST API /namespaces/{namespaceName}/storage/actions/assignEncryptionKey and provide the key information. See Logging Analytics API Reference and Endpoints.


How logs are kept separate for encryption

Once you request encryption with your own keys, Oracle creates a dedicated block volume or Object Storage bucket sized to your log data. This ensures that the data is separated and can be selectively encrypted.


Encrypt both active and archived logs

When the feature is enabled, choose to apply the encryption key to block volumes for active data, to Object Storage for archival data, or to both.

Ensure that the required IAM policy statements are created for key management, accessing data from dedicated resources, and allowing Oracle Logging Analytics to use the encryption key on logs. See Logging Analytics Documentation: Allow the Use of Customer-Provided Keys for Encrypting Logs.


Reverting to OCI-managed encryption after the feature is enabled

Contact Oracle Support to disable or re-enable the feature.


Will the older logs be encrypted with the new encryption key?

No. After the feature is enabled, the new encryption key is applied only to the logs stored in the new dedicated storage. Older log data, which resides in a different location, will continue to be encrypted with OCI-managed encryption keys.


Hope this answers any questions about the new security feature offered by Oracle Logging Analytics. Contact Oracle Support to enable the use of your own encryption keys!


Resources

• Oracle Cloud Infrastructure Documentation: Security of Your Logs in Logging Analytics
• Oracle Cloud Infrastructure Documentation: Object Storage - Using Your Own Keys in Vault for Server-Side Encryption
• Oracle Cloud Infrastructure Documentation: Block Volume Encryption
• Oracle Cloud Infrastructure Documentation: Vault
• Oracle Cloud Infrastructure Documentation: Managing Keys

Mamatha Srinath

Consulting User Assistance Developer

As a User Assistance Developer at Oracle for enterprise and cloud manageability offerings, Mamatha creates customer-facing technical artifacts. She brings together diverse experiences from her past roles like Marketing Engineer, Embedded Systems Developer, Creative Head, and Consultant to her current role and the power of creative articulation to simplify technologies and features to resonate with the end-users.
