Security of Your Logs in Logging Analytics

Oracle Logging Analytics provides secure data transfer and storage for your logs. The service leverages the various security features that are inherently available in Oracle Cloud Infrastructure (OCI) and extends them to secure your logs.

Security of Logs In-Transit

While your data is in transit, all communication from outside OCI into OCI takes place over HTTPS, which encrypts the connection. This protects sensitive data from man-in-the-middle (MitM) attacks.

Security of Logs At-Rest

The following features ensure that your logs remain safe while at rest in OCI, be it active or archived data:

  • AES-256 server-side encryption: OCI always encrypts and decrypts all block volumes, boot volumes, volume backups, and object storage on the server side using the Advanced Encryption Standard (AES) algorithm with 256-bit keys. See Object Storage Encryption and Block Volume Encryption in Oracle Cloud Infrastructure Documentation.

    Encryption is enabled by default and cannot be turned off. By default, Oracle manages the master encryption key.

  • AES/GCM 256-bit client-side encryption: The OCI SDK for Python and SDK for Java support client-side encryption, which encrypts your data on the client side before storing it locally or using it with other OCI services. See Oracle Cloud Infrastructure Documentation: Client Side Encryption.
  • Customer-provided encryption keys: Oracle Logging Analytics enables you to use your own encryption key that you have stored in OCI Vault to encrypt your logs. After you place your request for the encryption using your own keys by contacting Oracle Support, based on the size of your log data, Oracle creates a dedicated block volume or object storage bucket. This ensures that your data is separated and can be selectively encrypted.

    When you enable the feature, you can select to use your encryption key on block volumes for active data or object storage for archival data.

    For details, see Use Your Own Encryption Key.

Use Your Own Encryption Key

The following steps provide the work flow to establish your own encryption key and use it in Oracle Logging Analytics.

Note

WARNING: Avoid Data Loss

In any of the following scenarios, data collection fails and your data in Oracle Logging Analytics is lost:

  • If you delete the old or the new key while key rotation is in progress
  • If you delete the key that is currently used for encryption
  • If you change the IAM policies pertaining to customer-provided encryption so that Oracle Cloud services can no longer access the data storage

Steps to Use Your Own Encryption Key with Oracle Logging Analytics

By following these steps, you can use your own encryption key in Oracle Logging Analytics, confirm the existing keys, and monitor their assignment using OCI CLI commands:

  1. Request feature enablement:

    Contact Oracle Support to enable the Customer-Provided Encryption Key feature for your tenancy. File a Service Request (SR) from Oracle Cloud Support Portal.

    Proceed to the next steps only after Oracle confirms that the feature is enabled.

  2. Create or select encryption key in OCI Vault:

    Navigate to OCI Security, and select Vault. Select or create a vault, then create or select the key to use. Using OCI Vault, you can manage vaults, keys and secrets. See Oracle Cloud Infrastructure Documentation: Managing Keys.

    Note

    Use only a 256-bit Advanced Encryption Standard (AES-256) key for Block Volumes (active storage data). See Block Volume Encryption Keys.

  3. Note your encryption key information:

    Locate and copy the OCID of your selected key in the Vault, the Vault compartment OCID, and the compartment OCID in which the key is located for use in the next steps.

  4. Configure required IAM policies:

    Ensure that the required IAM policy statements are created for key management, accessing data from your dedicated resources, and allowing Oracle Logging Analytics to use your encryption key on your logs. See Allow the Use of Customer-Provided Keys for Encrypting Logs.

  5. Assign your key to Oracle Logging Analytics storage:

    Assign your key with an OCI CLI request.

    oci log-analytics storage assign-encryption-key --key-id <key-id> --key-type <key_type> --namespace-name <namespace_name>
    • Replace <key-id> with the OCID of your encryption key.
    • Set <key_type> as "ACTIVE_DATA" for active storage, or "ARCHIVAL_DATA" for archival storage.
    • Replace <namespace_name> with your tenancy namespace name.

    Note the work request ID from the response to the above command.

    For more details about the CLI command, parameters, and examples, see assign-encryption-key.

  6. Monitor the encryption key assignment status:

    To track progress, use the work request ID from the response above:

    oci log-analytics storage get-storage-work-request --namespace-name <namespace_name> --work-request-id <work_request_id>
    • Replace <work_request_id> with the ID returned from the assign-encryption-key OCI CLI call.
    • Replace <namespace_name> with your tenancy namespace name.
    • Review the response for status and details. The key assignment is complete when the response status is SUCCEEDED.

    For more details about the CLI command, parameters, and examples, see get-storage-work-request.

    Sample response:

    {
      "compartmentId": "ocid1.tenancy.oc1..xxxxx",
      "id": "ocid1.loganalyticsstorageworkrequest.oc1.xxxxx",
      "operationDetails": "Encryption Completed",
      "operationType": "ENCRYPT_ACTIVE_DATA",
      "percentComplete": 100,
      "status": "SUCCEEDED",
      "statusDetails": "ENCRYPTED",
      "timeAccepted": "2025-05-30T18:29:05.153+00:00",
      "timeExpires": null,
      "timeFinished": "2025-05-30T18:30:27.980+00:00",
      "timeStarted": "2025-05-30T18:30:23.054+00:00"
    }

After the feature is enabled, your older log data, which resides in a different location, continues to be encrypted with Oracle-managed encryption keys. All new data ingested after enablement is encrypted with your own encryption key.

List Storage Encryption Keys

You can check which encryption keys are associated with your Oracle Logging Analytics tenancy at any time:

oci log-analytics storage list-encryption-key-info --namespace-name <namespace_name>

Replace <namespace_name> with your tenancy namespace name.

Sample JSON response:

[
  {
    "keyId": "ocid1.key.oc1..xxxxx",
    "keySource": "CUSTOMER_MANAGED",
    "keyType": "ACTIVE_DATA"
  },
  {
    "keyId": "ocid1.key.oc1..xxxxx",
    "keySource": "CUSTOMER_MANAGED",
    "keyType": "ARCHIVAL_DATA"
  }
]

For more details about the CLI command, parameters, and examples, see list-encryption-key-info.

Rotate Storage Encryption Keys

Periodically rotating your encryption keys is a best practice for strengthening data security. In Oracle Logging Analytics, you rotate your key by assigning a new one with the assign-encryption-key OCI CLI command. The steps below show how to rotate your key, monitor progress, and clean up the old key when the process is complete.

  1. Prepare your new encryption key:

    Generate or select a new encryption key in OCI Vault.

    Note

    Use only a 256-bit Advanced Encryption Standard (AES-256) key for Block Volumes (active storage data). See Block Volume Encryption Keys.

    Ensure that Oracle Logging Analytics has the necessary IAM policies to use the new key. See Allow the Use of Customer-Provided Keys for Encrypting Logs.

  2. Assign your key to Oracle Logging Analytics storage:

    Assign your key with an OCI CLI request.

    oci log-analytics storage assign-encryption-key --key-id <key-id> --key-type <key_type> --namespace-name <namespace_name>
    • Replace <key-id> with the OCID of your encryption key.
    • Set <key_type> as "ACTIVE_DATA" for active storage, or "ARCHIVAL_DATA" for archival storage.
    • Replace <namespace_name> with your tenancy namespace name.

    For more details about the CLI command, parameters, and examples, see assign-encryption-key.

  3. Monitor the encryption key assignment status:

    To track progress, use the work request ID from the response above:

    oci log-analytics storage get-storage-work-request --namespace-name <namespace_name> --work-request-id <work_request_id>
    • Replace <work_request_id> with the ID returned from the assign-encryption-key OCI CLI call.
    • Replace <namespace_name> with your tenancy namespace name.
    • Review the response for status and details. The key assignment is complete when the response status is SUCCEEDED.

    For more details about the CLI command, parameters, and examples, see get-storage-work-request.

    Sample response:

    {
      "compartmentId": "ocid1.tenancy.oc1..xxxxx",
      "id": "ocid1.loganalyticsstorageworkrequest.oc1.xxxxx",
      "operationDetails": "Encryption Completed",
      "operationType": "ENCRYPT_ACTIVE_DATA",
      "percentComplete": 100,
      "status": "SUCCEEDED",
      "statusDetails": "ENCRYPTED",
      "timeAccepted": "2025-05-30T18:29:05.153+00:00",
      "timeExpires": null,
      "timeFinished": "2025-05-30T18:30:27.980+00:00",
      "timeStarted": "2025-05-30T18:30:23.054+00:00"
    }

  4. Remove the old key:

    Ensure that rotation is complete by verifying that the status in the get-storage-work-request response is SUCCEEDED. After verifying that the list-encryption-key-info call now shows only the new key, you can safely remove the old key from OCI Vault. See List Storage Encryption Keys.
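The following shell helpers are an added example, not Oracle's own tooling. They wrap steps 5 and 6 of the key-assignment procedure (submit the assignment, then poll the work request) and the clean-up check in rotation step 4 (remove the old key only after the work request is SUCCEEDED and the key list no longer contains it). They assume a configured OCI CLI; the namespace, key OCIDs and work request ID are placeholders you pass in, and OCI_CMD can point at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not Oracle's tooling: helpers for steps 5-6 above (assign a key,
# poll the work request) and for the rotation clean-up check in the next section.
# Assumes a configured OCI CLI; namespace and key OCIDs are placeholders you pass in.
OCI="${OCI_CMD:-oci}"   # command to run; a stub can be substituted for dry runs

# Extract a top-level quoted string field from a pretty-printed JSON response read
# on stdin, without needing jq. Matches `"field": "value"` on a single line.
json_field() {
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Step 5: submit the assignment. KEY_TYPE is ACTIVE_DATA or ARCHIVAL_DATA.
# Note the work request ID in the response; it is the input to the poll below.
assign_key() {  # assign_key NAMESPACE KEY_OCID KEY_TYPE
    "$OCI" log-analytics storage assign-encryption-key \
        --namespace-name "$1" --key-id "$2" --key-type "$3"
}

# Step 6: poll get-storage-work-request until the request settles. SUCCEEDED means
# the assignment is complete; FAILED means the response needs to be reviewed.
# Bounded so a stuck request cannot be polled forever. Prints the final status.
wait_for_work_request() {  # wait_for_work_request NAMESPACE WORK_REQUEST_ID [DELAY_S] [MAX_POLLS]
    ns=$1; wr=$2; delay=${3:-60}; max=${4:-1440}; n=0
    while [ "$n" -lt "$max" ]; do
        resp=$("$OCI" log-analytics storage get-storage-work-request \
                   --namespace-name "$ns" --work-request-id "$wr") || return 1
        status=$(printf '%s\n' "$resp" | json_field status)
        case $status in
            SUCCEEDED) printf '%s\n' "$status"; return 0 ;;
            FAILED)    printf '%s\n' "$status"; return 1 ;;
        esac
        n=$((n + 1)); sleep "$delay"
    done
    printf 'TIMEOUT\n'; return 1
}

# Rotation step 4: reads list-encryption-key-info JSON on stdin and succeeds only
# if the old key's OCID no longer appears, i.e. it is safe to remove from OCI Vault.
old_key_gone() {  # old_key_gone OLD_KEY_OCID
    ! grep -q "\"keyId\": *\"$1\""
}

# Combined guard: never remove the old key unless the work request SUCCEEDED and
# the key list no longer contains it (both conditions the rotation steps require).
safe_to_remove_old_key() {  # safe_to_remove_old_key NAMESPACE OLD_KEY_OCID WORK_REQUEST_ID
    wait_for_work_request "$1" "$3" >/dev/null || return 1
    "$OCI" log-analytics storage list-encryption-key-info --namespace-name "$1" \
        | old_key_gone "$2"
}
```

Source the file and run `safe_to_remove_old_key <namespace_name> <old_key_ocid> <work_request_id>`; a zero exit status is the only signal on which to delete the old key from OCI Vault.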

Useful Tips for Rotating Your Encryption Keys in Oracle Logging Analytics

  • Both keys are needed during rotation

    When you start key rotation, both the old and new keys must remain active and accessible. The old key ensures that existing encrypted data can be read and re-encrypted with the new key.

  • Add a new key to start rotation

    Begin rotation by adding your new encryption key using the assign-encryption-key OCI CLI command. See Rotate Storage Encryption Keys.

  • No mandatory waiting period after rotation completes

    You do not have to wait a set number of days. Once key rotation is completed, the old key is no longer needed and can be safely removed from OCI Vault.

  • Rotation duration

    • If Archiving is not enabled:

      ACTIVE_DATA key type: Both the active data and the active data backup are encrypted with the specified key, and both are rotated. Rotation of the active data backup typically takes hours for 1TB, days for 10TB, and weeks for 100TB. The more data you have, the longer rotation may take.

    • If Archiving is enabled:

      ACTIVE_DATA key type: Only the active data key is rotated. The size of the active data (10TB, 20TB, 100TB) has little effect; rotation typically completes within minutes to an hour regardless of data size.

      ARCHIVAL_DATA key type: Only the archival data key is rotated. Rotation of archival data typically takes hours for 1TB, days for 10TB, and weeks for 100TB. The more data you have, the longer rotation may take.

  • No fixed retention time for old key

    • The old key must be kept until all data is re-encrypted with the new key and the rotation is confirmed complete.

  • How to monitor rotation progress

    The assign-encryption-key operation is asynchronous. After you submit a key rotation request, track its progress using the returned workRequestId.

    See Rotate Storage Encryption Keys.

    When the work request completes with the status SUCCEEDED and the list-encryption-key-info call now shows only the new key, it is safe to delete the old key. If the work request fails, review the response to determine the reason for the failure and apply the fix. For help, contact Oracle Support.

  • Verify which key is active

    List current encryption keys to confirm the new key is in use.

    See List Storage Encryption Keys.

    Ensure that the old key is no longer listed before removal.

  • Keep both keys accessible

    Do not delete or disable the old key until rotation has fully completed and been validated. Losing access to the old key during rotation can lead to data access issues.

  • Test with smaller data first

    If possible, consider a test rotation on a smaller data set to estimate timing in your OCI environment.

In summary, keep both keys available during rotation, monitor rotation through work request status, remove the old key only after completion, and expect archive rotation to take longer as data size increases. Always verify key status before cleanup.

Switch Back to Oracle-managed Encryption

If you face scalability or performance issues due to key rotation, or if you cannot maintain the key management process, you may want to switch back to Oracle-managed encryption. Contact Oracle Support to switch back to Oracle-managed encryption for your tenancy. File a Service Request (SR) from Oracle Cloud Support Portal.

Allow the Use of Customer-Provided Keys for Encrypting Logs

Oracle Logging Analytics enables you to use your own encryption key that you have stored in OCI Vault to encrypt your logs. After you place your request for the encryption using your own keys by contacting Oracle Support, based on the size of your log data, Oracle creates dedicated block volumes and object storage bucket. This ensures that your data is separated and can be selectively encrypted.

To successfully use your keys for encrypting the log data, you must first provide the following permissions for the various services to access and use the keys:

  1. Define the Logging Analytics tenancy where the data is stored, for example, logan_tenancy.

  2. Define a dynamic group of resources which can be used for performing encryption operations, for example, encr_app_tier_group_of_logan.

  3. Allow the Block Storage service to use your encryption keys and vaults stored in a specific compartment in your tenancy, for example, the encryptionTier compartment.

  4. Allow the Object Storage service to use your encryption keys and vaults stored in a specific compartment in your tenancy, for example, the encryptionTier compartment.

  5. Allow the dynamic group defined in step 2 to associate your encryption keys with volumes.

  6. Allow the dynamic group defined in step 2 to associate your encryption keys with volume-backups.

  7. Allow the dynamic group defined in step 2 to use key delegation.

  8. Allow the dynamic group defined in step 2 to associate your encryption keys with Object Storage buckets.

  9. Allow the dynamic group defined in step 2 to have READ access to your encryption keys.

  10. Allow the dynamic group defined in step 2 to have READ access to the vaults.

The following example IAM policy statements map to the above definitions:

Define tenancy logan_tenancy as <LOGAN_TENANCY_OCID>
Define dynamic-group encr_app_tier_group_of_logan as <LOGAN_APP_TIER_DYNAMIC_GROUP_OCID>
allow service blockstorage to use keys in compartment <CUSTOMER_KEY_COMPARTMENT_OCID>
allow service objectstorage-<REGION_IDENTIFIER> to use keys in compartment <CUSTOMER_KEY_COMPARTMENT_OCID>
Admit dynamic-group encr_app_tier_group_of_logan of tenancy logan_tenancy to associate keys in compartment <CUSTOMER_KEY_COMPARTMENT_OCID> with volumes in tenancy logan_tenancy
Admit dynamic-group encr_app_tier_group_of_logan of tenancy logan_tenancy to associate keys in compartment <CUSTOMER_KEY_COMPARTMENT_OCID> with volume-backups in tenancy logan_tenancy
Admit dynamic-group encr_app_tier_group_of_logan of tenancy logan_tenancy to use key-delegate in compartment <CUSTOMER_KEY_COMPARTMENT_OCID>
Admit dynamic-group encr_app_tier_group_of_logan of tenancy logan_tenancy to associate keys in compartment <CUSTOMER_KEY_COMPARTMENT_OCID> with buckets in tenancy logan_tenancy
Admit dynamic-group encr_app_tier_group_of_logan of tenancy logan_tenancy to read keys in compartment <CUSTOMER_KEY_COMPARTMENT_OCID>
Admit dynamic-group encr_app_tier_group_of_logan of tenancy logan_tenancy to read vaults in compartment <CUSTOMER_VAULT_COMPARTMENT_OCID>

Make sure to replace <LOGAN_TENANCY_OCID>, <REGION_IDENTIFIER>, <LOGAN_APP_TIER_DYNAMIC_GROUP_OCID>, <CUSTOMER_KEY_COMPARTMENT_OCID>, and <CUSTOMER_VAULT_COMPARTMENT_OCID> in the above IAM policy statements with the actual values.

To onboard the region, collect <LOGAN_TENANCY_OCID>, <LOGAN_APP_TIER_DYNAMIC_GROUP_OCID> from Oracle Logging Analytics.

To get the value of <REGION_IDENTIFIER>, see Regions and Availability Domains.

The <CUSTOMER_KEY_COMPARTMENT_OCID> is the OCID of the compartment in which the key is located. <CUSTOMER_VAULT_COMPARTMENT_OCID> is the OCID of the compartment where you created the vault that stores the keys. You noted both compartment OCIDs in step 3 of Steps to Use Your Own Encryption Key with Oracle Logging Analytics.