Monday, 25 May 2026

Generating OCI Security List JSON Templates Using OCI CLI

Oracle Cloud Infrastructure (OCI) Networking provides Security Lists to control inbound and outbound traffic for resources inside a Virtual Cloud Network (VCN).

Using OCI CLI, administrators can generate ready-made JSON templates for security rules, making automation and Infrastructure as Code much easier.


OCI CLI Command

The following command generates a sample JSON structure for ingress security rules:

oci network security-list create \
--generate-param-json-input ingress-security-rules

Real Example

(base) karandodwal@Karans-MacBook-Air ~ % oci network security-list create \
--generate-param-json-input ingress-security-rules

Sample Output

[
  {
    "description": "string",
    "icmpOptions": {
      "code": 0,
      "type": 0
    },
    "isStateless": true,
    "protocol": "string",
    "source": "string",
    "sourceType": "string",
    "tcpOptions": {
      "destinationPortRange": {
        "max": 0,
        "min": 0
      },
      "sourcePortRange": {
        "max": 0,
        "min": 0
      }
    },
    "udpOptions": {
      "destinationPortRange": {
        "max": 0,
        "min": 0
      },
      "sourcePortRange": {
        "max": 0,
        "min": 0
      }
    }
  }
]

What Does This Command Do?

The command does not create a Security List.

Instead, it generates a JSON template that can later be customized and used with OCI CLI commands.

This is extremely useful for:

  • Automation
  • Infrastructure as Code
  • Terraform-style workflows
  • Repeatable deployments
  • Complex networking configurations

Understanding OCI Security Lists

A Security List in OCI acts like a virtual firewall at the subnet level.

It controls:

  • Ingress traffic (incoming)
  • Egress traffic (outgoing)

OCI Networking Architecture

VCN
 └── Subnet
      └── Security List
            ├── Ingress Rules
            └── Egress Rules

Understanding the JSON Template

The generated JSON is a one-element array holding every parameter an ingress rule can carry, each filled with a placeholder ("string", 0, true). The placeholders are not defaults: "isStateless": true and the port ranges of 0 must be replaced or removed before the file is used. A real rule keeps only the option object that matches its protocol (tcpOptions for "6", udpOptions for "17", icmpOptions for "1") and drops the others.


Field-by-Field Explanation

Field Description
description Free-text purpose of the rule; fill it in, undocumented rules are hard to audit later
icmpOptions ICMP type and code to match; omit it to match every ICMP type
isStateless true for a stateless rule; omit it or set false for the default stateful rule
protocol IANA protocol number as a string ("1", "6", "17", "58") or the keyword all
source Source CIDR block, or an Oracle service CIDR label when sourceType is SERVICE_CIDR_BLOCK
sourceType CIDR_BLOCK (the default) or SERVICE_CIDR_BLOCK
tcpOptions Source and destination port ranges for protocol "6"; omit it to match every TCP port
udpOptions Source and destination port ranges for protocol "17"; omit it to match every UDP port

Understanding the Protocol Field

The protocol field holds the IANA protocol number as a string (the JSON value is "6", not 6), or the keyword all.

Protocol Value
ICMP 1
TCP 6
UDP 17
ICMPv6 58
All Protocols all

Example TCP Rule

Allow SSH on port 22 from an administrative network (203.0.113.0/24 is a documentation range standing in for your own bastion or VPN CIDR):

{
  "description": "Allow SSH from admin network",
  "protocol": "6",
  "source": "203.0.113.0/24",
  "sourceType": "CIDR_BLOCK",
  "tcpOptions": {
    "destinationPortRange": {
      "min": 22,
      "max": 22
    }
  }
}

Because the rule carries no isStateless field it is stateful, so the SSH replies are allowed automatically. Changing source to 0.0.0.0/0 would expose the port to the whole internet (see the security warning below).

Understanding TCP Options

TCP options define source and destination port ranges.

Destination Port Range

Defines which ports on the destination host the rule matches. min and max are inclusive, so min 22 / max 22 is a single port and min 8000 / max 8100 covers 101 ports.

Example:

"destinationPortRange": {
  "min": 22,
  "max": 22
}

This matches TCP traffic to port 22 (SSH) only. sourcePortRange is rarely needed in an ingress rule, because clients connect from random ephemeral ports; it matters mainly in the egress half of a stateless rule pair.


Understanding UDP Options

UDP options work similarly to TCP options but apply to UDP traffic.

Examples:

  • DNS
  • NTP
  • Streaming services

Understanding ICMP Options

ICMP rules (protocol "1") are used for:

  • Ping (type 8 echo request, type 0 echo reply)
  • Path MTU Discovery
  • Network diagnostics and troubleshooting

Example:

"icmpOptions": {
  "type": 3,
  "code": 4
}

Type 3 code 4 is "Destination Unreachable: Fragmentation Needed", the message Path MTU Discovery depends on; blocking it produces connections that hang on large packets. Omitting icmpOptions matches every ICMP type, and omitting code matches every code of the given type.

Stateful vs Stateless Rules

The template includes:

"isStateless": true

That value is only a placeholder. When the field is omitted (or set to false) the rule is stateful, which is the OCI default.

Stateful Rule

  • Connection tracking allows the return traffic automatically
  • Easier to manage: one ingress rule per service
  • Default behavior in OCI (isStateless omitted or false)

Stateless Rule

  • No connection tracking: return traffic must be allowed by an explicit egress rule, usually to the client's ephemeral port range (1024-65535)
  • Not subject to connection-tracking limits, so it can be preferable for very high-throughput or asymmetric traffic
  • Useful for specialized workloads; a stateless ingress rule plus a broad return-egress rule effectively opens that port range, so review both halves together

Understanding Source and SourceType

Example

"source": "0.0.0.0/0",
"sourceType": "CIDR_BLOCK"

Meaning

  • 0.0.0.0/0 means all IP addresses
  • CIDR_BLOCK specifies source is defined using CIDR notation

Security Warning

Using:

0.0.0.0/0

as the source opens the port to the entire internet (the IPv6 equivalent is ::/0).

Use it only for services meant to be public, such as 443 on a load balancer, and never for:

  • SSH (22) or RDP (3389); reach hosts through a bastion or VPN and restrict the source to that CIDR
  • Database listeners (1521, 3306, 5432); restrict the source to the application subnet
  • Internal application and management ports

A rule with "protocol": "all" and source 0.0.0.0/0 exposes every port on every host in the subnet; audit security lists for it regularly.
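The check the warning above asks for, as an added example (this script is not part of the original post and not Oracle's code). It accepts either a rules file in the camelCase format of the template, or the kebab-case JSON that `oci network security-list get` prints, and reports rules that admit sensitive ports from 0.0.0.0/0 or ::/0. The SENSITIVE_PORTS watch-list and the sample rules are this script's own assumptions.

```python
"""Audit OCI security-list ingress rules for internet exposure (added example)."""
import ipaddress
import json
import sys

# Assumption: our own watch-list of ports, not an OCI-defined set. Extend as needed.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1521: "Oracle listener",
                   3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def _camel(key):
    head, *rest = key.split("-")
    return head + "".join(w.capitalize() for w in rest)


def normalize(obj):
    """Turn the kebab-case keys of CLI output ('tcp-options') into the camelCase
    keys of the input-file format ('tcpOptions'), recursively."""
    if isinstance(obj, dict):
        return {_camel(k): normalize(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [normalize(v) for v in obj]
    return obj


def load_rules(text):
    """Accept a bare rules array (file format) or a `security-list get` document."""
    doc = normalize(json.loads(text))
    if isinstance(doc, dict):
        doc = doc["data"]["ingressSecurityRules"]
    return doc


def is_open_to_world(rule):
    """True when the source is 0.0.0.0/0 or ::/0 (prefix length zero)."""
    if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # SERVICE_CIDR_BLOCK sources are Oracle service ranges
    try:
        return ipaddress.ip_network(rule["source"], strict=False).prefixlen == 0
    except (KeyError, ValueError):
        return False


def sensitive_ports_admitted(rule):
    """Sensitive ports the rule matches on its destination side."""
    proto = rule.get("protocol")
    if proto == "all":
        return set(SENSITIVE_PORTS)
    if proto not in ("6", "17"):
        return set()  # ICMP and other protocols have no port concept
    opts = rule.get("tcpOptions" if proto == "6" else "udpOptions") or {}
    rng = opts.get("destinationPortRange")
    if not rng:
        return set(SENSITIVE_PORTS)  # no destination range means every port
    return {p for p in SENSITIVE_PORTS if rng["min"] <= p <= rng["max"]}


def audit_ingress_rules(rules):
    """Return (description, finding) pairs for rules that need a second look."""
    findings = []
    for rule in rules:
        if not is_open_to_world(rule):
            continue
        desc = rule.get("description") or "<no description>"
        ports = sensitive_ports_admitted(rule)
        if ports:
            names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in sorted(ports))
            findings.append((desc, f"open to the internet on {names}"))
        if rule.get("isStateless"):
            findings.append((desc, "stateless and open to the internet; review the egress half"))
    return findings


# Constructed sample rules in the file format (not from a real tenancy).
SAMPLE_RULES = [
    {"description": "Allow HTTPS", "protocol": "6", "source": "0.0.0.0/0",
     "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
    {"description": "Allow SSH", "protocol": "6", "source": "0.0.0.0/0",
     "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"description": "DB from app subnet", "protocol": "6", "source": "10.0.1.0/24",
     "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}},
    {"description": "Legacy allow-all", "protocol": "all", "source": "0.0.0.0/0",
     "sourceType": "CIDR_BLOCK"},
    {"description": "PMTUD", "protocol": "1", "source": "0.0.0.0/0",
     "sourceType": "CIDR_BLOCK", "icmpOptions": {"type": 3, "code": 4}},
]

# Constructed `oci network security-list get` output, kebab-case as the CLI prints it.
SAMPLE_GET_OUTPUT = json.dumps({"data": {"display-name": "MySecurityList",
    "ingress-security-rules": [{"description": "Allow SSH", "protocol": "6",
        "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "is-stateless": False,
        "tcp-options": {"destination-port-range": {"min": 22, "max": 22},
                        "source-port-range": None}}]}})

if __name__ == "__main__":
    # Usage: oci network security-list get --security-list-id <ocid> | python3 audit_rules.py
    for desc, finding in audit_ingress_rules(load_rules(sys.stdin.read())):
        print(f"{desc}: {finding}")
```

The kebab-to-camelCase step matters in practice: the CLI prints "tcp-options" and "source-type", but the files it accepts as input use "tcpOptions" and "sourceType", so output cannot be fed straight back in without renaming keys.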

How JSON Templates Are Used

The generated JSON can be:

  • Saved to a file
  • Edited manually
  • Passed back to OCI CLI commands

Save JSON Template to File

oci network security-list create \
--generate-param-json-input ingress-security-rules \
> ingress-rules.json

The same flag with egress-security-rules produces the egress template, which has destination and destinationType in place of source and sourceType. The redirect captures only standard output, so a Python warning printed to standard error never lands in the file.

Edit the JSON File

Replace the placeholders with real values. The file must stay a JSON array, one object per rule, because --ingress-security-rules expects a list:

[
  {
    "description": "Allow HTTPS",
    "protocol": "6",
    "source": "0.0.0.0/0",
    "sourceType": "CIDR_BLOCK",
    "tcpOptions": {
      "destinationPortRange": {
        "min": 443,
        "max": 443
      }
    }
  }
]

Create Security List Using JSON

oci network security-list create \
--compartment-id <compartment_ocid> \
--vcn-id <vcn_ocid> \
--display-name MySecurityList \
--ingress-security-rules file://ingress-rules.json
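Generating the ingress and egress files programmatically instead of hand-editing the template, as an added example (not code from the original post or from Oracle). It uses the field names of the generated templates, checks each rule against the template's keys before anything is written, and builds the egress half of a stateless rule pair, which is the step the stateful-vs-stateless section describes. The admin CIDR 203.0.113.0/24 and the 1024-65535 ephemeral range are assumptions.

```python
"""Build rule files for --ingress-security-rules / --egress-security-rules file:// input."""
import json

# Keys of the ingress template generated above, and of its egress counterpart.
INGRESS_TEMPLATE_KEYS = {"description", "icmpOptions", "isStateless", "protocol",
                         "source", "sourceType", "tcpOptions", "udpOptions"}
EGRESS_TEMPLATE_KEYS = {"description", "icmpOptions", "isStateless", "protocol",
                        "destination", "destinationType", "tcpOptions", "udpOptions"}
EPHEMERAL = {"min": 1024, "max": 65535}  # assumed client source-port range


def tcp_ingress(description, source, port, stateless=False):
    """Ingress rule for one TCP port; stateful unless stateless=True."""
    rule = {"description": description, "protocol": "6",
            "source": source, "sourceType": "CIDR_BLOCK",
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}}}
    if stateless:
        rule["isStateless"] = True  # omitted means stateful, the OCI default
    return rule


def stateless_return_egress(ingress_rule):
    """Egress rule that lets replies to a stateless TCP ingress rule leave.

    Replies travel from the service port back to the client's ephemeral port, so
    the egress rule pins sourcePortRange to the service port and opens the
    ephemeral destination range for the client CIDR only."""
    port = ingress_rule["tcpOptions"]["destinationPortRange"]
    return {"description": f"Return traffic for: {ingress_rule['description']}",
            "protocol": "6", "isStateless": True,
            "destination": ingress_rule["source"], "destinationType": "CIDR_BLOCK",
            "tcpOptions": {"sourcePortRange": dict(port),
                           "destinationPortRange": dict(EPHEMERAL)}}


def unknown_keys(rule, template_keys):
    """Keys the template does not list; catch typos before the create call."""
    return set(rule) - template_keys


def build_rule_files(admin_cidr):
    ingress = [
        tcp_ingress("Allow HTTPS", "0.0.0.0/0", 443),
        tcp_ingress("Allow SSH from admin network", admin_cidr, 22),
        tcp_ingress("Allow HTTP (stateless)", "0.0.0.0/0", 80, stateless=True),
    ]
    egress = [stateless_return_egress(r) for r in ingress if r.get("isStateless")]
    # Stateful rules need no return rule, but hosts still need outbound access.
    egress.append({"description": "Allow all outbound", "protocol": "all",
                   "destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK"})
    for rule in ingress:
        if unknown_keys(rule, INGRESS_TEMPLATE_KEYS):
            raise ValueError(f"unknown ingress keys in {rule}")
    for rule in egress:
        if unknown_keys(rule, EGRESS_TEMPLATE_KEYS):
            raise ValueError(f"unknown egress keys in {rule}")
    return ingress, egress


def rules_json(rules):
    """File content: a JSON array, which is what the --*-security-rules options expect."""
    return json.dumps(rules, indent=2)


def write_rule_files(admin_cidr, ingress_path="ingress-rules.json",
                     egress_path="egress-rules.json"):
    ingress, egress = build_rule_files(admin_cidr)
    for path, rules in ((ingress_path, ingress), (egress_path, egress)):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(rules_json(rules))
    return ingress_path, egress_path


if __name__ == "__main__":
    print(*write_rule_files("203.0.113.0/24"))
```

The two files are then passed as --ingress-security-rules file://ingress-rules.json and --egress-security-rules file://egress-rules.json on the create command. Note what the stateless pair costs: the return rule opens ports 1024-65535 towards 0.0.0.0/0 for packets whose source port is 80, which is far wider than the single stateful rule it replaces.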

Understanding the Warning Message

The command also displayed:

SyntaxWarning: "\." is an invalid escape sequence

Why Does This Warning Appear?

Since Python 3.12, an escape sequence the language does not recognise (here "\." inside an ordinary string literal that is really a regular expression) raises SyntaxWarning when the module is compiled, where older versions emitted a silent DeprecationWarning. The warning comes from one of the Python libraries bundled with OCI CLI, not from your command, and it goes to standard error, so it does not corrupt JSON captured from standard output.

It does not affect OCI CLI functionality. Upgrading the CLI usually removes it; setting PYTHONWARNINGS=ignore silences it in scripts.


Benefits of Generate-Param-JSON-Input

  • Reduces manual syntax errors
  • Shows all available parameters
  • Useful for automation
  • Simplifies complex configurations
  • Ideal for scripting

OCI Security List Best Practices

  • Use least privilege rules
  • Avoid open internet access when unnecessary
  • Use stateful rules unless stateless is required
  • Document security rule purposes
  • Regularly audit security lists

Security Lists vs Network Security Groups (NSGs)

Security Lists NSGs
Subnet-level firewall VNIC-level firewall
Applies to every VNIC in the subnet Applies only to the VNICs added to the group
Sources are CIDR blocks or service labels Sources can also be another NSG, so rules follow the workload rather than its IP addresses
Simpler management More granular control; preferred for tiered applications

When a VNIC is covered by both, the effective rule set is the union: a packet is allowed if any rule in either allows it, so an over-permissive security list cannot be tightened by an NSG alone.

Conclusion

The OCI CLI command:

oci network security-list create \
--generate-param-json-input ingress-security-rules

is a powerful way to generate networking rule templates for OCI Security Lists.

It helps cloud administrators:

  • Understand rule structures
  • Automate networking
  • Create reusable configurations
  • Build Infrastructure as Code workflows

Combined with OCI CLI automation and JSON templates, OCI networking becomes highly flexible and script-friendly for enterprise cloud deployments.

How to List OCI Object Storage Buckets Using OCI CLI

Oracle Cloud Infrastructure (OCI) Object Storage provides highly scalable and durable cloud storage for storing unstructured data such as:

  • Database backups
  • Application files
  • Terraform state files
  • Logs
  • Images and videos
  • Archive files

Using OCI CLI, administrators can quickly list all available buckets directly from the terminal.


OCI CLI Command to List Buckets

The following command lists all Object Storage buckets inside a compartment:

oci os bucket list \
--compartment-id <compartment_ocid> \
--namespace <namespace>

Real Example

(base) karandodwal@Karans-MacBook-Air oci % oci os bucket list \
--compartment-id ocid1.tenancy.oc1..aaaaaaaa3vnisivl47yhbkewows6ga6xawrhmg2p37nzqj656rz4j7wt55gq \
--namespace bmsabuehgvp5

Understanding the Command

Parameter Description
oci OCI CLI executable
os Object Storage service
bucket Bucket resource type
list Action to display buckets
--compartment-id OCI compartment or tenancy OCID
--namespace Object Storage namespace

Sample Output

{
  "data": [
    {
      "bucket-scope": "NAMESPACE",
      "compartment-id": "ocid1.tenancy.oc1..aaaaaaaa3vnisivl47yhbkewows6ga6xawrhmg2p37nzqj656rz4j7wt55gq",
      "created-by": "ocid1.saml2idp.oc1..aaaaaaaagk67dtxfsgsyudgppijtx3gkcipqmoq33o2bh2z55pjryeol4juq/karandodwal@gmail.com",
      "etag": "2c6154b3-0051-44fd-82cc-b05d00409442",
      "name": "bucket-1031",
      "namespace": "bmsabuehgvp5",
      "time-created": "2022-06-26T19:07:15.549000+00:00"
    }
  ]
}

Understanding the JSON Output

OCI CLI returns bucket information in JSON format.

The response contains:

"data": [ ]

which is an array of bucket objects.


Important Output Fields Explained

Field Description
bucket-scope Defines bucket visibility scope
compartment-id OCI compartment OCID where bucket exists
created-by User or identity that created the bucket
etag Entity tag of the bucket metadata; it changes on every update and can be passed as --if-match to make an update conditional
name Name of the bucket
namespace Object Storage namespace
time-created Bucket creation timestamp

Understanding the Bucket Name

From the output:

"name": "bucket-1031"

This is the Object Storage bucket name.

The bucket stores objects such as:

  • Files
  • Backups
  • Images
  • Application data

Understanding Namespace

The output shows:

"namespace": "bmsabuehgvp5"

A namespace is a unique Object Storage identifier assigned to an OCI tenancy.

All buckets exist inside a namespace.


How to Get Namespace

oci os ns get

Example output:

{
  "data": "bmsabuehgvp5"
}

Understanding Bucket Scope

The output shows:

"bucket-scope": "NAMESPACE"

This means the bucket exists within the tenancy namespace.


Understanding the Created-By Field

Example:

"created-by": "ocid1.saml2idp.oc1.../karandodwal@gmail.com"

This indicates:

  • The identity that created the bucket; the OCID prefix saml2idp shows a federated user (signed in through an identity provider) rather than a local IAM user
  • Whom to ask when a bucket's purpose is unclear
  • A starting point for audit investigation; the full change history is in the OCI Audit service

Understanding the ETag

Example:

"etag": "2c6154b3-0051-44fd-82cc-b05d00409442"

The ETag is an entity tag for the bucket's current metadata. It changes whenever the bucket is updated and is used for:

  • Optimistic concurrency control (pass it with --if-match so an update fails if someone changed the bucket first)
  • HTTP-style conditional requests

It is not an object version identifier; object versions are tracked by bucket versioning, which is a separate setting.

Understanding Time-Created

Example:

"time-created": "2022-06-26T19:07:15.549000+00:00"

This indicates when the bucket was created in UTC format.


What About the Warning Message?

The command output also displayed:

FutureWarning: The 'strict' parameter is no longer needed on Python 3+

Why Does This Warning Appear?

This is a deprecation warning emitted by urllib3, the HTTP library underneath the OCI Python SDK that the CLI is built on. A dependency still passes the Python 2-era strict argument when it opens an HTTP connection, and urllib3 2.x warns that the argument is ignored and will be removed.

It is printed to standard error, so it does not break JSON captured from standard output, and it does not affect bucket operations. Upgrading OCI CLI to a release built against the newer urllib3 removes it.


Display Bucket List in Table Format

JSON output is useful for automation, but table output is easier to read.

Example

oci os bucket list \
--compartment-id <compartment_ocid> \
--namespace <namespace> \
--output table

Filter Bucket Output Using Queries

Display Only Bucket Names

oci os bucket list \
--compartment-id <compartment_ocid> \
--namespace <namespace> \
--query "data[*].name"

Display Only Creation Time

oci os bucket list \
--compartment-id <compartment_ocid> \
--namespace <namespace> \
--query "data[*].time-created"

Useful Related Bucket Commands

Get Bucket Details

oci os bucket get \
--bucket-name bucket-1031 \
--namespace bmsabuehgvp5

List Objects Inside Bucket

oci os object list \
--bucket-name bucket-1031

Upload File to Bucket

oci os object put \
--bucket-name bucket-1031 \
--file backup.zip

OCI Object Storage Use Cases

  • RMAN backups
  • Database exports
  • Terraform remote state
  • Log archival
  • Application storage
  • Static website hosting
  • Data lake storage

OCI CLI Benefits

  • Automation friendly
  • Supports scripting
  • Useful for DevOps pipelines
  • Faster than manual console operations
  • Supports Infrastructure as Code workflows

Conclusion

The OCI CLI command:

oci os bucket list

is one of the most commonly used Object Storage operations in Oracle Cloud Infrastructure.

It helps administrators:

  • Discover available buckets
  • Verify storage configuration
  • Manage Object Storage resources
  • Automate cloud storage operations

Combined with Object Storage APIs, Cloud Shell, and automation tools, OCI CLI provides a powerful way to manage enterprise cloud storage directly from the terminal.

Understanding OCI Object Storage Bucket Commands Using OCI CLI

Oracle Cloud Infrastructure (OCI) Object Storage is a highly scalable cloud storage service used to store unstructured data such as:

  • Backups
  • Images
  • Videos
  • Database exports
  • Logs
  • Application files
  • Terraform state files

Using OCI CLI, administrators can manage Object Storage buckets directly from the terminal.


Checking Available Bucket Commands

The following command displays all available bucket operations in OCI CLI:

oci os bucket -h

Example Terminal Output

(base) karandodwal@Karans-MacBook-Air oci % oci os bucket -h
Usage: oci os bucket [OPTIONS] COMMAND [ARGS]...

  A bucket is a container for storing objects in a compartment within a
  namespace. A bucket is associated with a single compartment.

Commands:
  create
  delete
  get
  list
  reencrypt
  update

Understanding OCI Object Storage Buckets

A bucket is a logical container inside OCI Object Storage where objects (files) are stored.

Examples of objects:

  • ZIP files
  • Backups
  • Images
  • JSON files
  • Database dump files
  • Terraform state files

OCI Object Storage Hierarchy

Tenancy (one Object Storage namespace per tenancy)
 └── Compartment
      └── Bucket (belongs to one compartment, addressed within the tenancy namespace)
           └── Objects

The namespace is a tenancy-wide name, not something inside a compartment; the compartment is what IAM policies and the bucket list command are scoped to.

What the Help Output Explains

The OCI CLI help output provides:

  • Command usage syntax
  • Bucket descriptions
  • Available bucket operations
  • IAM authorization requirements

Basic OCI Bucket Command Structure

oci os bucket <command>

Available Bucket Commands Explained

Command Description
create Create a new bucket in a compartment
delete Delete a bucket; it must already be empty
get Display bucket details, including public-access-type and kms-key-id
list List the buckets in a compartment
reencrypt Re-encrypt the data encryption keys of existing objects with the current version of the bucket's master key
update Modify bucket settings such as public access type, versioning or the Vault key

1. Create Bucket

Creates a new Object Storage bucket.

Example

oci os bucket create \
--compartment-id <compartment_ocid> \
--name mybucket \
--namespace-name <namespace>

2. Delete Bucket

Deletes a bucket. The bucket must already be empty.

Example

oci os bucket delete \
--bucket-name mybucket \
--namespace-name <namespace> \
--force

Important:

  • --force only skips the interactive confirmation prompt; it does not empty the bucket
  • All objects (every version, if versioning is on) must be removed first, for example with the bulk-delete subcommand of oci os object
  • Deletion is not reversible; double-check the bucket name and namespace before putting --force in a script

3. Get Bucket Details

Displays detailed information about a bucket.

Example

oci os bucket get \
--bucket-name mybucket \
--namespace-name <namespace>

4. List Buckets

Lists all buckets inside a compartment.

Example

oci os bucket list \
--compartment-id <compartment_ocid> \
--namespace-name <namespace>

5. Re-encrypt Bucket

Every object is encrypted with its own data encryption key, which is wrapped by the bucket's master key. After you rotate a customer-managed key in OCI Vault, existing objects stay wrapped with the previous key version until reencrypt rewraps them with the current one.

This is useful when:

  • Rotating a customer-managed encryption key
  • Meeting a compliance requirement that data be protected by a current key version
  • Moving a bucket from Oracle-managed to customer-managed keys (after assigning the key with update)

Example

oci os bucket reencrypt \
--bucket-name mybucket \
--namespace-name <namespace>

6. Update Bucket

Updates bucket settings and properties. --public-access-type accepts NoPublicAccess (the default), ObjectRead (anonymous read and listing) and ObjectReadWithoutList (anonymous read of objects whose names are known, no listing). Other commonly updated settings are --versioning and --kms-key-id, which assigns a customer-managed key from OCI Vault.

Example

oci os bucket update \
--bucket-name mybucket \
--namespace-name <namespace> \
--public-access-type NoPublicAccess
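Putting the list, get and update commands together into an exposure check, as an added example (not code from the original post or from Oracle). The functions consume the JSON that `oci os bucket list` and `oci os bucket get` print (the bucket list output shown in the earlier section has the same shape) and emit the `oci os bucket update` lines that would fix each finding. The sample bucket documents, the allow-list of intentionally public buckets and the <vault_key_ocid> placeholder are assumptions.

```python
"""Audit bucket exposure from OCI CLI JSON and plan remediation (added example)."""
import json
import sys

# Constructed `oci os bucket list` output, reduced to the fields used here.
SAMPLE_LIST_OUTPUT = json.dumps({"data": [{"name": "bucket-1031",
                                           "namespace": "bmsabuehgvp5"}]})

# Constructed `oci os bucket get` responses, one per bucket (only relevant fields).
SAMPLE_BUCKET_GETS = [
    {"data": {"name": "bucket-1031", "namespace": "bmsabuehgvp5",
              "public-access-type": "NoPublicAccess", "kms-key-id": None,
              "versioning": "Disabled"}},
    {"data": {"name": "web-assets", "namespace": "bmsabuehgvp5",
              "public-access-type": "ObjectRead", "kms-key-id": None,
              "versioning": "Disabled"}},
    {"data": {"name": "db-backups", "namespace": "bmsabuehgvp5",
              "public-access-type": "ObjectReadWithoutList",
              "kms-key-id": "ocid1.key.oc1.ap-mumbai-1.example",
              "versioning": "Enabled"}},
]


def bucket_names(list_output):
    """Equivalent of --query 'data[*].name' applied to the list JSON."""
    return [b["name"] for b in json.loads(list_output)["data"]]


def assess_bucket(bucket, allow_public=frozenset()):
    """Findings for one bucket document; allow_public names buckets meant to be public."""
    findings = []
    access = bucket.get("public-access-type", "NoPublicAccess")
    if access != "NoPublicAccess" and bucket["name"] not in allow_public:
        findings.append(f"public access {access}")
    if not bucket.get("kms-key-id"):
        findings.append("Oracle-managed key only (no customer-managed Vault key)")
    if bucket.get("versioning") != "Enabled":
        findings.append("versioning not enabled")
    return findings


def audit_buckets(bucket_gets, allow_public=frozenset()):
    """Map bucket name to its findings across a batch of `bucket get` documents."""
    return {doc["data"]["name"]: assess_bucket(doc["data"], allow_public)
            for doc in bucket_gets}


def remediation_commands(bucket, findings):
    """One `oci os bucket update` line per finding. --public-access-type,
    --kms-key-id and --versioning are real options of that command; the key
    OCID is left as a placeholder to fill in."""
    base = (f"oci os bucket update --bucket-name {bucket['name']} "
            f"--namespace-name {bucket['namespace']}")
    cmds = []
    for finding in findings:
        if finding.startswith("public access"):
            cmds.append(f"{base} --public-access-type NoPublicAccess")
        elif finding.startswith("Oracle-managed"):
            cmds.append(f"{base} --kms-key-id <vault_key_ocid>")
        elif finding.startswith("versioning"):
            cmds.append(f"{base} --versioning Enabled")
    return cmds


if __name__ == "__main__":
    # Usage: oci os bucket get --bucket-name <name> --namespace-name <ns> | python3 bucket_audit.py
    doc = json.load(sys.stdin)
    for line in remediation_commands(doc["data"], assess_bucket(doc["data"])):
        print(line)
```

Printing the update commands instead of running them keeps the script a plan you can review; a bucket such as web-assets that is public on purpose goes into allow_public rather than being "fixed" into an outage.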

IAM Authorization Requirement

The help output also mentions:

To use any of the API operations, you must be authorized in an IAM policy.

This means OCI users need an IAM policy that grants the verbs they actually use. Bucket commands map to the buckets resource type and object commands to objects; object-family covers both.

Example IAM Policy for Object Storage

Allow group StorageAdmins to manage object-family in compartment Production

For application or read-only identities, grant the narrowest verb and scope that works instead of manage, for example:

Allow group AppReaders to read objects in compartment Production where target.bucket.name='app-logs'

Understanding OCI Namespace

Object Storage buckets exist inside a namespace.

A namespace is automatically generated for each OCI tenancy.


Get Namespace

oci os ns get

Example output:

{
  "data": "mytenancynamespace"
}

Useful Related OCI Object Storage Commands

List Objects in a Bucket

oci os object list \
--bucket-name mybucket

Upload Object

oci os object put \
--bucket-name mybucket \
--file backup.zip

Download Object

oci os object get \
--bucket-name mybucket \
--name backup.zip \
--file backup.zip

Display Bucket Commands Help

You can get detailed help for individual bucket commands.

Example

oci os bucket create --help

Display Output in Table Format

OCI CLI supports table formatting for readability.

Example

oci os bucket list \
--compartment-id <compartment_ocid> \
--namespace-name <namespace> \
--output table

Why OCI CLI is Useful for Object Storage

  • Automates storage management
  • Useful for scripting
  • Supports backups and restore automation
  • Works well with DevOps pipelines
  • Faster than manual console operations
  • Supports Terraform and Infrastructure as Code

OCI CLI and Cloud Shell

OCI CLI can run from:

  • macOS Terminal
  • Linux servers
  • Windows WSL
  • Oracle Cloud Shell

Oracle Cloud Shell already includes OCI CLI pre-installed and authenticated.


Best Practices for OCI Buckets

  • Keep public-access-type at NoPublicAccess unless the bucket serves public content, and use pre-authenticated requests for one-off sharing
  • Buckets are always encrypted at rest; assign a customer-managed key from OCI Vault when you need control over key rotation and revocation
  • Use IAM least-privilege policies scoped to a compartment or a named bucket instead of manage object-family for everyone
  • Enable versioning or retention rules on backup buckets so objects cannot be silently overwritten or deleted
  • Organize buckets by workload and compartment
  • Monitor access through OCI Audit and Object Storage service logs, and alert on public-access changes
  • Use lifecycle policies to tier or expire old data

Conclusion

The command:

oci os bucket -h

is an excellent starting point for learning OCI Object Storage management using OCI CLI.

It provides visibility into all major bucket operations including:

  • Bucket creation
  • Listing buckets
  • Updating bucket settings
  • Deleting buckets
  • Encryption management

OCI Object Storage combined with OCI CLI provides a powerful and automation-friendly cloud storage platform for enterprise workloads and cloud-native applications.

Exploring OCI Regions Using OCI CLI

Oracle Cloud Infrastructure (OCI) provides cloud regions across multiple countries and continents to support high availability, disaster recovery, low latency, and global cloud deployments.

Using OCI CLI, administrators can quickly list all available Oracle Cloud regions directly from the terminal.


OCI CLI Command to List Regions

The following command displays all OCI regions available globally:

oci iam region list

Sample Output

karandodwa@cloudshell:~ (ap-mumbai-1)$ oci iam region list

The command returns JSON output similar to:

{
  "data": [
    {
      "key": "BOM",
      "name": "ap-mumbai-1"
    },
    {
      "key": "HYD",
      "name": "ap-hyderabad-1"
    },
    {
      "key": "ONM",
      "name": "ap-delhi-1"
    },
    {
      "key": "IAD",
      "name": "us-ashburn-1"
    },
    {
      "key": "PHX",
      "name": "us-phoenix-1"
    }
  ]
}

The actual output contains dozens of OCI regions distributed globally.


Understanding the Output

Each OCI region entry contains:

Field Description
key Short region identifier
name Full OCI region name

Example Region Entry

{
  "key": "BOM",
  "name": "ap-mumbai-1"
}

Meaning of This Region

  • BOM → Short code for Mumbai
  • ap → Asia Pacific
  • mumbai → Region city/location
  • 1 → Region sequence number

OCI Region Naming Convention

OCI regions generally follow this format:

<geography>-<city>-<number>

Examples

Region Name Description
ap-mumbai-1 Asia Pacific - Mumbai
ap-hyderabad-1 Asia Pacific - Hyderabad
us-ashburn-1 United States - Ashburn
eu-frankfurt-1 Europe - Frankfurt
me-dubai-1 Middle East - Dubai

OCI Regions Available in India

From the output, Oracle currently provides multiple cloud regions in India:

Key Region Location
BOM ap-mumbai-1 Mumbai
HYD ap-hyderabad-1 Hyderabad
ONM ap-delhi-1 Delhi NCR
DES ap-chennai-1 Chennai

Benefits of Multiple OCI Regions

1. High Availability

Applications can be deployed across multiple regions for better uptime.


2. Disaster Recovery

Organizations can replicate workloads between regions.


3. Low Latency

Users can choose cloud regions closer to end users.


4. Regulatory Compliance

Data residency requirements can be satisfied using local regions.


Popular OCI Regions from the Output

Key Region Country/Area
IAD us-ashburn-1 USA
PHX us-phoenix-1 USA
FRA eu-frankfurt-1 Germany
LHR uk-london-1 United Kingdom
NRT ap-tokyo-1 Japan
SIN ap-singapore-1 Singapore
SYD ap-sydney-1 Australia
JNB af-johannesburg-1 South Africa

OCI Geographic Categories

OCI region prefixes indicate geographical areas:

Prefix Meaning
ap Asia Pacific
us United States
eu Europe
me Middle East
sa South America
ca Canada
af Africa
mx Mexico
uk United Kingdom

Filter OCI Regions Using Queries

OCI CLI supports JMESPath queries for filtering output.

Display Only Region Names

oci iam region list \
--query "data[*].name"

Display Only Region Keys

oci iam region list \
--query "data[*].key"

Display Output in Table Format

oci iam region list --output table

Get Current Configured OCI Region

You can verify your configured default region using:

cat ~/.oci/config

Example:

region=ap-mumbai-1

Switch OCI Region Temporarily

You can target another region using:

oci --region us-ashburn-1 iam region list

Why OCI Regions Matter

Choosing the correct OCI region affects:

  • Application performance
  • Latency
  • Disaster recovery architecture
  • Compliance requirements
  • Cost optimization
  • Service availability

OCI Multi-Region Architecture

Many enterprise deployments use multiple OCI regions for:

  • Cross-region replication
  • Backup strategies
  • Autonomous Database replication
  • Disaster recovery
  • Global application deployments

Oracle Cloud Shell and OCI CLI

The command was executed from Oracle Cloud Shell:

karandodwa@cloudshell:~ (ap-mumbai-1)$

This indicates:

  • The user is logged into Cloud Shell
  • The current configured region is Mumbai
  • OCI CLI is already installed and authenticated

Conclusion

The command:

oci iam region list

is one of the first and most useful OCI CLI commands for understanding Oracle Cloud Infrastructure global availability.

It helps administrators:

  • Discover OCI regions
  • Plan deployments
  • Select low-latency regions
  • Design disaster recovery architectures
  • Build multi-region cloud solutions

With OCI continuously expanding globally, understanding OCI regions becomes an important foundation for cloud architecture and administration.

Getting Started with Basic OCI CLI Commands

Oracle Cloud Infrastructure (OCI) provides a powerful command line interface called OCI CLI that allows administrators, developers, and cloud engineers to manage cloud resources directly from the terminal.

OCI CLI is extremely useful for:

  • Cloud automation
  • Managing compute instances
  • Working with Object Storage
  • Managing networking resources
  • Database administration
  • Terraform integrations
  • Scripting and DevOps operations

What is OCI CLI?

OCI CLI stands for:

Oracle Cloud Infrastructure Command Line Interface

It allows you to interact with OCI services using commands instead of the web console.


OCI CLI Command Structure

Most OCI CLI commands follow this structure:

oci <service> <resource> <action>

Example

oci iam region list

Breakdown:

  • iam → OCI Identity service
  • region → Resource type
  • list → Action

Check OCI CLI Installation

To verify OCI CLI is installed:

oci --version

Display OCI CLI Help

oci --help

or simply:

oci

Useful Global OCI CLI Options

Option Description
--help Show help information
--version Display OCI CLI version
--output table Display output in table format
--debug Enable debug output
--region Specify OCI region
-i Interactive mode

Enable Interactive Mode

OCI CLI supports interactive mode for auto-completion and easier command discovery.

oci -i

Basic OCI Commands

1. List OCI Regions

oci iam region list

2. Display Output in Table Format

oci iam region list --output table

3. Get Current Object Storage Namespace

oci os ns get

4. List Compartments

oci iam compartment list --all

5. List Availability Domains

oci iam availability-domain list

Working with Compute Instances

List Compute Instances

oci compute instance list \
--compartment-id <compartment_ocid>

Get Instance Details

oci compute instance get \
--instance-id <instance_ocid>

Start a Compute Instance

oci compute instance action \
--instance-id <instance_ocid> \
--action START

Stop a Compute Instance

oci compute instance action \
--instance-id <instance_ocid> \
--action STOP

Working with Object Storage

List Buckets

oci os bucket list \
--compartment-id <compartment_ocid> \
--namespace-name <namespace>

Create a Bucket

oci os bucket create \
--compartment-id <compartment_ocid> \
--name mybucket \
--namespace-name <namespace>

Upload a File

oci os object put \
--bucket-name mybucket \
--file test.txt

List Objects Inside Bucket

oci os object list \
--bucket-name mybucket

Working with Networking

List Virtual Cloud Networks (VCNs)

oci network vcn list \
--compartment-id <compartment_ocid>

List Subnets

oci network subnet list \
--compartment-id <compartment_ocid>

List Internet Gateways

oci network internet-gateway list \
--compartment-id <compartment_ocid>

Working with Databases

List Autonomous Databases

oci db autonomous-database list \
--compartment-id <compartment_ocid>

List DB Systems

oci db system list \
--compartment-id <compartment_ocid>

Using Queries in OCI CLI

OCI CLI supports JMESPath queries for filtering output.

Example

oci iam compartment list \
--all \
--query "data[*].name"

Get Only OCIDs

oci iam compartment list \
--all \
--query "data[*].id"

Using Raw Output

oci os ns get --query data --raw-output

This returns only the namespace value without JSON formatting.


Generate JSON Templates

OCI CLI can automatically generate JSON input templates.

Example

oci os bucket create \
--generate-full-command-json-input

Working with Configuration Files

OCI CLI configuration file location:

~/.oci/config

Typical configuration (user, tenancy and fingerprint are identifiers; the private key that key_file points to is the actual credential, so keep it readable only by you and out of version control):

[DEFAULT]
user=ocid1.user.oc1...
fingerprint=xx:xx:xx
tenancy=ocid1.tenancy.oc1...
region=ap-mumbai-1
key_file=/home/opc/.oci/oci_api_key.pem
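A hygiene check for the config file and the key it points to, as an added example (not part of the OCI CLI or of the original post). It parses the config with configparser, the same INI format the CLI reads, so named profiles inherit values from DEFAULT exactly as the CLI resolves them; it then checks that each profile has the required keys with plausible values and that neither the config file nor the key file is readable by other users. The sample config is constructed.

```python
"""Hygiene checks for ~/.oci/config and the API signing key (added example)."""
import configparser
import os
import re
import stat

REQUIRED = ("user", "fingerprint", "tenancy", "region", "key_file")
# Fingerprint of the uploaded public key: 16 hex bytes separated by colons.
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO  # any permission bit outside the owner's

# Constructed sample: a sane DEFAULT profile and a profile with two mistakes.
SAMPLE_CONFIG = """
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaaexampleuser
fingerprint=20:3b:97:13:55:1c:5b:0d:d3:37:d8:50:4e:c5:3a:34
tenancy=ocid1.tenancy.oc1..aaaaaaaaexampletenancy
region=ap-mumbai-1
key_file=~/.oci/oci_api_key.pem

[broken]
user=ocid1.tenancy.oc1..notauser
fingerprint=20:3b:97
"""


def parse_config(text):
    """Profiles as plain dicts; named profiles inherit DEFAULT, as the CLI does."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {"DEFAULT": dict(cp.defaults())}
    profiles.update({name: dict(cp[name]) for name in cp.sections()})
    return profiles


def check_profile(name, profile, key_mode=None):
    """Problems for one profile; key_mode is the st_mode of its key file (None = unknown)."""
    problems = []
    for key in REQUIRED:
        if key not in profile:
            problems.append(f"{name}: missing {key}")
    if "user" in profile and not profile["user"].startswith("ocid1.user."):
        problems.append(f"{name}: user is not a user OCID")
    if "tenancy" in profile and not profile["tenancy"].startswith("ocid1.tenancy."):
        problems.append(f"{name}: tenancy is not a tenancy OCID")
    if "fingerprint" in profile and not FINGERPRINT_RE.match(profile["fingerprint"]):
        problems.append(f"{name}: fingerprint is not 16 colon-separated hex bytes")
    if "pass_phrase" in profile:
        problems.append(f"{name}: key pass phrase stored in clear text in the config")
    if key_mode is not None and key_mode & GROUP_OR_WORLD:
        problems.append(f"{name}: key_file is readable by group or others; chmod 600 it")
    return problems


def check_config_file(path="~/.oci/config"):
    """Run the checks against a real config file on disk."""
    path = os.path.expanduser(path)
    problems = []
    if os.stat(path).st_mode & GROUP_OR_WORLD:
        problems.append("config file is readable by group or others; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        profiles = parse_config(fh.read())
    for name, profile in profiles.items():
        key_mode = None
        key_path = os.path.expanduser(profile.get("key_file", ""))
        if key_path and os.path.exists(key_path):
            key_mode = os.stat(key_path).st_mode
        elif key_path:
            problems.append(f"{name}: key_file {key_path} does not exist")
        problems.extend(check_profile(name, profile, key_mode))
    return problems


if __name__ == "__main__":
    for problem in check_config_file() or ["no problems found"]:
        print(problem)
```

The CLI itself warns when the key or config file permissions are too open, and oci setup repair-file-permissions --file <path> tightens them; the script above adds the checks on the values, which the CLI only discovers when a signed request is rejected.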

OCI CLI Authentication Types

OCI CLI supports multiple authentication methods, selected with the --auth option or in the config profile:

Authentication Type Description
api_key Default: requests are signed with the private key named by key_file, matched to the fingerprint of the public key uploaded to the user
instance_principal Runs on an OCI compute instance and uses the instance's own identity (authorized through a dynamic group); no key file to distribute or rotate
security_token Short-lived session token obtained with a browser login (oci session authenticate); good for laptops because nothing long-lived is stored
resource_principal Used inside OCI Functions, Data Science and similar services that supply a resource identity

OCI Cloud Shell Advantage

OCI Cloud Shell already includes:

  • OCI CLI pre-installed
  • Authentication pre-configured
  • Terraform tools
  • kubectl
  • Git
  • Python SDKs

This makes it very easy to start working with OCI immediately.


Useful Troubleshooting Commands

Enable Debugging

oci --debug iam region list

Check Current Region

cat ~/.oci/config

Validate Authentication

oci iam region list

Best Practices

  • Use OCI CLI interactive mode for learning
  • Keep scripts in version control, but never the private key, session tokens or a pass phrase from ~/.oci/config
  • OCIDs are identifiers rather than secrets, but avoid posting them publicly; they tell an attacker exactly which tenancy to target
  • Use instance principals or resource principals on OCI hosts so no API key has to be distributed
  • Use table output for readability
  • Use queries to simplify output

Conclusion

OCI CLI is one of the most powerful tools available for managing Oracle Cloud Infrastructure resources.

With simple commands, administrators can manage:

  • Compute instances
  • Networking
  • Object Storage
  • Databases
  • Kubernetes
  • Security services

Combined with Oracle Cloud Shell, OCI CLI becomes an excellent platform for automation, cloud administration, and DevOps operations.

Learning basic OCI commands is the first step toward mastering Oracle Cloud Infrastructure administration and automation.

Understanding Encryption Algorithms in Oracle Autonomous Database and OCI

Data encryption is one of the most critical security features in modern cloud databases. Oracle Cloud Infrastructure (OCI) and Oracle Autonomous Database use Transparent Data Encryption (TDE) to secure data stored inside database tablespaces.

When we query the dynamic performance view V$ENCRYPTED_TABLESPACES, we can see the encryption algorithm currently being used by Oracle Database.


Checking Tablespace Encryption Details

The following query displays encrypted tablespace information:

SQL> select * from v$encrypted_tablespaces;

Sample output:

TS# ENCRYPTIONALG ENCRYPTEDTS STATUS  CIPHERMODE CON_ID
--- ------------- ----------- ------- ----------- ------
0   AES256        YES         NORMAL  XTS         600
1   AES256        YES         NORMAL  XTS         600
4   AES256        YES         NORMAL  XTS         600
5   AES256        YES         NORMAL  XTS         600
6   AES256        YES         NORMAL  XTS         600
9   AES256        YES         NORMAL  XTS         600
10  AES256        YES         NORMAL  XTS         600

What Does This Output Tell Us?

From the output, we can clearly see:

  • Tablespaces are encrypted
  • Encryption algorithm used is AES256
  • Cipher mode is XTS
  • Tablespace status is NORMAL

This confirms that Oracle Autonomous Database and OCI databases use enterprise-grade encryption by default.


Important Columns Explained

Column Description
ENCRYPTIONALG Encryption algorithm used for tablespace encryption
ENCRYPTEDTS Indicates whether the tablespace is encrypted
ENCRYPTEDKEY The tablespace encryption key, stored wrapped (encrypted) by the master key; it never appears in clear
MASTERKEYID Master encryption key identifier
BLOCKS_ENCRYPTED Number of encrypted blocks
BLOCKS_DECRYPTED Number of decrypted blocks accessed
STATUS Encryption status of the tablespace
CIPHERMODE Cipher mode used during encryption
CON_ID Container ID in multitenant architecture

Why Does Oracle OCI Use AES256?

OCI and Autonomous Database primarily use:

AES256 + XTS Cipher Mode

because it provides:

  • Very strong encryption security
  • Industry-standard compliance
  • Efficient hardware acceleration
  • High performance with modern CPUs
  • Strong protection against storage-level attacks

What is AES?

AES stands for:

Advanced Encryption Standard

AES is a symmetric block cipher (128-bit blocks with 128-, 192- or 256-bit keys) standardised by NIST in FIPS 197 and used across:

  • Cloud providers
  • Banking systems
  • Government systems
  • Enterprise databases

Available AES Encryption Strengths in Oracle Database

Oracle Database supports multiple AES key sizes:

Algorithm Key Size Security Level
AES128 128-bit Strong
AES192 192-bit Very Strong
AES256 256-bit Maximum Enterprise Security

AES128 vs AES192 vs AES256

AES128

  • Fastest AES variant
  • Lower CPU overhead
  • Still considered secure
  • Often used in general applications

AES192

  • Balanced option between speed and security
  • Less commonly used
  • Higher cryptographic strength than AES128

AES256

  • Highest encryption strength
  • Preferred for enterprise databases
  • Used in OCI Autonomous Database
  • Recommended for sensitive data
  • Widely accepted for compliance requirements

Does Oracle Support Other Encryption Algorithms?

Yes. Oracle Database historically supported multiple encryption algorithms through TDE and Oracle Wallet technologies.

Some supported algorithms include:

Algorithm Description
AES128 128-bit AES encryption
AES192 192-bit AES encryption
AES256 256-bit AES encryption
3DES168 Triple DES encryption
ARIA128 Korean standard encryption algorithm
ARIA192 192-bit ARIA encryption
ARIA256 256-bit ARIA encryption
GOST256 Russian standard encryption algorithm
SEED128 Korean block cipher standard

Why Are Older Algorithms Rarely Used?

Modern cloud environments prefer AES because:

  • Better performance, with AES-NI and similar CPU instructions
  • Higher industry adoption and better security validation (FIPS 197, FIPS 140 validated modules)
  • Compliance acceptance

3DES has a 64-bit block size, which makes it vulnerable to birthday-bound attacks on large volumes of data (the weakness behind SWEET32), and NIST has disallowed it for new encryption since 2024. ARIA, SEED and GOST exist mainly for national-standard compliance. Keep tablespaces on AES256 and re-encrypt anything still on 3DES.


What is XTS Cipher Mode?

The output also shows:

CIPHERMODE = XTS

XTS Explained

XTS stands for:

XEX-based Tweaked CodeBook mode with CipherText Stealing

It is the mode designed for sector- or block-addressed storage (IEEE 1619, NIST SP 800-38E). Each 16-byte AES block is encrypted in an XEX construction with a tweak derived from the block's position, and AES256-XTS uses two 256-bit keys, one for the tweak and one for the data.

XTS provides:

  • Confidentiality per block without storing an IV for every block, because the tweak comes from the block address
  • Identical plaintext at different positions encrypts to different ciphertext, unlike ECB
  • Narrow malleability: tampering with ciphertext randomises only the 16-byte block it touches, which CBC does not guarantee
  • Random-access reads and in-place rewrites, which is what database storage needs

What XTS does not provide is integrity: it is not authenticated encryption, so modified ciphertext decrypts to garbage without any error. Detecting corruption is left to the database's block checksums, and detecting deliberate tampering is not a TDE goal at all, so access control and auditing around the files remain essential.

Why XTS is Better for Databases

Databases read and rewrite individual storage blocks continuously and at random. Chaining modes such as CBC need a fresh IV per block and let a one-bit change in one ciphertext block flip a predictable bit in the next plaintext block; neither property suits in-place block storage. XTS treats each block independently, keyed to its address.

XTS improves security for:

  • Tablespace files
  • Datafiles
  • ASM storage
  • Redo logs
  • Temporary files
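The XTS properties described above, demonstrated in runnable form as an added example (not Oracle's code and not from the original post). The 8-round Feistel "cipher" stands in for AES only so the script runs without a cryptography library; the XTS layer on top of it (tweak = E_K2(data-unit number), multiplied by alpha in GF(2^128) for each successive 16-byte block, XEX around every block) is the standard IEEE 1619 construction. Ciphertext stealing for partial blocks is omitted, and the keys and sample rows are constructed.

```python
"""XTS mode around a toy block cipher (added example; the Feistel network replaces AES)."""
import hashlib

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    # keyed pseudo-random function for the toy Feistel network
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    """16-byte permutation standing in for AES; NOT a real cipher."""
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return r + l


def toy_decrypt_block(key, block):
    l, r = block[8:], block[:8]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def _gf_double(t):
    """Multiply the tweak by alpha (x) in GF(2^128), little-endian, as IEEE 1619 specifies."""
    v = int.from_bytes(t, "little") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87  # reduce by x^128 + x^7 + x^2 + x + 1
    return v.to_bytes(16, "little")


def _xts(block_fn, key1, key2, unit, data):
    if len(data) % BLOCK:
        raise ValueError("whole 16-byte blocks only; ciphertext stealing omitted here")
    tweak = toy_encrypt_block(key2, unit.to_bytes(16, "little"))  # T = E_K2(unit)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += _xor(block_fn(key1, _xor(data[i:i + BLOCK], tweak)), tweak)  # XEX
        tweak = _gf_double(tweak)  # next block uses T * alpha^j
    return bytes(out)


def xts_encrypt(key1, key2, unit, plaintext):
    return _xts(toy_encrypt_block, key1, key2, unit, plaintext)


def xts_decrypt(key1, key2, unit, ciphertext):
    return _xts(toy_decrypt_block, key1, key2, unit, ciphertext)


K1, K2 = b"k1" * 16, b"k2" * 16   # two keys, as XTS-AES-256 needs two 256-bit keys
PT = b"SAME 16-BYTE ROW" * 4       # four identical database-style blocks (constructed)


def roundtrip_ok(unit=7):
    return xts_decrypt(K1, K2, unit, xts_encrypt(K1, K2, unit, PT)) == PT


def distinct_ciphertext_blocks(unit=7):
    """Identical plaintext blocks encrypt differently because each has its own tweak."""
    ct = xts_encrypt(K1, K2, unit, PT)
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})


def wrong_unit_garbles(unit=7):
    """Ciphertext copied to another data unit (block address) no longer decrypts."""
    ct = xts_encrypt(K1, K2, unit, PT)
    return xts_decrypt(K1, K2, unit + 1, ct) != PT


def tamper_blast_radius(flip_block=1, unit=7):
    """Flip one ciphertext bit and report which plaintext blocks survive.

    XTS confines the damage to one 16-byte block and raises no error: it is not
    authenticated encryption, so integrity must come from elsewhere."""
    ct = bytearray(xts_encrypt(K1, K2, unit, PT))
    ct[flip_block * BLOCK] ^= 0x01
    pt = xts_decrypt(K1, K2, unit, bytes(ct))
    return [pt[i:i + BLOCK] == PT[i:i + BLOCK] for i in range(0, len(PT), BLOCK)]


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok())
    print("distinct ciphertext blocks for 4 identical rows:", distinct_ciphertext_blocks())
    print("moved to another block address still decrypts:", not wrong_unit_garbles())
    print("blocks intact after flipping one bit in block 1:", tamper_blast_radius())
```

The last function is the caveat worth remembering when reading V$ENCRYPTED_TABLESPACES: a tampered datafile block decrypts silently to noise, so TDE answers "who can read the disk" and not "has the disk been modified".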

Understanding BLOCKS_ENCRYPTED and BLOCKS_DECRYPTED

Example:

BLOCKS_ENCRYPTED   BLOCKS_DECRYPTED
----------------   ----------------
107896             333437

These columns indicate:

  • How many blocks have been encrypted
  • How many encrypted blocks were later decrypted during access

Decryption happens automatically when Oracle reads encrypted data into memory. Applications never notice this process because TDE is transparent.


What is MASTERKEYID?

Example:

MASTERKEYID
-----------------------------------
F79629044E3C4F9ABFC5AEB94442C972

This identifies the TDE master encryption key currently protecting the tablespace. TDE uses two tiers of keys: each encrypted tablespace has its own tablespace key, which encrypts the data blocks, and that tablespace key is itself encrypted (wrapped) by the master key. Rotating the master key re-wraps the tablespace keys without re-encrypting the data, and the new key ID then appears in this column.

The master key never lives inside the database. It is held in a keystore:

  • Oracle Wallet (a software keystore on the database host)
  • OCI Vault (customer-managed keys, optionally HSM-backed)
  • An external key manager or hardware security module
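The following script is an added example and not code from the original post. It turns the three columns discussed above (ENCRYPTIONALG, CIPHERMODE, MASTERKEYID) into a check a DBA can run routinely: every encrypted tablespace should be on AES256/XTS, and all of them should be wrapped by the same master key. It assumes sqlplus on the PATH with "/ as sysdba" access and the column names the post shows; run it with TDE_LIVE=1 against a real database, otherwise it parses the constructed sample rows embedded in the script (the first key ID is the one from the post; the LEGACY_TS row is invented to exercise the checks).

```shell
#!/bin/sh
# Added example, not code from the original post. Audits V$ENCRYPTED_TABLESPACES:
# every encrypted tablespace should use AES256/XTS and share one master key.
# Assumptions (not on the page): sqlplus on the PATH with "/ as sysdba" access,
# and the column names the post shows (ENCRYPTIONALG, CIPHERMODE, MASTERKEYID).
# Set TDE_LIVE=1 to query a real database; otherwise the constructed sample is used.
set -eu

# SQL that prints one space-separated row per encrypted tablespace.
# V$ENCRYPTED_TABLESPACES carries only TS#, so V$TABLESPACE supplies the name.
tde_query() {
  cat <<'EOF'
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF LINESIZE 300
SELECT t.NAME || ' ' || e.ENCRYPTIONALG || ' ' || e.CIPHERMODE || ' ' ||
       e.MASTERKEYID || ' ' || e.BLOCKS_ENCRYPTED || ' ' || e.BLOCKS_DECRYPTED
  FROM V$ENCRYPTED_TABLESPACES e
  JOIN V$TABLESPACE t ON t.TS# = e.TS#;
EXIT
EOF
}

fetch_live_rows() {
  tde_query | sqlplus -S / as sysdba
}

# Constructed sample (not real output): the first key ID is the one shown in the
# post; the LEGACY_TS row (3DES168, CBC, a second key ID) is invented so that
# both checks below fire.
SAMPLE_ROWS='USERS AES256 XTS F79629044E3C4F9ABFC5AEB94442C972 107896 333437
DATA AES256 XTS F79629044E3C4F9ABFC5AEB94442C972 52011 90120
LEGACY_TS 3DES168 CBC 2B1C0F4E8A9D4C7B9E6F1D2A3B4C5D6E 1200 4500'

# tde_findings ROWS -> prints one finding per line:
#   WEAK <tablespace> <alg>/<mode>   for anything that is not AES256/XTS
#   MIXED_MASTER_KEYS <n>            if more than one MASTERKEYID is in use
# Exit status is 1 when there is anything to review, 0 otherwise.
tde_findings() {
  printf '%s\n' "$1" | awk '
    NF < 4 { next }
    $2 != "AES256" || $3 != "XTS" { print "WEAK " $1 " " $2 "/" $3; bad++ }
    !($4 in keys) { keys[$4] = 1; nkeys++ }
    END {
      if (nkeys > 1) { print "MIXED_MASTER_KEYS " nkeys; bad++ }
      exit (bad > 0 ? 1 : 0)
    }'
}

if [ "${TDE_LIVE:-0}" = "1" ]; then
  rows=$(fetch_live_rows)
else
  rows=$SAMPLE_ROWS
fi

if tde_findings "$rows"; then
  echo "OK: all encrypted tablespaces use AES256/XTS under one master key"
else
  echo "REVIEW: weak algorithm/mode or more than one master key in use"
fi
```

On the sample data the script reports the LEGACY_TS row as weak and notes that two master key IDs are in use. More than one MASTERKEYID across tablespaces usually means a master key rotation did not reach every tablespace (for example, one that was offline at the time) and is worth investigating before the old key is ever retired from the keystore.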

Encryption in Autonomous Database

Oracle Autonomous Database automatically enables:

  • Transparent Data Encryption (TDE)
  • Encrypted backups
  • Encrypted redo logs
  • Encrypted temporary tablespaces
  • Encrypted undo tablespaces

No manual encryption setup is usually required.


Benefits of Oracle Cloud Encryption

  • Automatic encryption by default
  • Strong AES256 protection
  • XTS cipher mode for storage security
  • Integrated key management
  • Compliance-ready architecture
  • Minimal application impact
  • Transparent encryption and decryption

Conclusion

The V$ENCRYPTED_TABLESPACES view shows that the Autonomous Database examined in this post, like OCI databases by default, uses:

AES256 encryption with XTS cipher mode

This combination provides enterprise-grade security for protecting database storage.

Although Oracle supports multiple encryption algorithms such as AES128, AES192, ARIA, GOST, and 3DES, modern Oracle Cloud environments primarily standardize on AES256 because of its:

  • Strong security
  • High performance
  • Industry acceptance
  • Compliance compatibility

Combined with Transparent Data Encryption (TDE), Oracle Cloud databases provide secure, automatic, and efficient encryption for modern enterprise workloads.

Getting Started with Oracle Cloud Shell in Oracle Cloud Infrastructure (OCI)

Oracle Cloud Infrastructure (OCI) provides a powerful browser-based terminal called Oracle Cloud Shell that allows administrators, developers, and cloud engineers to work directly from the OCI Console without installing any local tools.

Cloud Shell comes preconfigured with useful utilities such as:

  • OCI CLI
  • Terraform
  • Git
  • Kubectl
  • Python SDKs
  • Java SDKs
  • SQL tools
  • Linux utilities

This makes Oracle Cloud Shell one of the easiest ways to start managing Oracle Cloud resources.


Launching Oracle Cloud Shell

When Cloud Shell starts, you will see a welcome screen similar to the following:

Welcome to Oracle Cloud Shell.

Your Cloud Shell machine comes with 5GB of storage for your home directory.
Your Cloud Shell (machine and home directory) are located in: India West (Mumbai).

You are using Cloud Shell in tenancy karandodwal as OCI local user
karandodwal@gmail.com

Type `help` for more info.

Understanding the Welcome Message

1. Browser-Based Linux Terminal

Oracle Cloud Shell provides a fully functional Linux terminal directly inside the OCI web console. No SSH setup or local installation is required.


2. Persistent 5GB Storage

Your Cloud Shell machine comes with 5GB of storage for your home directory.

Oracle provides persistent storage for your home directory. This means:

  • Your scripts remain saved
  • Terraform files persist
  • Downloaded files remain available
  • Git repositories stay intact
  • OCI CLI configurations are preserved

Even after you close the browser session, your files remain available.


3. Region Information

Your Cloud Shell (machine and home directory) are located in:
India West (Mumbai)

The Cloud Shell environment runs in your OCI region. In this example, the Cloud Shell session is hosted in:

  • OCI Region: India West (Mumbai)
  • Region Identifier: ap-mumbai-1

This helps reduce latency when working with resources in the same region.


4. Tenancy and User Information

You are using Cloud Shell in tenancy karandodwal
as OCI local user karandodwal@gmail.com

This confirms:

  • The OCI tenancy being used
  • The authenticated OCI user
  • The identity under which OCI CLI commands will execute

Cloud Shell authenticates the OCI CLI with a short-lived delegation token tied to your console login, so there is no need to generate or upload an API signing key pair. Every command runs with exactly the IAM policies granted to that user and is attributed to that user in the OCI Audit service.


Cloud Shell Tutorial Prompt

When Cloud Shell launches for the first time, OCI may offer an interactive tutorial:

==================================================================

Welcome to the Oracle Cloud Shell Tutorial

Cloud Shell is a web-based terminal which includes many useful tools
including current versions of the OCI CLI and SDKs.

Would you like to run a tutorial to learn more about all the features
included in Cloud Shell? (Type N to quit) [Y|N] N

If you want to run it in the future you can just type cstutorial.

What is cstutorial?

Oracle provides a built-in interactive learning tutorial for Cloud Shell.

You can launch it anytime using:

cstutorial

The tutorial explains:

  • OCI CLI basics
  • File management
  • Cloud Shell features
  • Editor usage
  • Terminal customization
  • Working with OCI resources

Checking OCI CLI in Cloud Shell

One of the biggest advantages of Cloud Shell is that the OCI CLI is already installed and configured.

Running the command:

oci

displays the OCI CLI help menu:

karandodwa@cloudshell:~ (ap-mumbai-1)$ oci
Usage: oci [OPTIONS] COMMAND [ARGS]...

What is OCI CLI?

OCI CLI (Oracle Cloud Infrastructure Command Line Interface) is a tool that allows you to manage OCI services directly from the terminal.

Instead of using the web console, administrators can automate operations using scripts and commands.


OCI CLI Architecture

OCI CLI commands generally follow this structure:

oci <service> <resource> <action>

Example

oci iam user list --compartment-id <tenancy_ocid>

This command:

  • Uses the IAM service
  • Works with users
  • Performs the list action

IAM users belong to the tenancy (the root compartment), so the OCID passed here is the tenancy OCID; inside Cloud Shell it is available in the OCI_TENANCY environment variable.

Interactive OCI CLI Mode

OCI CLI supports an interactive mode that helps users with command completion and syntax guidance.

Example:

oci -i

This mode is very useful for beginners learning OCI CLI commands.


Important OCI CLI Options

These are global options and go between oci and the command they apply to.

Check OCI CLI Version

oci --version

Display Output in Table Format

oci iam region list --output table

Enable Debug Mode

oci --debug iam region list

Prints the signed HTTP requests and responses, which is the fastest way to diagnose authentication and authorization problems (OCI returns 404 NotAuthorizedOrNotFound for both a missing resource and a missing permission). Debug output includes request headers, so redact it before pasting it into a ticket.


Specify OCI Region

oci --region ap-mumbai-1 iam availability-domain list

Overrides the region from your configuration for a single command. Most resources are regional, so an unexpectedly empty list is often just the wrong region.


OCI CLI Services Available in Cloud Shell

The OCI CLI supports almost every Oracle Cloud service.

From the output, we can see major service categories such as:

  • Compute
  • Networking
  • Storage
  • Database
  • AI Services
  • Monitoring
  • Security
  • DevOps
  • Kubernetes
  • Load Balancing
  • Object Storage
  • Generative AI

Examples of OCI CLI Services

Service         Description
compute         Manage OCI Compute instances
network         Manage VCNs, subnets, gateways, route tables and security lists
os              Manage Object Storage namespaces, buckets and objects
db              Manage Oracle Database services
ce              Manage Kubernetes Engine (OKE) clusters; ce stands for container engine
vault           Manage OCI Vault secrets (vaults and keys live under oci kms)
logging         Manage OCI Logging
generative-ai   Manage OCI Generative AI services

Example OCI CLI Commands

List OCI Regions

oci iam region list

List Compartments

oci iam compartment list --compartment-id <tenancy_ocid> --all

List Compute Instances

oci compute instance list \
--compartment-id <compartment_ocid>

List Object Storage Buckets

oci os bucket list \
--compartment-id <compartment_ocid> \
--namespace-name <namespace>
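The script below is an added example and not code from the original post. It applies the oci <service> <resource> <action> pattern from the OCI CLI Architecture section to a check worth running from Cloud Shell on day one: list the tenancy's IAM users and report the active ones that have not activated MFA, since those are the console logins that still fall back to a password alone. It assumes a configured OCI CLI (true inside Cloud Shell) and an OCI_TENANCY variable holding the tenancy OCID (Cloud Shell exports it; set it yourself elsewhere). With OCI_LIVE=1 it queries the tenancy; otherwise it parses a constructed JSON sample shaped like the CLI's output, which is not real tenancy data.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists IAM users and reports the
# ACTIVE ones with MFA not activated. Assumptions (not on the page): the OCI CLI
# is configured (as in Cloud Shell) and OCI_TENANCY holds the tenancy OCID.
# Set OCI_LIVE=1 to query the tenancy; otherwise the constructed sample is parsed.
set -eu

# Constructed sample shaped like `oci iam user list` JSON (not real data). Keys
# appear in the alphabetical order the CLI emits, and tag maps are nested objects
# that the parser must not mistake for user fields.
SAMPLE_USERS='{
  "data": [
    {
      "defined-tags": {},
      "freeform-tags": {
        "name": "not-a-user-name"
      },
      "id": "ocid1.user.oc1..example1",
      "is-mfa-activated": true,
      "lifecycle-state": "ACTIVE",
      "name": "alice"
    },
    {
      "defined-tags": {},
      "freeform-tags": {},
      "id": "ocid1.user.oc1..example2",
      "is-mfa-activated": false,
      "lifecycle-state": "ACTIVE",
      "name": "svc-backup"
    },
    {
      "defined-tags": {},
      "freeform-tags": {},
      "id": "ocid1.user.oc1..example3",
      "is-mfa-activated": false,
      "lifecycle-state": "INACTIVE",
      "name": "old-contractor"
    }
  ]
}'

# users_without_mfa JSON -> names of ACTIVE users whose is-mfa-activated is
# false, one per line. Brace depth is tracked so that only keys directly inside
# a user object (depth 2) are read; keys inside tag maps (depth 3) are ignored.
users_without_mfa() {
  printf '%s\n' "$1" | awk '
    {
      opens  = gsub(/[{]/, "{")
      closes = gsub(/[}]/, "}")
      if (depth == 2) {
        v = $2; gsub(/[",]/, "", v)
        if ($1 == "\"name\":")             name  = v
        if ($1 == "\"is-mfa-activated\":") mfa   = v
        if ($1 == "\"lifecycle-state\":")  state = v
      }
      depth += opens - closes
      if (closes > opens && depth == 1) {
        if (state == "ACTIVE" && mfa == "false") print name
        name = ""; mfa = ""; state = ""
      }
    }'
}

if [ "${OCI_LIVE:-0}" = "1" ]; then
  users_json=$(oci iam user list --compartment-id "$OCI_TENANCY" --all)
else
  users_json=$SAMPLE_USERS
fi

echo "ACTIVE users without MFA:"
users_without_mfa "$users_json"
```

On the sample the only hit is svc-backup: alice has MFA and old-contractor is inactive. Once you trust the field names, the same filter can be pushed into the CLI itself with --query 'data[?"is-mfa-activated"==`false`].name', which uses the JMESPath syntax the --query option accepts; the awk version is kept here so the logic runs offline and is readable line by line.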

Why Use Oracle Cloud Shell?

1. No Local Installation

No need to install:

  • OCI CLI
  • Terraform
  • SDKs
  • kubectl

2. Pre-Authenticated Environment

Cloud Shell automatically authenticates to OCI using your logged-in OCI identity.


3. Accessible Anywhere

You only need:

  • A browser
  • OCI Console access

4. Ideal for Automation

Cloud Shell is excellent for:

  • Automation scripts
  • Terraform deployments
  • Kubernetes management
  • Database administration
  • OCI resource management

Cloud Shell for Database Administrators

Oracle Cloud Shell is extremely useful for DBAs working with:

  • Autonomous Database
  • Base Database Service
  • Exadata Cloud Service
  • Oracle Database@AWS
  • Oracle Database@Azure

DBAs can use OCI CLI to:

  • Create databases
  • Manage backups
  • Scale databases
  • Monitor resources
  • Automate administration tasks

Cloud Shell Security Benefits

  • No API signing keys to generate, copy around or leave on a laptop
  • Integrated OCI authentication through a short-lived delegation token
  • Runs inside Oracle Cloud Infrastructure and is reached over the console's TLS session
  • Browser-based access, so it inherits the console's login protections, including MFA where enforced
  • Temporary compute environment with persistent storage

Two points to keep in mind:

  • Cloud Shell carries the full privileges of the logged-in user. Use it from an account scoped by IAM policy to the work at hand rather than from a tenancy administrator out of habit.
  • The compute environment is ephemeral, but the 5GB home directory is not. Private keys, kubeconfig files, downloaded database wallets and tokens saved there survive between sessions, so treat that directory as you would credentials on a workstation and delete what you no longer need.

Conclusion

Oracle Cloud Shell provides a powerful and convenient way to manage Oracle Cloud Infrastructure directly from the browser.

With built-in OCI CLI, SDKs, Terraform, Kubernetes tools, and persistent storage, Cloud Shell eliminates the complexity of setting up local environments.

Whether you are a cloud administrator, developer, DevOps engineer, or DBA, Oracle Cloud Shell offers a secure and efficient environment for managing OCI resources and automating cloud operations.

Combined with OCI CLI support for hundreds of Oracle Cloud services, Cloud Shell becomes an essential productivity tool for modern cloud administration.