This guide will give you an overview of how to use Encryption feature for Portworx volumes. Under the hood Portworx uses libgcrypt library to interface with the dm-crypt module for creating, accessing and managing encrypted devices. Portworx uses the LUKS format of dm-crypt and AES-256 as the cipher with xts-plain64 as the cipher mode.
All the encrypted volumes are protected by a key. Portworx uses a passphrase as a key to encrypt volumes. It is recommended to store these passphrases in a secure secret store. Currently Portworx integrates with following Secret endpoints
Vault To setup Portworx to work with a Vault endpoint follow these instructions
AWS KMS To setup Portworx to work with AWS KMS follow these instructions
Creating and using encrypted volumes
There are two ways in which Portworx volumes can be encrypted and are dependent on how a secret passphrase is provided to PX.
Using cluster wide secret key
Cluster wide secret key is basically a key value pair where the value part is the secret that is used as a passphrase for encrypting volumes. A cluster wide secret key is a common key that can be used to encrypt all your volumes.
Important: Make sure the cluster wide secret key is set when you are setting up Portworx with one of the supported secret endpoints
# /opt/pwx/bin/pxctl volume create --secure --size 10 encrypted_volume Volume successfully created: 822124500500459627 # /opt/pwx/bin/pxctl volume list ID NAME SIZE HA SHARED ENCRYPTED IO_PRIORITY SCALE STATUS 822124500500459627 encrypted_volume 10 GiB 1 no yes LOW 1 up - detached
You can attach and mount the encrypted volume
# /opt/pwx/bin/pxctl host attach encrypted_volume Volume successfully attached at: /dev/mapper/pxd-enc822124500500459627 # /opt/pwx/bin/pxctl host mount encrypted_volume /mnt Volume encrypted_volume successfully mounted at /mnt
We do not need to specify a secret key during create or attach of a volume as it will by default use the cluster wide secret key for encryption. However you can specify per volume keys which is explained in the next section.
Using per volume secret keys
You can encrypt volumes using different keys instead of the cluster wide secret key. However you need to specify the key for every create and attach commands.
# /opt/pwx/bin/pxctl volume create --secure --secret_key key1 enc_vol Volume successfully created: 374663852714325215 # /opt/pwx/bin/pxctl host attach --secret key1 enc_vol Volume successfully attached at: /dev/mapper/pxd-enc374663852714325215
Important: Make sure secret
key1 exists in the secret endpoint