(Other Schedulers) Encrypting Portworx Volumes using Vault


Portworx Encrypted Volumes

Portworx has two different kinds of encrypted volumes:

  • Encrypted Volumes

Encrypted volumes are regular (non-shared) volumes; an encrypted volume can be attached to and accessed from only one node at a time.

  • Encrypted Shared Volumes

An encrypted shared volume allows the same encrypted volume to be accessed from multiple nodes at once.

Creating and using encrypted volumes

There are two ways to encrypt Portworx volumes. They differ only in how the secret passphrase is provided to Portworx: per volume, or once for the whole cluster.

Using per volume secret keys

To encrypt a volume with a specific secret key, you must provide that key on every create and attach command for that volume.

To create an encrypted volume using a specific secret through Portworx CLI, run the following command:

pxctl volume create --secure --secret_key key1 enc_vol
Encrypted volume successfully created: 374663852714325215

To create a shared encrypted volume run the following command:

pxctl volume create --shared --secret_key key1 --secure --size 10 enc_shared_vol
Encrypted Shared volume successfully created: 77957787758406722

To create an encrypted volume using a specific secret through docker, run the following command:

docker volume create -d pxd --name enc_vol --opt secure=true --opt secret_key=key1

To create an encrypted shared volume using a specific secret through docker, run the following command:

docker volume create -d pxd --name enc_shared_vol --opt shared=true --opt secure=true --opt secret_key=key1

To attach and mount an encrypted volume through docker, run the following command:

docker run --rm -it --volume-driver pxd -v secure=true,secret_key=key1,name=enc_vol:/mnt busybox

Important: Make sure a secret named key1 exists in Vault before running these commands. The value passed to secret_key is the name of the secret in Vault, not the passphrase itself; Portworx reads the passphrase from Vault.

Using cluster wide secret key

A cluster wide secret key is a single key that can be used to encrypt all of your volumes. You can set the cluster secret key with the following command:

pxctl secrets set-cluster-key
Enter cluster wide secret key: *****
Successfully set cluster secret key!

This command needs to be run only once for the cluster. If you have already added the cluster secret key through config.json, the above command overwrites it, and on subsequent Portworx restarts the cluster secret key in config.json is ignored in favor of the one set through the CLI.

The cluster wide secret key is a key/value pair whose value is the secret used as the passphrase for encrypting volumes. It is the default key: any volume created with --secure but without an explicit secret key is encrypted with it.

To create a volume using the cluster wide secret key, run the following command:

pxctl volume create --secure --size 10 encrypted_volume
Volume successfully created: 822124500500459627
pxctl volume list
ID                  NAME              SIZE    HA  SHARED  ENCRYPTED  IO_PRIORITY  SCALE  STATUS
822124500500459627  encrypted_volume  10 GiB  1   no      yes        LOW          1      up - detached

To create a shared encrypted volume using the cluster wide secret key, run the following command (the name must differ from the volume created above, since volume names are unique):

pxctl volume create --shared --secure --size 10 enc_shared_vol
Encrypted Shared volume successfully created: 77957787758406722

You can then attach and mount the encrypted volume:

pxctl host attach encrypted_volume
Volume successfully attached at: /dev/mapper/pxd-enc822124500500459627
pxctl host mount encrypted_volume /mnt
Volume encrypted_volume successfully mounted at /mnt

When using the cluster wide secret key, no secret key needs to be provided in any of the commands. When no secret key is given to a pxctl volume command, Portworx defaults to the cluster wide secret key if one has been set.

Important: Make sure the cluster wide secret key is set when you are setting up Portworx with Vault; otherwise a --secure create without --secret_key has no passphrase to use.
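The following shell helpers are an added example, not Portworx's own code, that wrap both procedures on this page (per-volume Vault key and cluster wide key) and add the check a practitioner wants before writing data: confirm from `pxctl volume list` that the volume really came up with ENCRYPTED=yes and that the attach path is the dm-crypt mapping under /dev/mapper/pxd-enc<ID>, not a plain pxd device. It assumes the column order shown on this page and that `pxctl` is on PATH when the generated commands are run; the list output embedded below is constructed sample data, not captured from a cluster.

```shell
#!/bin/sh
# Added example (not Portworx's own code). Helpers for creating encrypted
# Portworx volumes and verifying the result before use.
# Assumptions: `pxctl volume list` columns are
#   ID NAME SIZE HA SHARED ENCRYPTED IO_PRIORITY SCALE STATUS
# and encrypted attachments appear as /dev/mapper/pxd-enc<ID>, as on the page.

# Build the `pxctl volume create` command for an encrypted volume.
#   $1 = name, $2 = size in GiB, $3 = "shared" or "", $4 = Vault key name or ""
# An empty $4 omits --secret_key, so Portworx falls back to the cluster wide key.
# The command is printed rather than executed so it can be reviewed first
# (execute it with: eval "$(build_create_cmd ...)").
build_create_cmd() {
  cmd="pxctl volume create --secure --size $2"
  [ "$3" = "shared" ] && cmd="$cmd --shared"
  [ -n "$4" ] && cmd="$cmd --secret_key $4"
  printf '%s %s\n' "$cmd" "$1"
}

# Print the ENCRYPTED column ("yes"/"no") for volume $2 in list output $1.
# Returns 1 if the volume is not listed. The SIZE column ("10 GiB") splits
# into two whitespace fields, so columns are located relative to HA: the
# first purely numeric field followed by a yes/no field (SHARED).
encrypted_flag() {
  printf '%s\n' "$1" | awk -v name="$2" '
    NR > 1 && $2 == name {
      for (i = 3; i < NF; i++)
        if ($i ~ /^[0-9]+$/ && ($(i+1) == "yes" || $(i+1) == "no")) {
          print $(i+2); found = 1; exit
        }
    }
    END { if (!found) exit 1 }'
}

# Succeed only if an attach path is the Portworx dm-crypt mapping, i.e. the
# block device handed to mount is the encrypted layer, not a raw pxd device.
is_encrypted_attach_path() {
  case "$1" in
    /dev/mapper/pxd-enc[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create, verify and attach in one step. Needs a real pxctl; not run here.
# Refuses to continue if the volume is not encrypted or attached at a plain path.
create_verify_attach() { # $1 name, $2 size, $3 shared|"", $4 key|""
  eval "$(build_create_cmd "$1" "$2" "$3" "$4")" || return 1
  [ "$(encrypted_flag "$(pxctl volume list)" "$1")" = "yes" ] || {
    echo "refusing: $1 is not encrypted" >&2; return 1; }
  dev=$(pxctl host attach "$1" | sed -n 's/.*attached at: //p')
  is_encrypted_attach_path "$dev" || {
    echo "refusing: $1 attached at $dev, not a pxd-enc mapping" >&2; return 1; }
  echo "$dev"
}

# Constructed sample of `pxctl volume list` output (not captured from a cluster).
SAMPLE_LIST='ID                  NAME              SIZE    HA  SHARED  ENCRYPTED  IO_PRIORITY  SCALE  STATUS
822124500500459627  encrypted_volume  10 GiB  1   no      yes        LOW          1      up - detached
77957787758406722   enc_shared_vol    10 GiB  1   yes     yes        LOW          1      up - detached
111111111111111111  plain_volume      10 GiB  1   no      no         LOW          1      up - detached'

# Offline demonstration against the sample:
build_create_cmd enc_vol 10 "" key1          # per-volume Vault key
build_create_cmd enc_shared_vol 10 shared "" # shared, cluster wide key
encrypted_flag "$SAMPLE_LIST" encrypted_volume   # yes
encrypted_flag "$SAMPLE_LIST" plain_volume       # no
```

The `build_create_cmd` step prints rather than runs so that the exact command, including which key source it relies on, is visible before anything is created; `create_verify_attach` is the same flow wired to a live cluster and stops before a mount ever lands on an unencrypted device.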


Last edited: Friday, Jun 12, 2020