Creating and using encrypted volumes

Portworx volumes can be encrypted in two ways, depending on how the secret passphrase is provided to PX.

Using per volume secret keys

To encrypt a volume with a specific secret key, you must provide that key on every create and attach command for the volume.

To create an encrypted volume using a specific secret through the Portworx CLI, run the following command:

# /opt/pwx/bin/pxctl volume create --secure --secret_key key1 enc_vol
Encrypted volume successfully created: 374663852714325215

To create a shared encrypted volume, run the following command:

# /opt/pwx/bin/pxctl volume create --shared --secret_key key1 --secure --size 10 enc_shared_vol
Encrypted Shared volume successfully created: 77957787758406722

To create an encrypted volume using a specific secret through docker, run the following command (docker volume create takes the driver with --driver and driver options with --opt; --volume-driver is a docker run flag):

# docker volume create --driver pxd --opt secret_key=key1 enc_vol

To create an encrypted shared volume using a specific secret through docker, run the following command:

# docker volume create --driver pxd --opt shared=true --opt secret_key=key1 enc_shared_vol

To attach and mount an encrypted volume through docker, run the following command (the inline volume spec in -v is parsed by the pxd driver, so --volume-driver pxd is required):

# docker run --rm -it --volume-driver pxd -v secure=true,secret_key=key1,name=enc_vol:/mnt busybox

Important: Make sure the secret key1 has been set in DCOS Secrets before running these commands.

Using a cluster-wide secret key

Follow this guide to set up a cluster-wide secret key.

A cluster-wide secret key is a key-value pair whose value is the passphrase PX uses to encrypt volumes. It is the default key and can be used to encrypt all volumes that are created without a per-volume secret key.

To create a volume using the cluster-wide secret key, run the following command:

# /opt/pwx/bin/pxctl volume create --secure --size 10 encrypted_volume
Volume successfully created: 822124500500459627
# /opt/pwx/bin/pxctl volume list
ID                   NAME              SIZE    HA  SHARED  ENCRYPTED  IO_PRIORITY  SCALE  STATUS
822124500500459627   encrypted_volume  10 GiB  1   no      yes        LOW          1      up - detached

To create a shared encrypted volume using the cluster-wide secret key, run the following command:

# /opt/pwx/bin/pxctl volume create --shared --secure --size 10 encrypted_volume
Encrypted Shared volume successfully created: 77957787758406722

You can then attach and mount the encrypted volume:

# /opt/pwx/bin/pxctl host attach encrypted_volume
Volume successfully attached at: /dev/mapper/pxd-enc822124500500459627
# /opt/pwx/bin/pxctl host mount encrypted_volume /mnt
Volume encrypted_volume successfully mounted at /mnt

When a cluster-wide secret key is used, no secret key needs to be provided in any of the commands: when a pxctl volume command is run without a secret key, PX defaults to the cluster-wide secret key if one is set.
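Because a volume created without --secure is a plain volume with the same name syntax and mount path as an encrypted one, a script that mounts sensitive data should confirm that the volume is actually reported as ENCRYPTED before attaching it. The following POSIX shell functions do that by reading the ENCRYPTED column of pxctl volume list output. This is an added example, not part of the Portworx documentation: the pxctl path is the one used on this page, the sample listing is constructed from the table above (the plain_vol row and its ID are made up), and safe_mount is a hypothetical wrapper around the attach and mount commands shown above.

```shell
#!/bin/sh
# Added example (not Portworx's own code): refuse to mount a volume unless
# `pxctl volume list` reports it as ENCRYPTED=yes.

# Assumption: pxctl lives where this page installs it.
PXCTL="${PXCTL:-/opt/pwx/bin/pxctl}"

# Constructed sample of `pxctl volume list` output, built from the table on this
# page; the plain_vol row and its ID are invented for the negative case.
SAMPLE_LIST='ID                   NAME              SIZE    HA  SHARED  ENCRYPTED  IO_PRIORITY  SCALE  STATUS
822124500500459627   encrypted_volume  10 GiB  1   no      yes        LOW          1      up - detached
77957787758406722    enc_shared_vol    10 GiB  1   yes     yes        LOW          1      up - detached
123456789012345678   plain_vol         10 GiB  1   no      no         LOW          1      up - detached'

# volume_encrypted NAME LIST_OUTPUT
# Exit status: 0 = listed with ENCRYPTED=yes, 1 = listed but not encrypted,
# 2 = no volume with that name in the listing.
# The column offset of ENCRYPTED is taken from the header line, because SIZE
# ("10 GiB") and STATUS ("up - detached") contain spaces and break plain
# whitespace field counting.
volume_encrypted() {
    name=$1
    enc=$(printf '%s\n' "$2" | awk -v n="$name" '
        NR == 1 { pos = index($0, "ENCRYPTED"); next }          # header: column offset
        $2 == n { split(substr($0, pos), f, " "); print f[1]; found = 1; exit }
        END { if (!found) exit 2 }')
    rc=$?
    [ "$rc" -eq 0 ] || return 2
    [ "$enc" = "yes" ] && return 0
    return 1
}

# safe_mount NAME MOUNTPOINT (hypothetical wrapper): attach and mount the volume
# with the pxctl commands from this page only after the encryption check passes.
safe_mount() {
    name=$1
    mnt=$2
    if volume_encrypted "$name" "$("$PXCTL" volume list)"; then
        "$PXCTL" host attach "$name" && "$PXCTL" host mount "$name" "$mnt"
    else
        echo "refusing to mount $name: not listed as an encrypted volume" >&2
        return 1
    fi
}
```

Run volume_encrypted against the real listing with `volume_encrypted enc_vol "$("$PXCTL" volume list)"`; the three exit codes let a deployment script distinguish "not encrypted" from "does not exist yet", so it can create the volume with --secure in the second case instead of silently mounting a plain one.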

Important: Make sure the cluster-wide secret key is set when you set up Portworx with DCOS Secrets.