Encrypting Kubernetes PVCs with Vault Transit
Portworx Encrypted Volumes
Portworx has two different kinds of encrypted volumes:
Encrypted Volumes
Encrypted volumes are regular volumes which can be accessed from only one node.
Encrypted Sharedv4 Volumes
Encrypted sharedv4 volume allows access to the same encrypted volume from multiple nodes.
Encryption using StorageClass
In this method, each volume will use its own unique passphrase for encryption. Portworx relies on vault transit secrets engine to generate a Data Encryption Key. This key will then be used to encrypt and decrypt your volumes.
Step 1: Create a StorageClass
Create a storage class with the secure parameter set to true.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: px-secure-sc
provisioner: kubernetes.io/portworx-volume
parameters:
secure: "true"
repl: "3"
To create a sharedv4 encrypted volume set the sharedv4 parameter to true as well.
Step 2: Create a PVC
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: secure-mysql-pvc
spec:
storageClassName: px-secure-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
If you do not want to specify the secure flag in the StorageClass, but you want to encrypt the PVC using that StorageClass, then create the PVC as below:
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: secure-pvc
annotations:
px/secure: "true"
spec:
storageClassName: portworx-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
Encryption using PVC annotations with Vault Namespaces
If you have Vault Namespaces enabled and your secret resides inside a specific namespace, you must provide the name of that namespace and the secret key to Portworx.
Step 1: Create a StorageClass
Create a storage class with the secure parameter set to true.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: px-secure-sc
provisioner: kubernetes.io/portworx-volume
parameters:
secure: "true"
repl: "3"
To create a sharedv4 encrypted volume set the sharedv4 parameter to true as well.
Step 2: Create a PVC with annotations
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: secure-mysql-pvc
annotations:
px/vault-namespace: <your-vault-namesapce>
spec:
storageClassName: px-secure-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
The PVC requires an extra annotation px/vault-namespace to indicate the Vault namespace where the secret key resides. If your key resides in the global vault namespace
set in Portworx using the parameter VAULT_NAMESPACE, you don't need to specify this annotation. However if the key resides in any other namespace then this annotation is
required.
Encryption using PVC annotations with cluster wide secrets
Step 1: Create cluster wide secret
A cluster wide secret key is a common key that can be used to encrypt all your volumes. This common key needs to be pre-created in your KMS provider. You can set the cluster secret key using the following command:
pxctl secrets set-cluster-key
Enter cluster wide secret key: *****
Successfully set cluster secret key!
In the above prompt you need to enter the secret key that you created in your KMS. This command needs to be run just once for the cluster.
Step 2: Create a StorageClass
Create a storage class with the secure parameter set to true.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: px-secure-sc
provisioner: kubernetes.io/portworx-volume
parameters:
secure: "true"
repl: "3"
To create a sharedv4 encrypted volume set the sharedv4 parameter to true as well.
Step 3: Create a PVC with annotations
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: secure-mysql-pvc
annotations:
px/secret-name: default
spec:
storageClassName: px-secure-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
Portworx only allows default key for px/secret-name annotation for cluster wide secrets