Encrypt PVCs in Rancher using StorageClass with Kubernetes Secrets
Portworx Encrypted Volumes
Portworx has two different kinds of encrypted volumes:
-
Encrypted Volumes
Encrypted volumes are regular volumes which can be accessed from only one node.
-
Encrypted Sharedv4 Volumes
Encrypted sharedv4 volume allows access to the same encrypted volume from multiple nodes.
Using a StorageClass parameter, you can tell Portworx to encrypt all PVCs created using that StorageClass. Portworx uses a cluster wide secret to encrypt all the volumes created using the secure StorageClass.
Step 1: Create cluster wide secret key
A cluster wide secret key is a common key that points to a secret value/passphrase which can be used to encrypt all your volumes.
Create a cluster wide secret in Kubernetes, if not already created:
kubectl -n portworx create secret generic px-vol-encryption \
--from-literal=cluster-wide-secret-key=<value>
Note that the cluster wide secret has to reside in the px-vol-encryption
secret under the portworx
namespace.
Now you have to give Portworx the cluster wide secret key, that acts as the default encryption key for all volumes.
PX_POD=$(kubectl get pods -l name=portworx -n <px-namespace> -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n <px-namespace> -- /opt/pwx/bin/pxctl secrets set-cluster-key \
--secret cluster-wide-secret-key
Step 2: Create a StorageClass
Create a storage class with the secure
parameter set to true
.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: px-secure-sc
provisioner: pxd.portworx.com
parameters:
secure: "true"
repl: "3"
To create a sharedv4 encrypted volume set the sharedv4
parameter to true
as well.
Step 3: Create Persistent Volume Claim
Create a PVC that uses the above px-secure-sc
storage class.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: secure-pvc
spec:
storageClassName: px-secure-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
Step 4: Verify the volume
Once the PVC has been created, verify the volume created in Portworx is encrypted:
PX_POD=$(kubectl get pods -l name=portworx -n <px-namespace> -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n <px-namespace> -- /opt/pwx/bin/pxctl volume list
ID NAME ... ENCRYPTED ...
10852605918962284 pvc-xxxxxxxx-xxxx-xxxx-xxxx-080027ee1df7 ... yes ...