Kubernetes Secrets in ARO
Portworx can use Kubernetes Secrets as its secrets store. The keys that Portworx uses to encrypt volume data at rest, and the credentials and keys for the cloud provider services Portworx integrates with, are then kept as Kubernetes Secret objects.
This page describes how to configure Portworx to use Kubernetes Secrets.
Set Kubernetes Secrets as the secrets store
While installing Portworx on Kubernetes using the StorageCluster spec via Portworx Central, select Kubernetes from the Secrets Store Type list under Advanced Settings. To know how to generate Portworx spec, see the Portworx Install section.
Create secrets with Kubernetes
This section describes how to create, as a Kubernetes Secret, the key that Portworx uses to encrypt volumes.
Set cluster wide secret key
A cluster wide secret key is a single key that Portworx uses to encrypt all of your volumes. Create it as a Kubernetes Secret with the oc command, in the same <px-namespace> namespace in which Portworx is installed:
NAMESPACE=<px-namespace>
oc -n ${NAMESPACE} create secret generic px-vol-encryption \
  --from-literal=<cluster-wide-secret-key>=<value>
This command creates a secret named px-vol-encryption in the namespace you specified as <px-namespace>. The secret holds your cluster-wide encryption key under the key name <cluster-wide-secret-key>; replace <value> with the key material itself. The secret name px-vol-encryption is not a placeholder.
Next, tell Portworx which key to use as the default encryption key for all volumes:
PX_POD=$(oc get pods -l name=portworx -n ${NAMESPACE} -o jsonpath='{.items[0].metadata.name}')
oc exec $PX_POD -n ${NAMESPACE} -- /opt/pwx/bin/pxctl secrets set-cluster-key \
  --secret <cluster-wide-secret-key>
The argument to --secret is the key name inside the px-vol-encryption secret (the <cluster-wide-secret-key> you used above), not the key's value. Portworx reads the value from the secret itself, so the key material is never passed to pxctl. Note that anyone who can read this secret in the Portworx namespace can recover the key, so restrict read access to it accordingly.
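The following script is an added example and is not part of the Portworx documentation or tooling. It carries out the two steps above end to end with a few practitioner checks: the key material comes from the kernel CSPRNG rather than a typed passphrase, it is supplied to oc with --from-file from a 0600 temporary file instead of --from-literal (which exposes the value in shell history and the process list), the key name is validated against the character set Kubernetes allows for Secret data keys, and the result is verified without printing the key. The default namespace "portworx" and key name "cluster-wide-secret-key" are assumptions; override them with the NAMESPACE and KEY_NAME environment variables. The steps that talk to the cluster run only when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example, not Portworx's own tooling. Creates the px-vol-encryption
# Secret with a random key, registers it with Portworx, and verifies it.
set -eu

NAMESPACE="${NAMESPACE:-portworx}"               # assumed <px-namespace>
KEY_NAME="${KEY_NAME:-cluster-wide-secret-key}"  # assumed <cluster-wide-secret-key>
SECRET_NAME="px-vol-encryption"                  # the name Portworx looks up

# Kubernetes Secret data keys must be 1-253 chars from [-._a-zA-Z0-9].
valid_key_name() {
  [ "${#1}" -gt 0 ] && [ "${#1}" -le 253 ] &&
    printf '%s' "$1" | grep -Eq '^[-._a-zA-Z0-9]+$'
}

# 32 bytes from /dev/urandom, base64-encoded: 44 characters, no newline.
gen_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

create_secret() {
  valid_key_name "$KEY_NAME" || { echo "invalid key name: $KEY_NAME" >&2; return 1; }
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  chmod 600 "$tmp"
  # printf '%s' keeps a trailing newline out of the key material.
  printf '%s' "$(gen_key)" > "$tmp"
  # --from-file reads the value from disk, so it never appears in argv.
  oc -n "$NAMESPACE" create secret generic "$SECRET_NAME" \
    --from-file="$KEY_NAME=$tmp"
  rm -f "$tmp"
}

set_cluster_key() {
  PX_POD=$(oc get pods -l name=portworx -n "$NAMESPACE" \
    -o jsonpath='{.items[0].metadata.name}')
  [ -n "$PX_POD" ] || { echo "no Portworx pod found in $NAMESPACE" >&2; return 1; }
  # Pass the key NAME only; Portworx looks the value up in px-vol-encryption.
  oc exec "$PX_POD" -n "$NAMESPACE" -- \
    /opt/pwx/bin/pxctl secrets set-cluster-key --secret "$KEY_NAME"
}

# Confirms the key exists under the expected name without printing its value.
verify_secret() {
  oc -n "$NAMESPACE" get secret "$SECRET_NAME" \
    -o jsonpath="{.data.$KEY_NAME}" | grep -q .
}

if [ "${1:-}" = "apply" ]; then
  create_secret
  set_cluster_key
  verify_secret && echo "cluster-wide key '$KEY_NAME' set in $NAMESPACE/$SECRET_NAME"
fi
```

Run it as `NAMESPACE=<px-namespace> sh create-px-key.sh apply`. Keep a copy of the generated key outside the cluster in your usual secrets management system: losing the px-vol-encryption secret means losing access to every volume encrypted with it.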
Use Kubernetes Secrets with Portworx
📄️ Encrypting PVCs using annotations with Kubernetes Secrets
Instructions on using Kubernetes Secrets with Portworx for encrypting PVCs using annotations
📄️ PVC Encryption with CSI and Kubernetes
Instructions on using Kubernetes Secrets with Portworx for encrypting PVCs on CSI using StorageClass
📄️ Encrypting PVCs using StorageClass with Kubernetes Secrets
Instructions on using Kubernetes Secrets with Portworx for encrypting PVCs using StorageClass