Skip to main content
Version: 3.1

Shared content for all AWS-KMS secret docs - cluster wide intro

From Portworx version 2.1 support for cluster-wide secrets has been deprecated. If you have volumes (using cluster-wide secret) that were created using older Portworx versions, those volumes will still seamlessly work with newer Portworx versions.

However, if you wish to use your previous cluster-wide secret, then you will need to pass its name as shown in the previous Named secrets section.

For example,

Lets say your generated KMS data key was called portworx_secret and you had set it as a your cluster-wide secret using the command pxctl secrets set-cluster-key portworx_secret.

To create new volumes using that same secret you will need to follow the previous Named secret section and provide the name portworx_secret as show above.

Again, existing volumes created with cluster wide, will still work without providing portworx_secret.

note
  • For newer volumes if you do not provide any secret key, they will use per volume encryption and will NOT default to using cluster wide secret
  • This method for encrypting volumes is not supported when you want to take a cloud backup of an encrypted volume or migrate encrypted volumes between two different Portworx clusters.