awskms-vol-enc
You can use one of the following methods to encrypt Portworx volumes with AWS KMS, depending on how you provide the secret password to Portworx:
- Encrypt volumes using per volume secrets
- Encrypt volumes using named secrets
- Encrypt volumes using a cluster-wide secret
Encrypt volumes using per volume secrets
Use per volume secrets to encrypt each volume with a different key. As a result, each volume uses its own unique passphrase for encryption. Portworx relies on the AWS KMS APIs to generate a Data Encryption Key.
- Create a volume. Enter the pxctl volume create command, specifying the --secure flag and the name of your encrypted volume (this example uses enc_vol):
  pxctl volume create --secure enc_vol
Docker users:
- Enter the following command to create an encrypted volume named enc_vol:
  docker volume create --volume-driver pxd secure=true,name=enc_vol
- Enter the following command to attach and mount an encrypted volume:
  docker run --rm -it -v secure=true,name=enc_vol:/mnt busybox
Encrypt volumes using named secrets
You can use a named secret to specify the secret Portworx uses to encrypt and decrypt your volumes.
You cannot use named secrets to create a cloud backup of an encrypted volume or to migrate encrypted volumes between two different Portworx clusters.
- List your named secrets by running the following command:
  pxctl secrets aws list-secrets
- Generate a new AWS KMS data key and associate it with a unique name. Enter the pxctl secrets aws generate-kms-data-key command, specifying the --secret_id flag with the name of the data key, which must be unique (this example uses my-unique-secret):
  pxctl secrets aws generate-kms-data-key --secret_id my-unique-secret
- Create a new encrypted volume. Enter the pxctl volume create command, specifying the following arguments:
  - The --secure flag
  - The --secret_key flag with the name of your named secret (this example uses my-unique-secret)
  - The name of the encrypted volume (this example uses enc_vol)
  pxctl volume create --secure --secret_key my-unique-secret enc_vol
  Docker users: Use the following command to create an encrypted volume named enc_vol:
  docker volume create --volume-driver pxd secret_key=my-unique-secret,name=enc_vol
- Attach your volume by entering the pxctl host attach command with the following arguments:
  - The name of your encrypted volume (this example uses enc_vol)
  - The --secret_key flag with the value default
  pxctl host attach enc_vol --secret_key default
  Volume successfully attached at: /dev/mapper/pxd-enc822124500500459627
- Mount the volume by entering the pxctl host mount command with the following parameters:
  - The name of your encrypted volume (this example uses enc_vol)
  - The mount point (this example uses /mnt)
  pxctl host mount enc_vol /mnt
  Volume enc_vol successfully mounted at /mnt
  Docker users: To attach and mount an encrypted volume, enter the following command:
  docker run --rm -it -v secure=true,secret_key=my-unique-secret,name=enc_vol:/mnt busybox
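The named-secret procedure above, scripted end to end as an added example; this is not Portworx's own code. It assumes pxctl is on the PATH with the AWS KMS secrets backend already configured, and that the output of pxctl secrets aws list-secrets contains the ids of the secrets it knows (the page does not show that command's output), which is what the check that skips key generation for an already-existing id relies on. The volume-name guard is this script's own addition, and the attach step passes --secret_key default exactly as in the documented steps.

```shell
#!/bin/sh
# Added example, not from the Portworx documentation.
# Assumptions: pxctl is on PATH, the AWS KMS secrets backend is configured,
# and `pxctl secrets aws list-secrets` prints the ids of known secrets
# (assumed: the documentation page does not show that command's output).
set -eu

# Return 0 when a named secret with this id is already known to Portworx.
named_secret_exists() {
    pxctl secrets aws list-secrets | grep -qw -- "$1"
}

# Generate the AWS KMS data key only when no secret with this id exists yet,
# so re-running the script does not attempt to create a duplicate key.
ensure_named_secret() {
    secret_id=$1
    if named_secret_exists "$secret_id"; then
        echo "named secret $secret_id already exists, reusing it"
    else
        pxctl secrets aws generate-kms-data-key --secret_id "$secret_id"
    fi
}

# Create, attach and mount a volume encrypted with the named secret.
# Arguments: secret id, volume name, mount point.
create_encrypted_volume() {
    secret_id=$1
    vol=$2
    mnt=$3
    # Guard (this script's own check): refuse names that pxctl would parse
    # as a flag or that contain characters outside a conservative allowlist.
    case $vol in
        -*|'') echo "invalid volume name: '$vol'" >&2; return 1 ;;
        *[!A-Za-z0-9_-]*) echo "invalid volume name: '$vol'" >&2; return 1 ;;
    esac
    ensure_named_secret "$secret_id"
    pxctl volume create --secure --secret_key "$secret_id" "$vol"
    # The documented attach step passes --secret_key default.
    pxctl host attach "$vol" --secret_key default
    pxctl host mount "$vol" "$mnt"
}

# Usage: sh encrypt-named.sh my-unique-secret enc_vol /mnt
if [ "$#" -eq 3 ]; then
    create_encrypted_volume "$1" "$2" "$3"
fi
```

Because the script stops at the first failing pxctl command (set -e), a failed key generation never proceeds to create an unencrypted or mis-keyed volume, and the pre-check means a second run against the same secret id only creates, attaches and mounts the volume.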
Encrypt volumes using a cluster-wide secret
Set the default cluster-wide secret, and use it to encrypt your volumes.
Starting with version 2.1, cluster-wide secrets have been deprecated. However, any volume encrypted with a cluster-wide secret can still be used in newer versions of Portworx.
You can use the following procedure to create new encrypted volumes using your existing cluster-wide secret:
- Generate a new AWS KMS data key and associate it with a unique name. Enter the pxctl secrets aws generate-kms-data-key command, specifying the --secret_id flag with the name of the data key, which must be unique (this example uses my-unique-secret):
  pxctl secrets aws generate-kms-data-key --secret_id my-unique-secret
- Enter the pxctl secrets set-cluster-key command, specifying the name of your new KMS data key (this example uses my-unique-secret):
  pxctl secrets set-cluster-key my-unique-secret
- Create a new volume by following the steps in the Encrypt volumes using named secrets section.
You cannot use a cluster-wide secret to create a cloud backup of an encrypted volume or to migrate encrypted volumes between two different Portworx clusters.