Version: 3.1

awskms-vol-enc

You can use one of the following methods to encrypt Portworx volumes with AWS KMS, depending on how you provide the secret password to Portworx:

Encrypt volumes using per volume secrets

Use per volume secrets to encrypt each volume with a different key. As a result, each volume uses its unique passphrase for encryption. Portworx relies on the AWS KMS APIs to generate a Data Encryption key.

  1. Create a volume. Enter the pxctl volume create command specifying the --secure flag with the name of your encrypted volume (this example uses enc_vol):

    pxctl volume create --secure enc_vol

Docker users:

  1. Enter the following command to create an encrypted volume named enc_vol:

    docker volume create --volume-driver pxd secure=true,name=enc_vol
  2. Enter the following command to attach and mount an encrypted volume:

    docker run --rm -it -v secure=true,name=enc_vol:/mnt busybox

Encrypt volumes using named secrets

You can use a named secret to specify the secret Portworx uses to encrypt and decrypt your volumes.

note

You cannot use named secrets to create a cloud backup of an encrypted volume or to migrate encrypted volumes between two different Portworx clusters.

  1. List your named secrets by running the following command:

    pxctl secrets aws list-secrets
  2. Generate a new AWS KMS data key and associate it with a unique name. Enter the following pxctl secrets aws generate-kms-data-key command, specifying the --secret_id flag with the name of the data key, which must be unique. This example uses my-unique-secret:

    pxctl secrets aws generate-kms-data-key --secret_id my-unique-secret
  3. Create a new encrypted volume. Enter the pxctl volume create command, specifying the following arguments:

    • --secure
    • --secret_key with the name of your named secret (this example uses my-unique-secret)
    • The name of the encrypted volume (this example uses enc_vol)
    pxctl volume create --secure --secret_key my-unique-secret enc_vol

    Docker users: Use the following command to create an encrypted volume named enc_vol:

    docker volume create --volume-driver pxd secret_key=my-unique-secret,name=enc_vol
  4. Attach your volume by entering the pxctl host attach command with the following arguments:

    • The name of your encrypted volume (this example uses enc_vol)
    • The --secret_key flag with the default value
    pxctl host attach enc_vol --secret_key default
    Volume successfully attached at: /dev/mapper/pxd-enc822124500500459627
  5. Mount the volume by entering the pxctl host mount command with the following parameters:

    • The name of your encrypted volume (this example uses enc_vol)
    • The mount point (this example uses mnt)
    pxctl host mount enc_vol /mnt
    Volume enc_vol successfully mounted at /mnt

    Docker users: To attach and mount an encrypted volume, enter the following command:

    docker run --rm -it -v secure=true,secret_key=my-unique-secret,name=enc_vol:/mnt busybox
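The named-secret procedure above (steps 1 to 5), scripted end to end as an added example. This is not Portworx's own tooling and does not appear on the original page. It assumes the pxctl subcommands exactly as shown in the steps, that `pxctl secrets aws list-secrets` prints each secret id as a separate word (used so a data key is not regenerated for an id that is already taken, since the id must be unique), and that `mountpoint` from util-linux is available on the host. The `PXCTL` variable is an assumption of this script, not a pxctl feature.

```shell
#!/usr/bin/env bash
# Added example, not Portworx code: runs the named-secret workflow with
# fail-fast semantics and a final mount check.
set -eu

# Assumption: the binary is reachable as "pxctl"; override PXCTL to point
# elsewhere (for instance at a test stub).
PXCTL="${PXCTL:-pxctl}"

# Secret ids and volume names are passed straight to the CLI, so restrict
# them to a conservative character set before using them.
px_validate_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 if the secret id already appears in the list-secrets output.
# Assumption: the listing prints each id as a whole word.
px_secret_exists() {
    local listing
    listing="$("$PXCTL" secrets aws list-secrets)"
    printf '%s\n' "$listing" | grep -qwF -- "$1"
}

# Usage: px_create_named_secret_volume SECRET_ID VOLUME MOUNT_POINT
px_create_named_secret_volume() {
    local secret="$1" vol="$2" mnt="$3"
    px_validate_name "$secret" || { echo "bad secret id: $secret" >&2; return 2; }
    px_validate_name "$vol"    || { echo "bad volume name: $vol" >&2; return 2; }

    # Step 2: generate the KMS data key only if the id is not already taken.
    if px_secret_exists "$secret"; then
        echo "secret $secret already exists; reusing it" >&2
    else
        "$PXCTL" secrets aws generate-kms-data-key --secret_id "$secret"
    fi

    # Step 3: encrypted volume bound to the named secret.
    "$PXCTL" volume create --secure --secret_key "$secret" "$vol"

    # Steps 4 and 5: attach and mount, with the same arguments as the page.
    "$PXCTL" host attach "$vol" --secret_key default
    "$PXCTL" host mount "$vol" "$mnt"

    # Do not report success unless something is really mounted there.
    mountpoint -q -- "$mnt" || { echo "$mnt is not a mount point" >&2; return 1; }
}
```

Run it as `px_create_named_secret_volume my-unique-secret enc_vol /mnt`; because every step is executed under `set -e`, a failing `generate-kms-data-key` or `volume create` stops the script before anything is attached or mounted.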

Encrypt volumes using a cluster-wide secret

Set the default cluster-wide secret, and use it to encrypt your volumes.

Starting with version 2.1, cluster-wide secrets have been deprecated. However, any volume encrypted with a cluster-wide secret can still be used in newer versions of Portworx.

You can use the following procedure to create new encrypted volumes using your existing cluster-wide secret:

  1. Generate a new AWS KMS data key and associate it with a unique name. Enter the following pxctl secrets aws generate-kms-data-key command, specifying the --secret_id flag with the name of the data key, which must be unique (this example uses my-unique-secret):

    pxctl secrets aws generate-kms-data-key --secret_id my-unique-secret
  2. Enter the pxctl secrets set-cluster-key command, specifying the name of your new KMS data key (this example uses my-unique-secret):

    pxctl secrets set-cluster-key my-unique-secret
  3. Create a new volume by following the steps in the Encrypt volumes using named secrets section.

note

You cannot use a cluster-wide secret to create a cloud backup of an encrypted volume or to migrate encrypted volumes between two different Portworx clusters.