ibm-key-protect-vol-enc
You can use one of the following methods to encrypt Portworx volumes with IBM Key Protect, depending on how you provide the secret password to Portworx:
Encrypt volumes using per volume secrets
Use per volume secrets to encrypt each volume with a different key. As a result, each volume uses its unique passphrase for encryption. Portworx uses IBM Key Protect APIs to generate a unique 256-bit passphrase.
Create a volume. Enter the pxctl volume create
command specifying the --secure
flag with the name of your encrypted volume (this example uses enc_vol
)
pxctl volume create --secure enc_vol
Docker users:
-
You can use the following command to create an encrypted volume named
enc_vol
:docker volume create --volume-driver pxd secure=true,name=enc_vol
-
To attach and mount an encrypted volume, enter the following command:
docker run --rm -it -v secure=true,name=enc_vol:/mnt busybox
Encrypt volumes using a cluster-wide secret
-
Set the cluster-wide secret key. Enter the following
pxctl secrets set-cluster-key
command specifying the--secret
parameter with your secret passphrase (this example usesmysecretpassphrase
):pxctl secrets set-cluster-key --secret mysecretpassphrase
Successfully set cluster secret key!
noteYou must set the cluster-wide secret only once. If you overwrite the cluster-wide secret, the volumes encrypted with the old secret will become unusable.
If you've specified your cluster wide secret key in the
config.json
file, thepxctl secrets set-cluster-key
command will overwrite it. Even if you restart your cluster, Portworx will use the key you passed as an argument to thepxctl secrets set-cluster-key
command. -
Create a new encrypted volume. Enter the
pxctl volume create
command, specifying the following arguments:--secure
--secret-key
with thedefault
value- the name of the encrypted volume (this example uses
enc_vol
)
pxctl volume create --secure --secret_key default enc_vol
Volume successfully created: 374663852714325215
Docker users: You can use the following example command to create an encrypted volume named
enc_vol
:docker volume create --volume-driver pxd secret_key=default,name=enc_vol
-
Enter the
pxctl volume list
command to list your volumes:pxctl volume list
ID NAME SIZE HA SHARED ENCRYPTED IO_PRIORITY SCALE STATUS
822124500500459627 enc_vol 10 GiB 1 no yes LOW 1 up - detached -
Attach your volume by entering the
pxctl host attach
command with the following arguments:- The name of your encrypted volume (this example uses
enc_vol
) - The
--secret-key
flag with thedefault
vaule
pxctl host attach enc_vol --secret_key default
Volume successfully attached at: /dev/mapper/pxd-enc822124500500459627
- The name of your encrypted volume (this example uses
-
Mount the volume by entering the
pxctl host mount
command with the following parameters:- The name of your encrypted volume (this example uses
enc_vol
) - The mount point (this example uses
mnt
)
pxctl host mount enc_vol /mnt
Volume enc_vol successfully mounted at /mnt
Docker users: Enter the following example command to attach and mount an encrypted volume:
docker run --rm -it -v secure=true,secret_key=default,name=enc_vol:/mnt busybox
- The name of your encrypted volume (this example uses
If you want to migrate encrypted volumes created through this method between two different Portworx clusters, then you must:
- Create a secret with the same name. You can use the
--secret-id
flag to specify the name of your secret, as shown in step 1. - Make sure you provide the same passphrase while generating the secret.