Version: 3.1

Portworx Encrypted Volumes

Portworx has two different kinds of encrypted volumes:

  • Encrypted Volumes

    Encrypted volumes are regular volumes that can be accessed from only one node.

  • Encrypted Sharedv4 Volumes

    Encrypted sharedv4 volumes allow access to the same encrypted volume from multiple nodes.

PVC-level encryption is configured using the following PVC annotations:

  • px/secure - Boolean that indicates whether or not to encrypt the PVC
  • px/secret-name - Name of the secret used to encrypt the PVC
  • px/secret-namespace - Namespace of the secret (Kubernetes Secrets only)
  • px/secret-key - Key to be used in the secret (Kubernetes Secrets only)

Encryption using the cluster-wide secret

Step 2: Create the secure PVC

If your Storage Class does not have the secure flag set, but you want to encrypt a PVC that uses that Storage Class, create the PVC as follows:

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: secure-pvc
  annotations:
    px/secure: "true"
spec:
  storageClassName: portworx-sc
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi

As there is no px/secret-name annotation specified, Portworx defaults to the cluster-wide secret to encrypt this PVC. If the cluster-wide secret is not set, volume creation fails until the key is set.

Conversely, if you want to use a Storage Class with the secure parameter set but do not want to encrypt a particular PVC, set the px/secure annotation on that PVC to "false".

Note:

If you are running a Kubernetes version older than 1.9.4 (or older than 1.8.9 in the Kubernetes 1.8 series), the PVC name must be in the format ns.<namespace_of_pvc>-name.<identifier_for_pvc> to use the PVC-level encryption feature.

Encryption using custom secret key

Kubernetes secrets

You can encrypt your PVC using a custom secret as follows:

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: secure-mysql-pvc
  annotations:
    px/secret-name: volume-secrets
    px/secret-namespace: portworx
    px/secret-key: mysql-pvc
spec:
  storageClassName: portworx-sc
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi

The encrypted PVC uses the key mysql-pvc from the Kubernetes secret volume-secrets in the portworx namespace. If that secret key is not present, volume creation fails until the key is created.

Of the annotations in the above PVC, only px/secret-name is mandatory:

  • If you do not specify px/secret-namespace, Portworx looks for the secret in the PVC's own namespace.
  • If you do not specify px/secret-key, Portworx looks for a key whose name matches the PVC name.

By default, Portworx has get and list permissions for Kubernetes secrets in all namespaces, so in the above example you can replace the px/secret-namespace annotation with whichever namespace holds the Kubernetes secret you created.
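The defaulting rules above (cluster-wide secret when px/secret-name is absent, PVC namespace and PVC name as fallbacks for px/secret-namespace and px/secret-key, px/secure overriding the Storage Class) are easy to get wrong in a manifest, and a mistake only shows up as a volume that fails to create. The following pre-apply check is an added example, not Portworx code: it resolves which secret and key a PVC manifest (given as a dict) would use and reports whether that key exists in a constructed inventory of secrets standing in for the cluster. It assumes that a px/secret-name annotation on its own enables encryption, as in the custom-secret example above.

```python
"""Pre-apply check: which secret a Portworx PVC would use for encryption, and whether it exists."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class EncryptionPlan:
    encrypted: bool
    secret_name: Optional[str] = None       # None with encrypted=True means the cluster-wide secret
    secret_namespace: Optional[str] = None
    secret_key: Optional[str] = None


def resolve_encryption(pvc: dict, storage_class_secure: bool) -> EncryptionPlan:
    """Apply the annotation defaulting rules from the page to one PVC manifest."""
    meta = pvc["metadata"]
    ann = meta.get("annotations") or {}
    pvc_ns, pvc_name = meta.get("namespace", "default"), meta["name"]
    secure = ann.get("px/secure")
    if secure is not None:                       # explicit px/secure wins over the Storage Class
        encrypted = secure.strip().lower() == "true"
    else:                                        # assumption: px/secret-name alone also enables it
        encrypted = storage_class_secure or "px/secret-name" in ann
    if not encrypted:
        return EncryptionPlan(encrypted=False)
    if "px/secret-name" not in ann:              # no secret named: the cluster-wide secret is used
        return EncryptionPlan(encrypted=True)
    return EncryptionPlan(
        encrypted=True,
        secret_name=ann["px/secret-name"],
        secret_namespace=ann.get("px/secret-namespace", pvc_ns),  # default: the PVC's namespace
        secret_key=ann.get("px/secret-key", pvc_name),            # default: the PVC's name
    )


# Constructed inventory, (namespace, secret name) -> keys present, standing in for the cluster.
Secrets = Dict[Tuple[str, str], Set[str]]


def check_plan(plan: EncryptionPlan, secrets: Secrets, cluster_wide_set: bool) -> List[str]:
    """Return the reasons volume creation would fail; an empty list means it would succeed."""
    if not plan.encrypted:
        return []
    if plan.secret_name is None:
        return [] if cluster_wide_set else ["cluster-wide secret is not set"]
    keys = secrets.get((plan.secret_namespace, plan.secret_name))
    if keys is None:
        return [f"secret {plan.secret_namespace}/{plan.secret_name} does not exist"]
    if plan.secret_key not in keys:
        return [f"key {plan.secret_key!r} missing in {plan.secret_namespace}/{plan.secret_name}"]
    return []
```

Run it against the two PVC manifests on this page to confirm that secure-pvc resolves to the cluster-wide secret and secure-mysql-pvc to portworx/volume-secrets, key mysql-pvc.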