Version: 3.1


Portworx Encrypted Volumes

Portworx has two different kinds of encrypted volumes:

  • Encrypted Volumes

    Encrypted volumes are regular volumes which can be accessed from only one node.

  • Encrypted Sharedv4 Volumes

    An encrypted sharedv4 volume allows access to the same encrypted volume from multiple nodes.

Using a StorageClass parameter, you can tell Portworx to encrypt all PVCs created using that StorageClass. Portworx uses a cluster-wide secret to encrypt all the volumes created using the secure StorageClass.

Step 2: Create a StorageClass

Create a storage class with the secure parameter set to true.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: px-secure-sc
provisioner: pxd.portworx.com
parameters:
  secure: "true"
  repl: "3"

To create a sharedv4 encrypted volume, set the sharedv4 parameter to true as well.

Step 3: Create Persistent Volume Claim

Create a PVC that uses the above px-secure-sc storage class.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: secure-pvc
spec:
  storageClassName: px-secure-sc
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi

Step 4: Verify the volume

Once the PVC has been created, verify the volume created in Portworx is encrypted:

ID                 NAME                                      ...  ENCRYPTED  ...
10852605918962284  pvc-xxxxxxxx-xxxx-xxxx-xxxx-080027ee1df7  ...  yes        ...
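
To audit the StorageClass and PVC steps above across a whole cluster, the following added example (not part of the Portworx documentation or product) lists PVCs whose Portworx StorageClass does not set secure to "true". It assumes input in the shape of `kubectl get storageclass -o json` and `kubectl get pvc -A -o json`; the function names, the px-plain-sc and standard classes, and the sample objects are constructed for illustration.

```python
import json

PX_PROVISIONER = "pxd.portworx.com"  # provisioner name used on this page


def insecure_px_classes(sc_list):
    """Names of Portworx StorageClasses whose `secure` parameter is not "true"."""
    bad = set()
    for sc in sc_list.get("items", []):
        if sc.get("provisioner") != PX_PROVISIONER:
            continue  # other provisioners are out of scope for this check
        params = sc.get("parameters") or {}
        # StorageClass parameters are strings, so compare against the
        # quoted value the page uses rather than a boolean.
        if params.get("secure") != "true":
            bad.add(sc["metadata"]["name"])
    return bad


def unencrypted_claims(sc_list, pvc_list):
    """Sorted (namespace, pvc, storageclass) tuples for PVCs on an insecure class."""
    bad = insecure_px_classes(sc_list)
    hits = []
    for pvc in pvc_list.get("items", []):
        sc_name = pvc.get("spec", {}).get("storageClassName")
        if sc_name in bad:
            meta = pvc["metadata"]
            hits.append((meta.get("namespace", "default"), meta["name"], sc_name))
    return sorted(hits)


# Constructed sample input, not captured from a real cluster.
SAMPLE_SC = json.loads("""{"items": [
 {"metadata": {"name": "px-secure-sc"}, "provisioner": "pxd.portworx.com",
  "parameters": {"secure": "true", "repl": "3"}},
 {"metadata": {"name": "px-plain-sc"}, "provisioner": "pxd.portworx.com",
  "parameters": {"repl": "3"}},
 {"metadata": {"name": "standard"}, "provisioner": "example.com/other"}]}""")
SAMPLE_PVC = json.loads("""{"items": [
 {"metadata": {"name": "secure-pvc", "namespace": "default"},
  "spec": {"storageClassName": "px-secure-sc"}},
 {"metadata": {"name": "scratch-pvc", "namespace": "dev"},
  "spec": {"storageClassName": "px-plain-sc"}},
 {"metadata": {"name": "other-pvc", "namespace": "dev"},
  "spec": {"storageClassName": "standard"}}]}""")

if __name__ == "__main__":
    for ns, name, sc in unencrypted_claims(SAMPLE_SC, SAMPLE_PVC):
        print(f"{ns}/{name} uses {sc} without secure=\"true\"")
```

The check only inspects the StorageClass parameter shown on this page; the ENCRYPTED column in Step 4 remains the authoritative confirmation for an individual volume.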