Manage your secrets using pxctl
This section provides instructions for managing your authentication credentials and endpoints with the pxctl secrets command. Currently, pxctl provides support for the following secret store providers:
- AWS KMS
- Google Cloud KMS
- KVDB
With Portworx, secrets are neither stored locally nor displayed. Instead, the credentials are stored as part of the secret endpoint given to Portworx for persisting authentication across reboots. You can manage your secrets through the pxctl secrets command. To see the list of available sub-commands and flags, run:
pxctl secrets --help
Manage Secrets. Supported secret stores AWS KMS | Vault | DCOS Secrets | IBM Key Protect | Kubernetes Secrets | Google Cloud KMS
Usage:
pxctl secrets [flags]
pxctl secrets [command]
Available Commands:
aws AWS secret-endpoint commands
dump-cluster-wide-secret Dumps the cluster-wide secret and the associated key for this cluster.
gcloud Google Cloud KMS commands
ibm IBM Key Protect commands
kvdb kvdb secret-endpoint commands
set-cluster-key Sets an existing secret as a cluster-wide (default) secret to be used for volume encryption
upload-cluster-wide-secret Uploads the provided key and secret as a cluster-wide (default) secret.
Flags:
-h, --help help for secrets
Global Flags:
--ca string path to root certificate for ssl usage
--cert string path to client certificate for ssl usage
--color output with color coding
--config string config file (default is $HOME/.pxctl.yaml)
--context string context name that overrides the current auth context
-j, --json output in json
--key string path to client key for ssl usage
--output-type string use "wide" to show more details
--raw raw CLI output for instrumentation
--ssl ssl enabled for portworx
Use "pxctl secrets [command] --help" for more information about a command.
Before using the pxctl secrets command to manage your secrets, make sure you've configured a secret store provider. See the Secret store management page for more details.
To use encrypted volumes and ACLs, you need to ensure that Portworx is authenticated with the secrets endpoint.
AWS KMS
You can use the pxctl CLI tool to:
- Generate AWS KMS secrets
- List your AWS KMS secrets
Generate a secret
To generate a new KMS Data Key, run the pxctl secrets aws generate-kms-data-key command with the --secret_id flag as shown in the following example:
pxctl secrets aws generate-kms-data-key --secret_id mysecret
KMS Data Key successfully created.
List your AWS KMS secrets
You can list your AWS KMS secrets with:
pxctl secrets aws list-secrets
For more details on how to create data keys in AWS KMS and use them to encrypt your Portworx volumes, see the AWS KMS page.
Google Cloud KMS
With pxctl, you can create and list Google Cloud KMS secrets.
Create a new secret
You can create a new secret in Google Cloud KMS by running pxctl secrets gcloud create-secret with the following flags:
- --secret_id with the ID of the secret
- --passphrase with the secret passphrase Portworx will associate with that secret ID
As an example, here's how you can generate a new secret in Google Cloud KMS:
pxctl secrets gcloud create-secret --secret_id mysecret --passphrase mysecretpassphrase
Created secret with id: mysecret
This creates a new key-value pair mysecret=mysecretpassphrase. Portworx will use Google Cloud KMS to encrypt the passphrase mysecretpassphrase and store it in its internal metadata store. To use this passphrase for encrypting volumes, you have to provide the secret ID mysecret while creating/attaching the volume.
Known issue
Fixed in Portworx Enterprise version 2.10.1
- When the passphrase is over 200 bytes long, users might see the error
crypto/rsa: message too long for RSA public key size.
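The following shell wrapper is an added example (not Portworx's own tooling): it measures the passphrase in bytes and refuses anything over the 200-byte limit that triggers the error above on releases before 2.10.1, before handing the value to pxctl secrets gcloud create-secret. The limit constant and the stdin-based input are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of Portworx or pxctl. Guards the known
# "crypto/rsa: message too long for RSA public key size" failure by
# checking the passphrase length (in bytes) before calling pxctl.
set -euo pipefail

# Limit taken from the known issue for Portworx < 2.10.1 (assumption: exactly 200).
MAX_PASSPHRASE_BYTES=200

# Prints the byte length of $1. wc -c counts bytes, so multibyte
# UTF-8 characters are counted the way the KMS RSA wrapping sees them.
passphrase_bytes() {
  printf '%s' "$1" | wc -c | tr -d ' '
}

# Exit status 0 if the passphrase fits the limit, 1 otherwise.
passphrase_fits() {
  [ "$(passphrase_bytes "$1")" -le "$MAX_PASSPHRASE_BYTES" ]
}

# $1: secret ID. The passphrase is read from stdin (for example piped
# from a mode-0600 file) so it does not land in shell history.
create_gcloud_secret() {
  local secret_id=$1 passphrase
  IFS= read -r passphrase
  if ! passphrase_fits "$passphrase"; then
    echo "refusing: passphrase is $(passphrase_bytes "$passphrase") bytes," \
         "limit is $MAX_PASSPHRASE_BYTES" >&2
    return 1
  fi
  pxctl secrets gcloud create-secret --secret_id "$secret_id" --passphrase "$passphrase"
}

# Usage (requires a configured Google Cloud KMS secret store):
#   create_gcloud_secret mysecret < /path/to/passphrase.txt
```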
List existing secrets
To list your secrets, run:
pxctl secrets gcloud list-secrets
Kubernetes Secrets
To find out how to configure Portworx with Kubernetes Secrets, see the Kubernetes Secrets page.
Vault
To install and configure Vault, see the Vault install page.
For a step-by-step guide on how you can connect your Portworx cluster to a Vault endpoint and then use the Vault endpoint to store secrets, see the Vault page.
KVDB
You can use the pxctl CLI utility to store, list and retrieve KVDB secrets.
Store a secret
To store a secret in KVDB, run the pxctl secrets kvdb put-secret command and pass it the following flags:
- --secret_id with the ID of the secret
- --secret_value with the value of the secret
Here's an example:
pxctl secrets kvdb put-secret --secret_id my_secret_id --secret_value my_secret_value
Secret Put succeeded
List existing secrets
Use the following commands to list your secrets:
pxctl secrets kvdb list-secrets
Secret ID
my_secret_id
Retrieve a secret
You can retrieve a secret by running pxctl secrets kvdb get-secret with the --secret_id flag as follows:
pxctl secrets kvdb get-secret --secret_id my_secret_id
Secret: [my_secret_id]:[my_secret]
IBM Key Protect
You can use pxctl to list the IDs of your IBM Key Protect secrets by running the following command:
pxctl secrets ibm list-secrets
Set a cluster-wide key
To set an existing secret as the default cluster-wide secret for volume encryption, run the pxctl secrets set-cluster-key command and pass it the following flags:
- --secret with the secret ID of an existing secret
- --overwrite to overwrite the existing cluster-wide secret. Use this command with caution because any existing volumes encrypted with the old secret will be unusable.
The following example sets my_secret_id as the cluster-wide secret:
pxctl secrets set-cluster-key --secret my_secret_id
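Because --overwrite can strand volumes encrypted with the previous key, the following added example (not Portworx's own code) verifies that the secret ID actually appears in the pxctl secrets kvdb list-secrets output, using the listing format shown earlier on this page, and only passes --overwrite when the caller explicitly asks for it. It assumes KVDB is the configured secret store.

```shell
#!/usr/bin/env bash
# Added example, not part of Portworx or pxctl. Promotes a secret to the
# cluster-wide key only after confirming it exists, and treats --overwrite
# as an explicit opt-in because the old key's volumes become unusable.
set -euo pipefail

# $1: secret ID; stdin: output of `pxctl secrets kvdb list-secrets`.
# Skips the "Secret ID" header line and compares whole IDs, so
# "my_secret" does not accidentally match "my_secret_id".
secret_listed() {
  awk -v id="$1" 'NR > 1 && $1 == id { found = 1 } END { exit found ? 0 : 1 }'
}

# $1: secret ID; $2: "yes" to allow replacing an existing cluster key.
set_cluster_key_safely() {
  local secret_id=$1 overwrite=${2:-no}
  if ! pxctl secrets kvdb list-secrets | secret_listed "$secret_id"; then
    echo "secret '$secret_id' is not in the KVDB listing; refusing to set cluster key" >&2
    return 1
  fi
  if [ "$overwrite" = "yes" ]; then
    pxctl secrets set-cluster-key --secret "$secret_id" --overwrite
  else
    pxctl secrets set-cluster-key --secret "$secret_id"
  fi
}

# Usage (requires a configured KVDB secret store):
#   set_cluster_key_safely my_secret_id        # fails if a cluster key already exists
#   set_cluster_key_safely my_secret_id yes    # explicit overwrite
```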
Dump and upload cluster-wide secrets
See the dump and upload cluster-wide secrets page for details.