Portworx can integrate with Azure Key Vault Secrets to store your encryption secrets, credentials or passwords. This guide will get a Portworx cluster connected to a Azure Key Vault. The Azure Key Vault could be used to store secrets that will be used for encrypting volumes.
Setting up Azure Key Vault
Peruse this section for help on setting up Azure Key Vault in your setup. You will also require to register and authenticate application with Azure Key Vault.
- Please follow doc to register application with azure active directory
- Please follow doc to grant Azure Key Vault permission to your registered app.
Portworx will need application that has Azure Key Vault
set/get/list/delete secrets permissions.
Following are the authentication details required by Portworx to connect Azure Key Vault -
AZURE_VAULT_URL: Azure Key Vault URL
AZURE_TENANT_ID: Azure Active Directory ID
AZURE_CLIENT_ID: Azure application ID which is registered with Azure active directory and has access to azure key vault mentioned in
AZURE_CLIENT_SECRET: Azure application secret id, you may need to generate one if not created already. Follow doc to generate new secret key for your application
AZURE_ENVIRONMENT(optional): Azure environment or az cloud list. Default cloud name is
You can retrieve the value of the
AZURE_ENVIRONMENT variable by entering the following command:
az account show | jq '.environmentName'
If you are installing Portworx on Kubernetes, when generating the Portworx Kubernetes spec file from the Portworx spec generator page in Portworx Central:
- Pass in all the above variables as is in the Environment Variables section.
Azure Key Vaultfrom the
Secrets Store Typelist under
To generate Portworx spec for Kubernetes, refer instructions, click here.
- Use argument
-secret_type azure-kv -cluster_secret_key <secret-id>when starting Portworx to specify the secret type as vault and the cluster-wide secret key.
-edocker option to expose the Azure Key Vault environment variables.
Based on your installation method provide the
-secret_type azure-kv input argument and environment variable and restart Portworx on all the nodes.
Portworx supports only the Azure KeyVault Secrets
Portworx does not support Azure KeyVault Keys soft/hard.
Setting cluster wide secret key
A cluster wide secret key is a common key that can be used to encrypt all your volumes. You can set the cluster secret key using the following command.
/opt/pwx/bin/pxctl secrets set-cluster-key --secret <cluster-wide-secret-key>
This command needs to be run just once for the cluster. If you have added the cluster secret key through the config.json, the above command will overwrite it. Even on subsequent Portworx restarts, the cluster secret key in config.json will be ignored for the one set through the CLI.
Make sure that the secret key has been created in Azure Key Vault Secrets.