Skip to main content
Version: 3.2

Kubernetes Secrets

Portworx can integrate with Kubernetes Secrets to store your encryption keys/secrets and credentials. These encryption keys or secrets also support encrypting data at rest. Moreover, Portworx can utilize Kubernetes Secrets to store credentials and encryption keys associated with your cloud provider services.

The instructions on this page guides you to configure Portworx with Kubernetes Secrets.

Set Kubernetes Secrets as the secrets store

While installing Portworx on Kubernetes using the StorageCluster spec via Portworx Central, select Kubernetes from the Secrets Store Type list under Advanced Settings. To know how to generate Portworx spec, see the Portworx Install section.

Create secrets with Kubernetes

The following section describes the key generation process with Portworx and Kubernetes which can be used for encrypting volumes.

Set cluster wide secret key

A cluster wide secret key is a common key that can be used to encrypt all your volumes. Create a cluster wide secret in Kubernetes using kubectl command. Use the same <px-namespace> namespace on which you've installed Portworx.

NAMESPACE=<px-namespace>
kubectl -n ${NAMESPACE} create secret generic px-vol-encryption \
--from-literal=<cluster-wide-secret-key>=<value>

This command creates a secret named px-vol-encryption within the namespace you specify as <px-namespace>. This secret stores your cluster-wide encryption key. Replace <value> with the value of your encryption key.

Provide the cluster wide secret key to Portworx, that acts as the default encryption key for all volumes.

PX_POD=$(kubectl get pods -l name=portworx -n <px-namespace> -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n ${NAMESPACE} -- /opt/pwx/bin/pxctl secrets set-cluster-key \
--secret <cluster-wide-secret-key>
note

The cluster wide key is the secret name where the encrypt key exists. It does not contain the value to encrypt.

Use Kubernetes Secrets with Portworx