Create encrypted PVCs
Volume encryption
This guide will give you an overview of how to use the encryption feature for Portworx volumes. Under the hood, Portworx uses the libgcrypt library to interface with the dm-crypt module for creating, accessing and managing encrypted devices. Portworx uses the LUKS format of dm-crypt and AES-256 as the cipher with xts-plain64 as the cipher mode.
All encrypted volumes are protected by a passphrase. Portworx uses this passphrase to encrypt the volume data at rest as well as in transit. It is recommended to store these passphrases in a secure secret store.
There are two ways in which you can provide the passphrase to Portworx:
-
Per volume secret: Use a unique secret for each encrypted volume
-
Cluster-wide secret: Use a default common secret for all encrypted volumes
Use the following steps to get started with encrypted PVCs
Step 1: Select a secrets provider
Select one of the following secret providers to store your passphrases. This passphrase will then be used for encrypting the PVCs. If you have already setup a secrets provider, goto Step 2
📄 IBM key management services
Instructions on using IBM Key Protect or HPCS with Portworx.
📄 AWS KMS
Instructions on using AWS KMS with Portworx(Secrets) with Portworx.
📄 Kubernetes Secrets
Instructions on using Kubernetes secrets with Portworx.
📄 Vault
Instructions on using Vault key management with Portworx.
📄 Vault Transit
Instructions on using Vault key management with Portworx.
📄 Google Cloud KMS
Instructions on using Google Cloud KMS with Portworx.
📄 Azure Key Vault
Instructions on using Azure key vault(Secrets) with Portworx.
Step 2: Select PVC encryption method
📄 Encrypting Kubernetes PVCs with AWS KMS
Instructions on using AWS KMS with Portworx for encrypting PVCs.
📄 Encrypting Kubernetes PVCs with IBM key management services
Instructions on using IBM key management services with Portworx for encrypting PVCs in Kubernetes.
📄 Encrypting Kubernetes PVCs with Google Cloud KMS
Instructions on using Google Cloud KMS with Portworx for encrypting PVCs.
📄 Encrypting PVCs using annotations with Kubernetes Secrets
Instructions on using Kubernetes Secrets with Portworx for encrypting PVCs using annotations.
📄 Encrypting PVCs using StorageClass with Kubernetes Secrets
Instructions on using Kubernetes Secrets with Portworx for encrypting PVCs using StorageClass.
📄 Encrypting PVCs using CSI and Kubernetes Secrets
Instructions on using Kubernetes Secrets with Portworx for encrypting PVCs on CSI using StorageClass.
📄 Encrypting Kubernetes PVCs with Vault
Instructions on using Vault with Portworx for encrypting PVCs in Kubernetes.
📄 Encrypting Kubernetes PVCs with Vault Transit
Instructions on using Vault Transit with Portworx for encrypting PVCs in Kubernetes.