Encrypt Portworx Volumes
This guide will give you an overview of how to use the encryption feature for Portworx volumes. Under the hood, Portworx uses the libgcrypt
library to interface with the dm-crypt
module for creating, accessing and managing encrypted devices. Portworx uses the LUKS
format of dm-crypt
and AES-256
as the cipher with xts-plain64
as the cipher mode.
All encrypted volumes are protected by a passphrase. Portworx uses this passphrase to encrypt the volume data at rest as well as in transit. It is recommended to store these passphrases in a secure secret store.
There are two ways in which you can provide the passphrase to Portworx:
- Per volume secret: Use a unique secret for each encrypted volume
- Cluster-wide secret: Use a default common secret for all encrypted volumes
Depending on your choice of secret provider, follow the instructions to first configure a secret store with Portworx Enterprise to store your passphrases, and then encrypt the PVCs by using the secrets and passphrases.
Secret Provider | Step 1: Set Up a Secret Store | Step 2: Encrypt Volumes Using Secrets |
---|---|---|
IBM key management services | Set Up IBM key management services | |
AWS KMS | Set up AWS KMS | |
Kubernetes Secrets | Set up Kubernetes Secrets | |
Vault | Set up Vault | |
Vault Transit | Set Up Vault Transit | |
Google Cloud KMS | Set up Google Cloud KMS |
You can also set up Azure Key Vault to support volume encryption, similar to other secret providers. However, encryption using named secrets is not supported with Azure Key Vault. For information about setting up Azure Key Vault for volume encryption, Set up Azure Key Vault.
To encrypt volumes, follow the steps in Encrypting Kubernetes PVCs with Google Cloud KMS. Note that the "Encryption using named secrets" option is not supported with Azure Key Vault.