Vault Transit
Portworx can be integrated with Vault Transit to encrypt volumes. This page shows how to connect a Portworx cluster to a Vault development server and enable Vault Transit, which can then be used to store the secrets that encrypt volumes.
What is Vault Transit?
Vault Transit manages key generation for encrypting data in transit. With Vault Transit, you do not need to set a cluster-wide secret to encrypt volumes and PVCs. By default, Portworx uses keys generated by Vault Transit as the passphrase for volume encryption.
Prerequisites
Configure Vault Transit environment
- Run the following command to enable the Transit secrets engine:
vault secrets enable transit
- If you configured Vault strictly with policies, then the Vault Transit token provided to Portworx must be granted the following policy:
# Enable transit secrets engine
path "sys/mounts/transit" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# To read enabled secrets engines
path "sys/mounts" {
  capabilities = [ "read" ]
}

# Manage the transit secrets engine
path "transit/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Read and List capabilities on mount to determine which version of kv backend is supported
path "sys/mounts/*" {
  capabilities = ["read", "list"]
}

# V1 backends (Using default backend)
# Provide full access to the portworx subkey
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# V1 backends (Using custom backend)
# Provide full access to the portworx subkey
# Provide -> VAULT_BACKEND_PATH=custom-backend (required)
path "custom-backend/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# V2 backends (Using default backend)
# Provide full access to the data/portworx subkey
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# V2 backends (Using custom backend)
# Provide full access to the data/portworx subkey
# Provide -> VAULT_BACKEND_PATH=custom-backend (required)
path "custom-backend/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
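A policy that is too narrow fails silently at runtime, and one that is too broad hands the Portworx token more of Vault than it needs. The script below is an added example, not Portworx or Vault code: it parses the `path "..." { capabilities = [...] }` rules of a policy like the one above, resolves each path Portworx needs the way Vault does (exact rule first, otherwise the longest matching trailing-`*` glob), and reports missing capabilities as well as grants that are broader than the page calls for. It assumes the default KV v2 backend (`secret/data/portworx`) and the default key name `pwx-encryption-key`; Vault's `+` segment wildcard is not modelled.

```python
import re

# Condensed copy of the policy from this page (comments dropped, default KV v2
# backend kept). It is the "known good" input for the checker below.
PAGE_POLICY = '''
path "sys/mounts/transit" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "sys/mounts" {
  capabilities = [ "read" ]
}
path "transit/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "sys/mounts/*" {
  capabilities = ["read", "list"]
}
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''

FULL = {"create", "read", "update", "delete", "list"}

# Concrete paths Portworx must reach and the capabilities the page grants there.
# Assumptions: default KV v2 backend, default transit key name pwx-encryption-key.
REQUIRED_GRANTS = {
    "sys/mounts/transit": FULL,
    "sys/mounts": {"read"},
    "transit/keys/pwx-encryption-key": FULL,
    "secret/data/portworx": FULL,
}

_RULE_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}',
    re.S,
)


def parse_policy(text):
    """Return {path: set(capabilities)} from an HCL policy; '#' comments are dropped."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = {}
    for m in _RULE_RE.finditer(stripped):
        caps = {c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()}
        rules[m.group("path")] = caps
    return rules


def matching_rule(rules, path):
    """Vault-style resolution: exact rule wins, else the longest trailing-* glob prefix.
    Only the trailing '*' glob is modelled here (the '+' segment wildcard is not)."""
    if path in rules:
        return path
    best = None
    for rule in rules:
        if rule.endswith("*") and path.startswith(rule[:-1]):
            if best is None or len(rule) > len(best):
                best = rule
    return best


def check_policy(text, required=REQUIRED_GRANTS):
    """List findings: paths Portworx cannot reach, capabilities missing on them,
    and rules broader than the page's policy ('*' path, or sudo/root capability)."""
    rules = parse_policy(text)
    findings = []
    for path, needed in required.items():
        rule = matching_rule(rules, path)
        if rule is None:
            findings.append(f"{path}: no rule grants access")
            continue
        missing = needed - rules[rule]
        if missing:
            findings.append(f"{path}: rule {rule!r} lacks {sorted(missing)}")
    for rule, caps in rules.items():
        if rule == "*" or caps & {"sudo", "root"}:
            findings.append(f"{rule!r}: broader than Portworx needs ({sorted(caps)})")
    return findings


if __name__ == "__main__":
    print("page policy:", check_policy(PAGE_POLICY) or "OK")
    print("read-only transit:", check_policy('path "transit/*" { capabilities = ["read"] }'))
```

Run it against the policy you intend to attach to the token before issuing it; an empty result for the page's policy and a non-empty one for a read-only or `path "*"` policy is what you should see. If you use a custom KV backend, replace the `secret/data/portworx` entry with the `VAULT_BACKEND_PATH` you configured.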
Set the Vault Transit secrets engine for Portworx
Depending on whether you are performing a fresh install or modifying an existing installation, proceed to one of the following sections.
New Installation
When generating the Portworx specification file, select Vault Transit from the Secrets Store Type dropdown menu of Advanced Settings on the Customize tab.
Existing Installation
Edit the StorageCluster object by setting the value of the spec.secretsProvider field to vault-transit:
spec:
  secretsProvider: vault-transit
Editing the Operator spec restarts all Portworx pods.
Authenticate Portworx
Use one of the supported methods to authenticate Portworx with Vault Transit.
(Optional) Customize the key path
Vault Transit generates the keys by writing to a transit key path. For example:
$ vault write -f transit/keys/my-key
Success! Data written to: transit/keys/my-key
By default, Portworx uses the transit key path pwx-encryption-key (full path: transit/keys/pwx-encryption-key) for key generation. To use a custom Vault Transit key path, provide the base64-encoded value in the px-vault Secret under the VAULT_ENCRYPTION_KEY field.
apiVersion: v1
kind: Secret
metadata:
  name: px-vault
  namespace: portworx
type: Opaque
data:
  VAULT_ADDR: (required)<base64 encoded value of the vault endpoint address>
  VAULT_TOKEN: (required)<base64 encoded value of the vault token>
  VAULT_CACERT: (recommended)<base64 encoded file path where the CA Certificate is present on all the nodes>
  VAULT_CAPATH: (recommended)<base64 encoded file path where the Certificate Authority is present on all the nodes>
  VAULT_CLIENT_CERT: (recommended)<base64 encoded file path where the Client Certificate is present on all the nodes>
  VAULT_CLIENT_KEY: (recommended)<base64 encoded file path where the Client Key is present on all the nodes>
  VAULT_TLS_SERVER_NAME: (recommended)<base64 encoded value of the TLS server name>
  VAULT_ENCRYPTION_KEY: (optional)<base64 encoded value of the transit key path for portworx>
  VAULT_NAMESPACE: (optional)<base64 encoded value of the global vault namespace for portworx>
Portworx does not recommend changing the value of VAULT_ENCRYPTION_KEY once deployed, because secret keys and volumes created under the previous key path might become inoperative if the key path changes.
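Every value in the px-vault Secret is base64-encoded, so a mis-encoded or missing field is easy to ship without noticing. The following is an added example, not Portworx code: it builds the `data` section from plaintext values (rejecting unknown keys and missing required ones), renders the manifest shown above, and checks an existing `data` map by decoding it, flagging missing required fields, a plain-`http` VAULT_ADDR, and an `https` endpoint without any of the recommended TLS fields. It also reports the transit key path that results from VAULT_ENCRYPTION_KEY, defaulting to `transit/keys/pwx-encryption-key`. The sample endpoint, token and file paths are constructed placeholders.

```python
import base64

# Field classes exactly as listed in the px-vault Secret above.
REQUIRED = ("VAULT_ADDR", "VAULT_TOKEN")
RECOMMENDED = ("VAULT_CACERT", "VAULT_CAPATH", "VAULT_CLIENT_CERT",
               "VAULT_CLIENT_KEY", "VAULT_TLS_SERVER_NAME")
OPTIONAL = ("VAULT_ENCRYPTION_KEY", "VAULT_NAMESPACE")
DEFAULT_KEY_NAME = "pwx-encryption-key"  # page default


def b64(value):
    """base64-encode a plaintext string the way `data:` entries expect."""
    return base64.b64encode(value.encode()).decode()


def build_px_vault(values):
    """Turn plaintext values into the Secret's data map, enforcing required keys."""
    unknown = set(values) - set(REQUIRED + RECOMMENDED + OPTIONAL)
    if unknown:
        raise ValueError(f"unknown px-vault fields: {sorted(unknown)}")
    missing = [k for k in REQUIRED if not values.get(k)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return {k: b64(v) for k, v in values.items()}


def render_secret(data, namespace="portworx"):
    """Render the px-vault Secret manifest (name and namespace as on this page)."""
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", "  name: px-vault",
             f"  namespace: {namespace}", "type: Opaque", "data:"]
    lines += [f"  {k}: {v}" for k, v in data.items()]
    return "\n".join(lines) + "\n"


def check_px_vault(data):
    """Decode a data map and report errors (blocking) and warnings (hardening)."""
    decoded, errors, warnings = {}, [], []
    for k, v in data.items():
        try:
            decoded[k] = base64.b64decode(v, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            errors.append(f"{k}: not valid base64")
    for k in REQUIRED:
        if not decoded.get(k):
            errors.append(f"{k} is required")
    addr = decoded.get("VAULT_ADDR", "")
    if addr.startswith("http://"):
        warnings.append("VAULT_ADDR uses plain http; the token is sent unencrypted")
    if addr.startswith("https://") and not any(decoded.get(k) for k in RECOMMENDED):
        warnings.append("no recommended TLS field set (VAULT_CACERT/VAULT_CAPATH/...)")
    key_name = decoded.get("VAULT_ENCRYPTION_KEY") or DEFAULT_KEY_NAME
    return {"decoded": decoded, "transit_key_path": f"transit/keys/{key_name}",
            "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    sample = build_px_vault({
        "VAULT_ADDR": "https://vault.example.internal:8200",
        "VAULT_TOKEN": "hvs.CONSTRUCTED-EXAMPLE-TOKEN",
        "VAULT_CACERT": "/etc/pwx/vault-ca.pem",
        "VAULT_ENCRYPTION_KEY": "px-custom-key",
    })
    print(render_secret(sample))
    print(check_px_vault(sample))
```

To audit a deployed Secret, feed `check_px_vault` the `data` map from `kubectl get secret px-vault -n portworx -o json`; anything in `errors` will stop Portworx from reaching Vault, and the `transit_key_path` line tells you which key path the cluster is bound to before you consider changing it.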
Use Vault Transit with Portworx
- Encrypting Kubernetes PVCs with Vault Transit: instructions on using Vault Transit with Portworx for encrypting PVCs in Kubernetes.
- (Other Schedulers) Encrypt Portworx Volumes using Vault Transit: instructions on using Vault Transit with Portworx for encrypting Portworx volumes.