Encrypting Kubernetes PVCs with Vault Transit in GKE
Portworx Encrypted Volumes
Portworx has two different kinds of encrypted volumes:
- Encrypted Volumes: regular volumes, which can be accessed from only one node at a time.
- Encrypted Sharedv4 Volumes: encrypted volumes that can be accessed from multiple nodes at once.
Encryption using StorageClass
In this method each volume is encrypted with its own unique passphrase. Portworx relies on the Vault Transit secrets engine to generate a per-volume Data Encryption Key, which is then used to encrypt and decrypt that volume. With Transit, the key that wraps the data key never leaves Vault; only the per-volume data key is handed to Portworx, so losing a node does not expose the master key.
Step 1: Create a StorageClass
Create a StorageClass with the secure parameter set to "true":
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: px-secure-sc
provisioner: kubernetes.io/portworx-volume
parameters:
  secure: "true"
  repl: "3"
To create encrypted sharedv4 volumes, set the sharedv4 parameter to "true" as well.
Step 2: Create a PVC
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: secure-mysql-pvc
spec:
  storageClassName: px-secure-sc
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
If you do not want to set the secure parameter in the StorageClass, but still want to encrypt a particular PVC that uses that StorageClass, add the px/secure annotation to the PVC instead:
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: secure-pvc
  annotations:
    px/secure: "true"
spec:
  storageClassName: portworx-sc
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
Note that a PVC is encrypted only if one of the two settings is present; a claim against a StorageClass without secure: "true" and without the annotation is provisioned unencrypted.
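Because encryption can be switched on in two places (the StorageClass parameter from Step 1 or the PVC annotation above), it is easy to ship a claim that silently ends up unencrypted. The following is an added example, not Portworx's own code or tooling: a small Python audit that takes StorageClass and PersistentVolumeClaim objects in the shape `kubectl get ... -o json` returns and reports, before the volume is bound, whether each PVC will be encrypted. The sample objects are constructed from the manifests on this page plus two claims that exercise the failure modes (one with neither setting, one on a sharedv4 class that only asks for ReadWriteOnce). The provisioner set, the `_is_true` strictness and the ReadWriteMany expectation for sharedv4 are this example's own policy choices, not taken from the page.

```python
"""Added example: pre-bind audit of Portworx PVC encryption settings.

Not Portworx code. Works on StorageClass / PVC objects as returned by
`kubectl get storageclass,pvc -A -o json` (the "items" list).
"""
import json

# Provisioners under which Portworx honours the "secure" parameter: the in-tree
# name used on this page plus the Portworx CSI driver name (assumed here).
PORTWORX_PROVISIONERS = {"kubernetes.io/portworx-volume", "pxd.portworx.com"}


def _is_true(value) -> bool:
    # Parameters and annotations are strings. Be strict: only the literal
    # "true" counts, so a typo such as "True" or "yes" is reported, not trusted.
    return value == "true"


def storageclass_encrypts(sc: dict) -> bool:
    return _is_true(sc.get("parameters", {}).get("secure"))


def storageclass_sharedv4(sc: dict) -> bool:
    return _is_true(sc.get("parameters", {}).get("sharedv4"))


def pvc_requests_encryption(pvc: dict) -> bool:
    annotations = pvc.get("metadata", {}).get("annotations") or {}
    return _is_true(annotations.get("px/secure"))


def check_pvc(pvc: dict, storageclasses: dict) -> dict:
    """Return an encryption verdict and findings for one PVC.

    storageclasses maps StorageClass name -> StorageClass object.
    """
    name = pvc["metadata"]["name"]
    spec = pvc.get("spec", {})
    sc_name = spec.get("storageClassName")
    result = {"pvc": name, "encrypted": False, "sharedv4": False, "findings": []}

    sc = storageclasses.get(sc_name)
    if sc is None:
        result["findings"].append(f"StorageClass {sc_name!r} not found; cannot verify encryption")
        return result
    if sc.get("provisioner") not in PORTWORX_PROVISIONERS:
        result["findings"].append(
            f"provisioner {sc.get('provisioner')!r} is not Portworx; 'secure' has no effect")
        return result

    # Either the StorageClass parameter or the PVC annotation turns encryption on.
    result["encrypted"] = storageclass_encrypts(sc) or pvc_requests_encryption(pvc)
    if not result["encrypted"]:
        result["findings"].append(
            'volume will be provisioned unencrypted: set parameters.secure: "true" '
            'on the StorageClass or annotate the PVC with px/secure: "true"')

    # Policy choice of this example: a sharedv4 class exists for multi-node
    # access, so a claim that only asks for ReadWriteOnce is probably a mistake.
    result["sharedv4"] = storageclass_sharedv4(sc)
    if result["sharedv4"] and "ReadWriteMany" not in spec.get("accessModes", []):
        result["findings"].append(
            "sharedv4 StorageClass but the PVC does not request ReadWriteMany")
    return result


def audit(objects: list) -> dict:
    """Run check_pvc over every PVC in a kubectl-style items list, keyed by PVC name."""
    storageclasses = {o["metadata"]["name"]: o for o in objects if o["kind"] == "StorageClass"}
    pvcs = [o for o in objects if o["kind"] == "PersistentVolumeClaim"]
    return {r["pvc"]: r for r in (check_pvc(p, storageclasses) for p in pvcs)}


# Constructed sample input modelled on the manifests on this page, plus a
# sharedv4 class, a PVC with neither setting, and a sharedv4 PVC asking for RWO.
SAMPLE_OBJECTS = json.loads("""
{"items": [
 {"kind": "StorageClass", "metadata": {"name": "px-secure-sc"},
  "provisioner": "kubernetes.io/portworx-volume",
  "parameters": {"secure": "true", "repl": "3"}},
 {"kind": "StorageClass", "metadata": {"name": "px-secure-shared-sc"},
  "provisioner": "kubernetes.io/portworx-volume",
  "parameters": {"secure": "true", "sharedv4": "true", "repl": "3"}},
 {"kind": "StorageClass", "metadata": {"name": "portworx-sc"},
  "provisioner": "kubernetes.io/portworx-volume",
  "parameters": {"repl": "3"}},
 {"kind": "PersistentVolumeClaim", "metadata": {"name": "secure-mysql-pvc"},
  "spec": {"storageClassName": "px-secure-sc", "accessModes": ["ReadWriteOnce"]}},
 {"kind": "PersistentVolumeClaim",
  "metadata": {"name": "secure-pvc", "annotations": {"px/secure": "true"}},
  "spec": {"storageClassName": "portworx-sc", "accessModes": ["ReadWriteOnce"]}},
 {"kind": "PersistentVolumeClaim", "metadata": {"name": "plain-pvc"},
  "spec": {"storageClassName": "portworx-sc", "accessModes": ["ReadWriteOnce"]}},
 {"kind": "PersistentVolumeClaim", "metadata": {"name": "shared-pvc"},
  "spec": {"storageClassName": "px-secure-shared-sc", "accessModes": ["ReadWriteOnce"]}}
]}
""")["items"]


if __name__ == "__main__":
    for name, r in audit(SAMPLE_OBJECTS).items():
        status = "encrypted" if r["encrypted"] else "UNENCRYPTED"
        print(f"{name}: {status}" + "".join(f"\n  - {f}" for f in r["findings"]))
```

Run it against a live cluster by piping `kubectl get storageclass,pvc -A -o json` into `json.load` and passing the `items` list to `audit`; anything with a non-empty findings list should be fixed before the claim binds, since Portworx cannot retroactively encrypt a volume that was created without the setting.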
Encryption using PVC annotations with Vault Namespaces
If you have Vault Namespaces enabled and your secret resides inside a specific namespace, you must provide the name of that namespace and the secret key to Portworx.