Vault Transit in ROSA
Portworx can be integrated with Vault Transit to encrypt volumes. This page guides you to connect a Portworx cluster to a Vault development server and enable Vault Transit, which can be used to store secrets for encrypting volumes.
What is Vault Transit?
Vault Transit manages key generation for in-transit data encryption. With Vault Transit, you do not need to set a cluster wide secret to encrypt volumes and PVCs. By default, Portworx uses generated keys from Vault Transit as passphrase for volume encryption.
Prerequisites
Configure Vault Transit environment
- Run the following command to enable the Transit secrets engine:
vault secrets enable transit
- If you configured Vault strictly with policies, then the Vault Transit token provided to Portworx should follow the following policies:
# Enable transit secrets engine
path "sys/mounts/transit" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# To read enabled secrets engines
path "sys/mounts" {
capabilities = [ "read" ]
}
# Manage the transit secrets engine
path "transit/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Read and List capabilities on mount to determine which version of kv backend is supported
path "sys/mounts/*"
{
capabilities = ["read", "list"]
}
# V1 backends (Using default backend)
# Provide full access to the portworx subkey
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
}
# V1 backends (Using custom backend)
# Provide full access to the portworx subkey
# Provide -> VAULT_BACKEND_PATH=custom-backend (required)
path "custom-backend/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
}
# V2 backends (Using default backend )
# Provide full access to the data/portworx subkey
path "secret/data/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
}
# V2 backends (Using custom backend )
# Provide full access to the data/portworx subkey
# Provide -> VAULT_BACKEND_PATH=custom-backend (required)
path "custom-backend/data/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
}
Set the Vault Transit secrets engine for Portworx
Depending on whether you are performing a fresh install or modifying an existing installation, proceed to one of the following sections.
New Installation
When generating the Portworx specification file, select Vault Transit from the Secrets Store Type dropdown menu of Advanced Settings on the Customize tab.
Existing Installation
Edit the StorageCluster
object by setting the value of the specs.secretsProvider
field to vault-transit
.
spec:
secretsProvider: vault-transit
Editing Operator spec will restart all Portworx pods.
Authenticate Portworx
Use one of the supported methods to authenticate Portworx with Vault Transit.
(Optional) Customize the key path
Vault Transit generates the keys by writing to a transit
key path. For example:
$ vault write -f transit/keys/my-key
Success! Data written to: transit/keys/my-key
By default, Portworx uses transit key path pwx-encryption-key
(full path: transit/keys/pwx-encryption-key
) for key generation. To customize the key path with Vault Transit, specify the path as a base64 encoded string in px-vault
Secret object.
VAULT_ENCRYPTION_KEY: pwx-test-key
Portworx does not recommend changing the value of VAULT_ENCRYPTION_KEY
once deployed as the previous secret keys and volumes might be inoperative if the key path is changed.