Set Up Key Management and Encrypt Portworx Volumes
This topic provides an overview of how to configure a secret store in Portworx Enterprise and to encrypt volumes using secrets.
Under the hood, Portworx uses the libgcrypt library to interface with the dm-crypt module for creating, accessing and managing encrypted devices. Encrypted volumes use the LUKS on-disk format of dm-crypt, with AES-256 as the cipher and xts-plain64 as the cipher mode (`aes-xts-plain64` in cryptsetup notation).
Encryption is not supported for Portworx raw block devices.
Every encrypted volume is protected by a passphrase, which Portworx uses to encrypt the volume's data at rest as well as in transit. Store these passphrases in a secure secret store rather than on the nodes; without the passphrase the data on an encrypted volume cannot be recovered. There are two ways to provide the passphrase to Portworx:
- Per-volume secret: use a unique secret for each encrypted volume, so that exposing one passphrase affects only that volume
- Cluster-wide secret: use a single default secret for all encrypted volumes that do not specify their own
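The following added example is not part of the Portworx documentation or product; it shows how the two passphrase modes above resolve for a set of Kubernetes PVCs and audits for the failure case where a volume requests encryption but no passphrase source exists. It assumes the Portworx conventions that a StorageClass parameter `secure: "true"` requests an encrypted volume, that the PVC annotation `px/secret-name` (optionally with `px/secret-namespace`) selects a per-volume secret, and that a PVC without that annotation falls back to the cluster-wide secret; the manifests are constructed sample data.

```python
"""Resolve and audit the passphrase source of Portworx-encrypted PVCs.

Assumptions (labelled; verify against your Portworx release):
  - StorageClass parameter `secure: "true"` requests an encrypted volume.
  - PVC annotation `px/secret-name` selects a per-volume secret.
  - Without that annotation the cluster-wide secret is used, so the volume
    cannot be created if no cluster-wide secret has been configured.
"""
from dataclasses import dataclass
from typing import Optional

SECURE_PARAM = "secure"                      # StorageClass parameter (assumed)
SECRET_NAME_ANNOTATION = "px/secret-name"    # PVC annotation (assumed)
SECRET_NAMESPACE_ANNOTATION = "px/secret-namespace"


@dataclass
class EncryptionPlan:
    pvc: str
    encrypted: bool
    secret_source: Optional[str] = None      # "per-volume" or "cluster-wide"
    secret_name: Optional[str] = None
    secret_namespace: Optional[str] = None
    error: Optional[str] = None


def _is_true(value) -> bool:
    # StorageClass parameters and annotations are strings in Kubernetes.
    return str(value).strip().lower() == "true"


def plan_encryption(pvc: dict, storage_classes: dict, cluster_secret_set: bool) -> EncryptionPlan:
    """Decide which passphrase (if any) Portworx would use for one PVC."""
    meta = pvc.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta['name']}"
    annotations = meta.get("annotations") or {}
    sc_name = pvc.get("spec", {}).get("storageClassName")
    sc = storage_classes.get(sc_name)
    if sc is None:
        return EncryptionPlan(pvc=name, encrypted=False, error=f"unknown StorageClass {sc_name!r}")
    if not _is_true(sc.get("parameters", {}).get(SECURE_PARAM, "false")):
        return EncryptionPlan(pvc=name, encrypted=False)
    secret_name = annotations.get(SECRET_NAME_ANNOTATION)
    if secret_name:
        return EncryptionPlan(pvc=name, encrypted=True, secret_source="per-volume",
                              secret_name=secret_name,
                              secret_namespace=annotations.get(SECRET_NAMESPACE_ANNOTATION))
    if cluster_secret_set:
        return EncryptionPlan(pvc=name, encrypted=True, secret_source="cluster-wide")
    return EncryptionPlan(pvc=name, encrypted=True,
                          error="secure StorageClass but no px/secret-name annotation "
                                "and no cluster-wide secret configured")


def audit(pvcs, storage_classes, cluster_secret_set):
    """Return (plans, findings): ERROR lines for unresolvable volumes and one
    WARN line when several volumes share the single cluster-wide passphrase."""
    plans = [plan_encryption(p, storage_classes, cluster_secret_set) for p in pvcs]
    findings = [f"ERROR {p.pvc}: {p.error}" for p in plans if p.error]
    shared = [p.pvc for p in plans if p.secret_source == "cluster-wide"]
    if len(shared) > 1:
        findings.append(f"WARN {len(shared)} volumes share the cluster-wide passphrase: "
                        + ", ".join(shared))
    return plans, findings


# Constructed sample manifests (not from a real cluster).
SAMPLE_STORAGE_CLASSES = {
    "px-secure": {"parameters": {"repl": "3", SECURE_PARAM: "true"}},
    "px-plain": {"parameters": {"repl": "2"}},
}
SAMPLE_PVCS = [
    {"metadata": {"name": "db-data", "namespace": "payments",
                  "annotations": {SECRET_NAME_ANNOTATION: "db-volume-key",
                                  SECRET_NAMESPACE_ANNOTATION: "portworx"}},
     "spec": {"storageClassName": "px-secure"}},
    {"metadata": {"name": "cache-a", "namespace": "payments"},
     "spec": {"storageClassName": "px-secure"}},
    {"metadata": {"name": "cache-b", "namespace": "payments"},
     "spec": {"storageClassName": "px-secure"}},
    {"metadata": {"name": "logs", "namespace": "ops"},
     "spec": {"storageClassName": "px-plain"}},
]

if __name__ == "__main__":
    for cluster_key in (True, False):
        plans, findings = audit(SAMPLE_PVCS, SAMPLE_STORAGE_CLASSES, cluster_key)
        print(f"cluster-wide secret configured: {cluster_key}")
        for p in plans:
            print(" ", p)
        for f in findings:
            print(" ", f)
```

Run it against manifests exported with `kubectl get pvc,sc -A -o json` (after converting the items to the dict shape above) to spot PVCs that will fail to bind because no passphrase source exists, and to see how many volumes would be exposed together if the cluster-wide passphrase were leaked.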
Depending on your secret provider, follow the linked instructions to first configure a secret store in Portworx Enterprise for your passphrases, and then encrypt PVCs using those secrets and passphrases.
| Secret Provider | Step 1: Set Up a Secret Store | Step 2: Encrypt Volumes Using Secrets |
|---|---|---|
| AWS KMS | Set up AWS KMS | |
| Azure Key Vault | Set up Azure Key Vault | Encrypting volumes using named secrets is not supported with Azure Key Vault. To encrypt volumes, follow the steps in Encrypting Kubernetes PVCs with Google Cloud KMS. |
| Google Cloud KMS | Set up Google Cloud KMS | |
| IBM key management services | Set Up IBM key management services | |
| Kubernetes Secrets | Set up Kubernetes Secrets | |
| Vault | Set up Vault | |
| Vault Transit | Set Up Vault Transit | |