Note: Supported from PX Enterprise 1.4 onwards.
There are two ways to encrypt Portworx volumes; they differ in how the secret passphrase is provided to PX.
Encryption using Storage Class
In this method, PX uses the cluster-wide secret key to encrypt PVCs.
Step 1: Set a cluster-wide secret
Follow this guide to set up the cluster-wide secret key.
Step 2: Create a StorageClass
Create a storage class with the secure parameter set to true.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: px-secure-sc
provisioner: kubernetes.io/portworx-volume
parameters:
  secure: "true"
  repl: "3"

To create a shared encrypted volume, set the shared parameter to true as well.
Step 3: Create a Persistent Volume Claim
Create a PVC that uses the px-secure-sc storage class defined above.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: secure-pvc
spec:
  storageClassName: px-secure-sc
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
Step 4: Verify the volume
Once the PVC has been created, verify that the volume Portworx created for it is encrypted (the ENCRYPTED column must read "yes").
# PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
# kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl volume list
ID NAME ... ENCRYPTED ...
10852605918962284 pvc-5a885584-44ca-11e8-a17b-080027ee1df7 ... yes ...
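The manual check above can be turned into a script that resolves a PVC to its backing PV and reads the ENCRYPTED column from the pxctl listing. The following is an added example, not part of the Portworx documentation or of pxctl itself. It assumes that pxctl volume list separates columns with tabs and prints a header row containing NAME and ENCRYPTED (as in the listing above); the sample listing embedded in the script is constructed, with made-up IDs and names, so that the parsing part runs without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not Portworx code): check whether the PX volume backing a
# PVC is marked ENCRYPTED in `pxctl volume list` output.

# Constructed sample listing, modelled on the page's output. Columns are
# tab-separated (assumed to match pxctl's tabwriter output); names and IDs
# are made up.
SAMPLE_PXCTL_OUTPUT=$(printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
  'ID' 'NAME' 'SIZE' 'HA' 'SHARED' 'ENCRYPTED' 'STATUS' \
  '10852605918962284' 'pvc-5a885584-44ca-11e8-a17b-080027ee1df7' '2 GiB' '3' 'no' 'yes' 'up - attached on 10.0.0.1' \
  '20852605918962285' 'pvc-7c1d3f00-1111-2222-3333-444444444444' '2 GiB' '3' 'no' 'no' 'up - detached')

# volume_is_encrypted <pv-name> <pxctl-volume-list-output>
# Returns 0 when the ENCRYPTED column for NAME == <pv-name> is "yes",
# 1 when it is anything else or the volume is not listed.
# Column positions are taken from the header row, so the check does not
# depend on the exact column order.
volume_is_encrypted() {
  pv_name="$1"
  listing="$2"
  result=$(printf '%s\n' "$listing" | awk -F '\t+' -v want="$pv_name" '
    NR == 1 {
      for (i = 1; i <= NF; i++) {
        if ($i == "NAME") n = i
        if ($i == "ENCRYPTED") e = i
      }
      next
    }
    n && e && $n == want { print $e; exit }
  ')
  [ "$result" = "yes" ]
}

# pvc_volume_encrypted <pvc-name> <namespace>
# Live check against a cluster: maps the PVC to its PV, fetches the pxctl
# listing from the first Portworx pod (same kubectl invocation as on the
# page) and delegates to volume_is_encrypted. Returns 2 if any kubectl
# call fails. Not executed here; it requires a cluster with kubectl access.
pvc_volume_encrypted() {
  pv=$(kubectl get pvc "$1" -n "$2" -o jsonpath='{.spec.volumeName}') || return 2
  [ -n "$pv" ] || return 2   # PVC still pending, no PV bound yet
  px_pod=$(kubectl get pods -l name=portworx -n kube-system \
             -o jsonpath='{.items[0].metadata.name}') || return 2
  listing=$(kubectl exec "$px_pod" -n kube-system -- /opt/pwx/bin/pxctl volume list) || return 2
  volume_is_encrypted "$pv" "$listing"
}

# Example usage with the constructed listing:
#   volume_is_encrypted pvc-5a885584-44ca-11e8-a17b-080027ee1df7 "$SAMPLE_PXCTL_OUTPUT" && echo encrypted
# Against a real cluster:
#   pvc_volume_encrypted secure-pvc default && echo encrypted
```

Exit status rather than printed text is the interface, so the function can gate a CI step or an admission check: a PVC that was supposed to be provisioned from a secure: "true" class but whose volume does not show ENCRYPTED = yes fails the check, and a PVC that is still unbound is reported separately (status 2) instead of silently passing.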
Encryption using PVC annotations
In this method, each PVC can be encrypted with its own secret key.
Step 1: Create a StorageClass
Create a storage class with the secure parameter set to true.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: px-secure-sc
provisioner: kubernetes.io/portworx-volume
parameters:
  secure: "true"
  repl: "3"

To create a shared encrypted volume, set the shared parameter to true as well.
Step 2: Create a PVC with the secret annotation
Create a PVC that uses the px-secure-sc storage class and names its secret key in the px/secret-name annotation.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: secure-mysql-pvc
  annotations:
    px/secret-name: your-secret-key
spec:
  storageClassName: px-secure-sc   # the StorageClass created in Step 1
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
Important: Make sure the secret your-secret-key was generated using the pxctl AWS KMS helper commands.