Encrypting volumes on Kubernetes

Difficulty: Intermediate

Estimated Time: 10 minutes

Portworx is a software defined persistent storage solution designed and purpose built for applications deployed as containers, via container orchestrators such as Kubernetes, Marathon and Swarm. It is a clustered block storage solution and provides a Cloud-Native layer from which containerized stateful applications programmatically consume block, file and object storage services directly through the scheduler.

In this tutorial, you will learn how to create encrypted volumes using Portworx.

How to set a cluster wide secret key
Use the Portworx Storage Class encrypt all volumes created from this SC
Use the Portworx PVC for per-volume encryption
How to validate data is encrypted

High Level Overview

First we will validate that we can use Kubernetes secrets to store our keys. Then we will create a cluster wide secret key. Next we will deploy Postgres to validate our encrypted volumes are being created. Finally we will do the same but with per volume encryption.

You can read about secure StorageClasses here: Encryption using StorageClass You can read about secure PVCs here: Encryption using PVC

Other things you should know

To learn more about Portworx:

This scenario assumes you have already covered the following scenarios:

Thank you for trying the encryption tutorial. To view all our scenarios, go here

To learn more about Portworx, below are some useful references.

Your environment is currently being packaged as a Docker container and the download will begin shortly. To run the image locally, once Docker has been installed, use the commands

cat scrapbook_grdnrio_pwx-vol-encryption_container.tar | docker load

docker run -it /grdnrio_pwx-vol-encryption:

Restart Scenario

Next Scenario

Step 1 of 6

Wait for Kubernetes & Portworx to be ready

First we need to wait for Kubernetes and Portworx to be ready. Be patient, this is not a very high performance environment, just a place to learn something :-

Step: Wait for Kubernetes to be ready

Click the below section which waits for all Kubernetes nodes to be ready.

watch kubectl get nodes

When all 4 nodes show status Running then hit clear to ctrl-c and clear the screen.

Step: Wait for Portworx to be ready

Watch the Portworx pods and wait for them to be ready on all the nodes. This can take a few minutes since it involves pulling multiple docker images. You will see 'No resources found' until all images are pulled.

watch kubectl get pods -n kube-system -l name=portworx -o wide

When all the pods show STATUS Running and READY 1/1 then hit clear to ctrl-c and clear the screen.

Now that we have the Portworx cluster up, let's proceed to the next step !

Validate Kubernetes Secrets

Portworx needs a secrets backend to store the keys that will be used when encrypting volumes. In this example we'll be using Kubernetes Secrets. This is beneficial because it respects namespaces allowing you to do per-tenant encryption and key management. This is great for multi-tenant or service provider use cases.

It is worth noting that you can use a wide range of secret stores such as Hashicorp Vault, Docker Secrets, DCOS Secrets and AWS KMS.

Step: Validate Kubernetes secrets.

To get started we need to make sure Portworx is configured to use Kubernetes secrets. Check to Portworx config file to confirm this.

ssh -o "StrictHostKeyChecking no" node01 cat /etc/pwx/config.json

You can see the secret_type is set to k8s.

Note: you can set the secrets endpoint you wish to use when installing Portworx.

Step: Create cluster wide key

A cluster wide secret key is a common key that points to a secret value/passphrase which can be used to encrypt all your volumes.

We're going to use kubectl to create a cluster wide secret in Kubernetes:

kubectl -n portworx create secret generic px-vol-encryption \
  --from-literal=cluster-wide-secret-key=Il0v3Portw0rX

Note that the cluster wide secret has to reside in the px-vol-encryption secret under the portworx namespace.

Confirm the secret exists

kubectl get secrets -n portworx | grep vol

Now you have to give Portworx the cluster wide secret key, that acts as the default encryption key for all volumes.

PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl secrets set-cluster-key \
  --secret cluster-wide-secret-key

Let's move on to creating a secure Storage Class.

Step 3

Now we have a cluster secret set we can use it to secure a StorageClass.

Step: Create a secure StorageClass

Let's create a new StorageClass. First take a look at the StorageClass yaml.

echo "$(cat px-secure-sc.yaml)"

You'll see we're using the secure: "true" parameter. This will ensure that this StorageClass will look for the default secret name px-vol-encryption and use this key to encrypt volumes from PVCs that use this StorageClass.

Now apply the spec to create the StorageClass.

kubectl apply -f px-secure-sc.yaml

Step: Create a PVC

We can now create a PVC that uses our secure StorageClass. Take a look at the PVC spec.

echo "$(cat px-secure-pvc.yaml)"

You'll notice that we're referencing our previously created secure StorageClass storageClassName: px-secure-sc. This ensures any volumes created will be encrypted.

Apply the PVC spec.

kubectl apply -f px-secure-pvc.yaml

Finally check the volume is encrypted.

PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl volume list

Step 4

We've proven out cluster wide encryption applied to volumes via a StorageClass, but what if you have multiple teams, tenants or lines of business?

Encryption at Storage Class level does not allow using different secret keys for different PVCs. It also does not provide a way to disable encryption for certain PVCs that are using the same secure storage class. Encryption at PVC level will override the encryption options from Storage Class.

Let's take a look at per volume encryption.

Step: Create a 'normal' StorageClass

We're going to start by creating a StorageClass that does not use encryption.

Take a look at this SC.

echo "$(cat px-sc.yaml)"

You'll notice there is no secure parameter. Apply the spec now.

kubectl apply -f px-sc.yaml

Step: Create a new secret to be used with our PVC

In the previous section we used a cluster wide secret with the default secret name. Now we're going to create a custom secret.

kubectl -n portworx create secret generic volume-secrets \
  --from-literal=secure-pvc=SuperSecur3Key

Verify the secret exists.

kubectl get secrets -n portworx

Step 5

Now we can create our PVC.

Step: Creating a secure PVC

Take a look at the PVC spec.

echo "$(cat px-secure-pvc2.yaml)"

You'll notice a set of new parameters.

    px/secret-name: volume-secrets
    px/secret-namespace: portworx
    px/secret-key: mysql-pvc

Here we are specifying the secret name, the namespace the secret lives in (useful for multiple cluster tenants), and the secret key. These are the values we used in the previous step to create the secret.

You can apply the spec now to provision an encrypted volume.

kubectl apply -f px-secure-pvc2.yaml

If you take a look at the Portworx volume list you'll the new encrypted PVC.

PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl volume list

Step 6

We have an encrypted PVC, which is great, but let's validate that we cannot access this encrypted volume directly.

Step: Validating a secure PVC

We're going to see if we can access the secure PVC directly from the host. We'll mount the Portworx volume directly on the host so we can see if it's possible access the data.

Start by setting the PVC name in an environment variable.

PX_VOL=$(kubectl get pvc -o jsonpath='{.items[1].spec.volumeName}')

The Portworx CLI gives us the ability to attach and mount a Portworx volume directly on the host. Let's see if we can do this with our encrypted volume.

ssh -o "StrictHostKeyChecking no" node01 pxctl host attach $PX_VOL

You will get the following error message.

attach: crypt_activate returned error with code -1

The volume cannot be attached as it is encrypted preventing access to the data.

Terminal

cd <directory>	Change directory
ls	List directory
echo 'contents' > <file>	Write contents to a file
cat <file>	Output contents of file

i	In Command Mode	Change into Insert Mode, you can now insert and edit text in the file
esc	In Insert Mode	Change into Command Mode, you can now execute commands
:wq	In Command Mode	Save and Exit

Welcome!

Encrypting volumes on Kubernetes

High Level Overview

Other things you should know

Congratulations!

You've completed the scenario!

Scenario Rating

Steps