Portworx needs a secrets backend to store the keys that will be used when encrypting volumes. In this example we'll be using Kubernetes Secrets. This is beneficial because it respects namespaces allowing you to do per-tenant encryption and key management. This is great for multi-tenant or service provider use cases.

It is worth noting that you can use a wide range of secret stores such as Hashicorp Vault, Docker Secrets, DCOS Secrets and AWS KMS.

Step: Validate Kubernetes secrets.

To get started we need to make sure Portworx is configured to use Kubernetes secrets. Check to Portworx config file to confirm this.

ssh -o "StrictHostKeyChecking no" node01 cat /etc/pwx/config.json

You can see the secret_type is set to k8s.

Note: you can set the secrets endpoint you wish to use when installing Portworx.

Step: Create cluster wide key

A cluster wide secret key is a common key that points to a secret value/passphrase which can be used to encrypt all your volumes.

We're going to use kubectl to create a cluster wide secret in Kubernetes:

kubectl -n portworx create secret generic px-vol-encryption \
  --from-literal=cluster-wide-secret-key=Il0v3Portw0rX

Note that the cluster wide secret has to reside in the px-vol-encryption secret under the portworx namespace.

Confirm the secret exists

kubectl get secrets -n portworx | grep vol

Now you have to give Portworx the cluster wide secret key, that acts as the default encryption key for all volumes.

PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl secrets set-cluster-key \
  --secret cluster-wide-secret-key

Let's move on to creating a secure Storage Class.

Now we have a cluster secret set we can use it to secure a StorageClass.

Step: Create a secure StorageClass

Let's create a new StorageClass. First take a look at the StorageClass yaml.

echo "$(cat px-secure-sc.yaml)"

You'll see we're using the secure: "true" parameter. This will ensure that this StorageClass will look for the default secret name px-vol-encryption and use this key to encrypt volumes from PVCs that use this StorageClass.

Now apply the spec to create the StorageClass.

kubectl apply -f px-secure-sc.yaml

Step: Create a PVC

We can now create a PVC that uses our secure StorageClass. Take a look at the PVC spec.

echo "$(cat px-secure-pvc.yaml)"

You'll notice that we're referencing our previously created secure StorageClass storageClassName: px-secure-sc. This ensures any volumes created will be encrypted.

Apply the PVC spec.

kubectl apply -f px-secure-pvc.yaml

Finally check the volume is encrypted.

PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl volume list

We've proven out cluster wide encryption applied to volumes via a StorageClass, but what if you have multiple teams, tenants or lines of business?

Encryption at Storage Class level does not allow using different secret keys for different PVCs. It also does not provide a way to disable encryption for certain PVCs that are using the same secure storage class. Encryption at PVC level will override the encryption options from Storage Class.

Let's take a look at per volume encryption.

Step: Create a 'normal' StorageClass

We're going to start by creating a StorageClass that does not use encryption.

Take a look at this SC.

echo "$(cat px-sc.yaml)"

You'll notice there is no secure parameter. Apply the spec now.

kubectl apply -f px-sc.yaml

Step: Create a new secret to be used with our PVC

In the previous section we used a cluster wide secret with the default secret name. Now we're going to create a custom secret.

kubectl -n portworx create secret generic volume-secrets \
  --from-literal=secure-pvc=SuperSecur3Key

Verify the secret exists.

kubectl get secrets -n portworx

Now we can create our PVC.

Step: Creating a secure PVC

Take a look at the PVC spec.

echo "$(cat px-secure-pvc2.yaml)"

You'll notice a set of new parameters.

    px/secret-name: volume-secrets
    px/secret-namespace: portworx
    px/secret-key: mysql-pvc

Here we are specifying the secret name, the namespace the secret lives in (useful for multiple cluster tenants), and the secret key. These are the values we used in the previous step to create the secret.

You can apply the spec now to provision an encrypted volume.

kubectl apply -f px-secure-pvc2.yaml

If you take a look at the Portworx volume list you'll the new encrypted PVC.

PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl volume list

We have an encrypted PVC, which is great, but let's validate that we cannot access this encrypted volume directly.

Step: Validating a secure PVC

We're going to see if we can access the secure PVC directly from the host. We'll mount the Portworx volume directly on the host so we can see if it's possible access the data.

Start by setting the PVC name in an environment variable.

PX_VOL=$(kubectl get pvc -o jsonpath='{.items[1].spec.volumeName}')

The Portworx CLI gives us the ability to attach and mount a Portworx volume directly on the host. Let's see if we can do this with our encrypted volume.

ssh -o "StrictHostKeyChecking no" node01 pxctl host attach $PX_VOL

You will get the following error message.

attach: crypt_activate returned error with code -1

The volume cannot be attached as it is encrypted preventing access to the data.