Encrypted Volumes
Volumes can be encrypted when they are created using the
storageos.com/encryption label
. The labels can be
passed to Ondat using PVCs or you can directly create volumes using the
Ondat CLI or GUI with the encryption label applied.
For more in depth discussion of how encryption works please see the Encryption concepts page.
Required labels
The storageos.com/encryption
label must be applied to the volume when it is
created. The encryption status of a volume cannot be changed after a volume has been
created.
You can pass the label using a PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc0002
labels:
"storageos.com/encryption": "true"
annotations:
volume.beta.kubernetes.io/storage-class: fast
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
You can also pass the encryption label when creating volumes using the CLI
$ storageos volume create encrypted-volume --label storageos.com/encryption=true
You can also add the encryption label when creating a volume with the GUI
Backing up Secrets
Ondat generates the cryptographic keys that are used to encrypt data (see Encryption for more details). The keys that are used to encrypt a volume are stored in a Kubernetes secret. As such, Ondat does not have access to the keys that are used to encrypt a volume and if the keys are lost the volume cannot be decrypted.
As a precautionary measure it is recommended that you backup the Kubernetes secrets used to store the encryption keys.
Ondat will create one secret per encrypted volume and the secrets are created in whatever namespace Ondat is installed into.
$ kubectl get secrets -n kube-system
NAME TYPE DATA AGE
ns-key.default Opaque 1 20h
vol-key.4276fc07-7d85-70bf-35a0-f0b005e55e0f Opaque 4 1m
In the output above there is a ns-key.default
and a vol-key.
A
ns-key
is created for each Ondat namespace in the formatns-key.{namespace}
. Avol-key
is created for every encrypted volume. The vol-keys are namedvol-key.{volume-id}
. The volume id can be retrieved by inspecting the volume.
# Find the PVC name
$ kubectl get pvc --show-labels
NAME STATUS VOLUME STORAGECLASS AGE LABELS
pvc0002 Bound pvc-1c68f013-40dd-11e9-91ad-0a57700a78b4 fast 10m storageos.com/encryption=true
# Inspect the volume and find the volume ID
$ storageos volume inspect default/pvc-1c68f013-40dd-11e9-91ad-0a57700a78b4 | grep -m1 id
"id": "4276fc07-7d85-70bf-35a0-f0b005e55e0f",
# Find the secret for PVC pvc0002
$ kubectl get secret vol-key.4276fc07-7d85-70bf-35a0-f0b005e55e0f
NAME TYPE DATA AGE
vol-key.4276fc07-7d85-70bf-35a0-f0b005e55e0f Opaque 4 12m
Ondat recommends that vol-key and ns-keys are backed up. This can be done by outputting the secrets as yaml and storing the resulting files securely. The example below will output the ns-key.default to a ns-key.default.yaml file.
$ kubectl get secret ns-key.default -o yaml > ns-key.default.yaml
The vol-key secret contains all the keys necessary to decrypt a volume so ensure that backups of the vol-keys are stored securely.
Restoring Secrets
In order to restore backed up secrets use kubectl to create them. The secrets have a namespace field in the file themselves so a namespace does not need to be specified.
$ kubectl create -f ns-key.default.yaml
Keys can be restored while Ondat is running and will be used dynamically by Ondat.