(Other Schedulers) Encrypting Portworx Volumes using AWS KMS


Portworx Encrypted Volumes

This guide will give you an overview of how to use the encryption feature for Portworx volumes. Under the hood, Portworx uses the libgcrypt library to interface with the dm-crypt module for creating, accessing and managing encrypted devices. Portworx uses the LUKS format of dm-crypt and AES-256 as the cipher with xts-plain64 as the cipher mode.

All encrypted volumes are protected by a passphrase. Portworx uses this passphrase to encrypt the volume data at rest as well as in transit. It is recommended to store these passphrases in a secure secret store.

There are two ways in which you can provide the passphrase to Portworx:

1. Per volume secret: Use a unique secret for each encrypted volume

2. Cluster-wide secret: Use a default common secret for all encrypted volumes

Portworx has two different kinds of encrypted volumes:

  • Encrypted Volumes

Encrypted volumes are regular volumes which can be accessed from only one node.

  • Encrypted Shared Volumes

Encrypted shared volumes allow access to the same encrypted volume from multiple nodes.

Creating and using encrypted volumes

Using per volume secret keys

In this method, each volume uses its own unique passphrase for encryption. Portworx calls the AWS KMS APIs to generate a Data Encryption Key, which is then used to encrypt and decrypt that volume.

To create a volume through pxctl, run the following command:

pxctl volume create --secure enc_vol

To create a volume through docker, run the following command:

docker volume create --volume-driver pxd secure=true,name=enc_vol

To attach and mount an encrypted volume through docker, run the following command:

docker run --rm -it -v secure=true,name=enc_vol:/mnt busybox

Note that no secret_key argument needs to be passed in any of the commands.

Using named secret keys

In this method, you will create an AWS Data Key and assign it a unique name. This data key will then be used for encrypting volumes.

This method for encrypting volumes is not supported when you want to take a cloud backup of an encrypted volume or migrate encrypted volumes between two different Portworx clusters.

Step 1: Create a Named Secret

Use the following CLI command to generate AWS KMS Data keys. Portworx associates each KMS Data Key with a unique name provided through the --secret_id argument.

To generate a new KMS Data Key, run the following command:

pxctl secrets aws generate-kms-data-key --secret_id mysecret

The above command generates an AWS KMS Data Key and associates it with the name mysecret. To use this Data Key for encrypting volumes, provide only the secret ID mysecret to Portworx when creating or attaching the volume.

To list all the named secrets, use the following command:

pxctl secrets aws list-secrets

Step 2: Use the Named Secrets for encrypting volumes

To create a volume using a named secret through pxctl, run the following command:

pxctl volume create --secure --secret_key mysecret enc_vol

To create a volume using a named secret through docker, run the following command:

docker volume create --volume-driver pxd secret_key=mysecret,name=enc_vol

To attach and mount the same encrypted volume through docker, run the following command:

docker run --rm -it -v secure=true,secret_key=mysecret,name=enc_vol:/mnt busybox
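The per-volume and named-secret workflows above, gathered into a few shell helpers. This is an added example, not Portworx's own tooling: it wraps the pxctl and docker option syntax shown on this page, checks that a named secret exists before a volume is created with it, and classifies a docker pxd volume spec so that named-secret volumes (which this page says cannot be cloud-backed-up or migrated between clusters) are easy to spot. The helper names (px_*) and the PXCTL variable are this example's own, and the assumption that pxctl secrets aws list-secrets prints the secret names as whitespace-delimited tokens is not confirmed by the page; check it against your pxctl version before relying on the pre-flight check.

```shell
#!/usr/bin/env sh
# Added example (not Portworx's own code): helpers for the encrypted-volume
# workflows on this page. PXCTL is overridable so the helpers can be tried
# against a stub that only echoes its arguments before touching a cluster.
PXCTL="${PXCTL:-pxctl}"

# Return 0 if SECRET_ID is listed by `pxctl secrets aws list-secrets`.
# Assumption (not from the page): the listing contains each secret name as
# a whitespace-delimited token; adapt the filter if your pxctl prints a table.
px_secret_exists() {
    secret_id="$1"
    [ -n "$secret_id" ] || return 1
    "$PXCTL" secrets aws list-secrets 2>/dev/null \
        | tr ' \t' '\n\n' \
        | grep -Fqx -- "$secret_id"
}

# Create an encrypted volume. Without a secret id Portworx generates a
# per-volume KMS data key (the "Using per volume secret keys" method); with
# one it uses the named secret created in Step 1.
px_create_encrypted_volume() {
    name="$1"
    secret_id="${2:-}"
    if [ -n "$secret_id" ]; then
        if ! px_secret_exists "$secret_id"; then
            echo "named secret '$secret_id' not found; create it first with:" >&2
            echo "  $PXCTL secrets aws generate-kms-data-key --secret_id $secret_id" >&2
            return 1
        fi
        "$PXCTL" volume create --secure --secret_key "$secret_id" "$name"
    else
        "$PXCTL" volume create --secure "$name"
    fi
}

# Build the docker -v spec for the pxd driver, using the option names the
# page shows: secure=true[,secret_key=ID],name=NAME:MOUNTPOINT
px_docker_volume_spec() {
    name="$1"; mount="$2"; secret_id="${3:-}"
    if [ -n "$secret_id" ]; then
        printf 'secure=true,secret_key=%s,name=%s:%s\n' "$secret_id" "$name" "$mount"
    else
        printf 'secure=true,name=%s:%s\n' "$name" "$mount"
    fi
}

# Classify a docker pxd volume spec as "named-secret", "per-volume" or "plain".
# Named-secret volumes are the ones this page says cannot be cloud-backed-up
# or migrated, so surfacing the mode before deployment avoids surprises later.
px_encryption_mode() {
    opts="${1%%:*}"          # drop the ":/mountpoint" suffix, if any
    secure=""; secret=""
    oldifs="$IFS"; IFS=','
    for kv in $opts; do
        case "$kv" in
            secure=true)  secure=yes ;;
            secret_key=*) secret="${kv#secret_key=}" ;;
        esac
    done
    IFS="$oldifs"
    if [ -n "$secret" ]; then
        echo "named-secret"
    elif [ "$secure" = yes ]; then
        echo "per-volume"
    else
        echo "plain"
    fi
}
```

Source the file and call px_create_encrypted_volume enc_vol mysecret on a node where pxctl is installed; to dry-run, set PXCTL to a wrapper script that only echoes its arguments. Because Step 1 is a prerequisite for Step 2, the create helper refuses to proceed when the named secret is missing and prints the generate-kms-data-key command from this page instead.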

Using cluster-wide secret key

From Portworx version 2.1, support for cluster-wide secrets is deprecated. Volumes that were created with a cluster-wide secret under older Portworx versions continue to work seamlessly with newer Portworx versions.

However, if you wish to keep using your previous cluster-wide secret for new volumes, you will need to pass its name as shown in the Named secrets section above.

For example:

Let's say your generated KMS data key was called portworx_secret and you had set it as your cluster-wide secret using the command pxctl secrets set-cluster-key portworx_secret.

To create new volumes using that same secret, follow the Named secrets section above and provide the name portworx_secret as shown there.

Again, existing volumes created with the cluster-wide secret will still work without providing portworx_secret.

NOTE: For newer volumes, if you do not provide any secret key, Portworx uses per-volume encryption and will NOT default to the cluster-wide secret.

This method for encrypting volumes is not supported when you want to take a cloud backup of an encrypted volume or migrate encrypted volumes between two different Portworx clusters.

Last edited: Wednesday, Apr 8, 2020