(Other Schedulers) Encrypting Portworx Volumes using AWS KMS
Portworx Encrypted Volumes
This guide gives an overview of how to use the encryption feature for Portworx volumes. Under the hood, Portworx uses the libgcrypt library to interface with the dm-crypt module for creating, accessing and managing encrypted devices. Portworx uses the LUKS format with AES-256 as the cipher and xts-plain64 as the cipher mode.
All encrypted volumes are protected by a passphrase. Portworx uses this passphrase to encrypt the volume data at rest as well as in transit. It is recommended to store these passphrases in a secure secret store.
There are two ways in which you can provide the passphrase to Portworx:
1. Per volume secret: Use a unique secret for each encrypted volume
2. Cluster-wide secret: Use a default common secret for all encrypted volumes
Portworx has two different kinds of encrypted volumes:
- Encrypted Volumes
Encrypted volumes are regular volumes which can be accessed from only one node.
- Encrypted Shared Volumes
Encrypted shared volumes allow access to the same encrypted volume from multiple nodes.
Creating and using encrypted volumes
Using per volume secret keys
In this method, each volume will use its own unique passphrase for encryption. Portworx relies on the AWS KMS APIs to generate a Data Encryption Key. This key will then be used to encrypt and decrypt your volumes.
To create a volume through pxctl, run the following command:
pxctl volume create --secure enc_vol
To create a volume through docker, run the following command:
docker volume create --volume-driver pxd secure=true,name=enc_vol
To attach and mount an encrypted volume through docker, run the following command:
docker run --rm -it -v secure=true,name=enc_vol:/mnt busybox
Note that no secret_key argument needs to be passed in any of these commands.
Using named secret keys
In this method, you will create an AWS Data Key and assign it a unique name. This data key will then be used for encrypting volumes.
Step 1: Create a Named Secret
Use the following CLI command to generate AWS KMS Data keys. Portworx associates each KMS Data Key with a unique name provided through the
To generate a new KMS Data Key, run the following command:
pxctl secrets aws generate-kms-data-key --secret_id mysecret
The above command generates an AWS KMS Data Key and associates it with the name mysecret. To use this Data Key for encrypting volumes, provide only the secret ID mysecret to Portworx while creating or attaching the volume.
To list all the named secrets, use the following command:
pxctl secrets aws list-secrets
Step 2: Use the Named Secrets for encrypting volumes
To create a volume using a named secret through pxctl, run the following command:
pxctl volume create --secure --secret_key mysecret enc_vol
To create a volume using a named secret through docker, run the following command:
docker volume create --volume-driver pxd secret_key=mysecret,name=enc_vol
To attach and mount the same encrypted volume through docker, run the following command:
docker run --rm -it -v secure=true,secret_key=mysecret,name=enc_vol:/mnt busybox
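As an added example (not Portworx's own tooling), the following POSIX shell script chains Step 1 and Step 2 so that a volume is created only with --secure and only after the named KMS data key is confirmed in pxctl's list of secrets. The PXCTL/DOCKER override variables and the assumption that list-secrets prints the secret name as a whole word are this example's own, not documented behaviour.

```shell
#!/bin/sh
# Added example, not Portworx tooling: wraps the named-secret workflow so that a
# volume is only created with --secure and with a KMS data key pxctl actually
# lists. PXCTL/DOCKER are overridable for dry runs. Assumption of this example:
# `pxctl secrets aws list-secrets` prints the secret name as a whole word.
PXCTL="${PXCTL:-pxctl}"
DOCKER="${DOCKER:-docker}"

# secret_exists NAME: succeeds when NAME shows up among the named secrets
secret_exists() {
    "$PXCTL" secrets aws list-secrets 2>/dev/null | grep -qw -- "$1"
}

# ensure_secret NAME: generate the KMS data key once, then confirm it is listed
ensure_secret() {
    secret_exists "$1" && return 0
    "$PXCTL" secrets aws generate-kms-data-key --secret_id "$1" || return 1
    secret_exists "$1"
}

# create_encrypted_volume VOLUME SECRET: always passes --secure; refuses with
# exit 2 (bad arguments) or 3 (secret not listed) instead of creating anything
create_encrypted_volume() {
    vol="$1"; secret="$2"
    case "$vol" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid volume name: '$vol'" >&2; return 2 ;;
    esac
    [ -n "$secret" ] || { echo "secret name required" >&2; return 2; }
    secret_exists "$secret" || { echo "named secret '$secret' not found" >&2; return 3; }
    "$PXCTL" volume create --secure --secret_key "$secret" "$vol"
}

# mount_encrypted_volume VOLUME SECRET MOUNTPOINT: same docker -v spec as above
mount_encrypted_volume() {
    "$DOCKER" run --rm -it -v "secure=true,secret_key=$2,name=$1:$3" busybox
}
```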
Using cluster-wide secret key
From Portworx version 2.1, support for cluster-wide secrets is deprecated. If you have volumes that were created with a cluster-wide secret on older Portworx versions, those volumes will still work seamlessly with newer Portworx versions.
However, if you wish to use your previous cluster-wide secret, you will need to pass its name as shown in the Named secret keys section above.
Let's say your generated KMS data key was called portworx_secret and you had set it as your cluster-wide secret using the command pxctl secrets set-cluster-key portworx_secret.
To create new volumes using that same secret, follow the Named secret keys section above and provide the name portworx_secret as shown there.
Again, existing volumes created with the cluster-wide secret will still work without providing