(Other Schedulers) Encrypting Portworx Volumes using IBM Key Protect


Portworx Encrypted Volumes

This guide gives an overview of how to use the encryption feature for Portworx volumes. Under the hood, Portworx uses the libgcrypt library to interface with the dm-crypt kernel module for creating, accessing and managing encrypted devices. Portworx uses the LUKS on-disk format of dm-crypt, with AES-256 as the cipher and xts-plain64 as the cipher mode.
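The cipher parameters above are the first thing to verify on a node after an encrypted volume has been attached, because a LUKS header silently records whatever it was created with. The script below is an added example, not Portworx code: it reads the text that `cryptsetup luksDump <device>` prints on standard input and accepts only a header using aes with xts-plain64 and a 512-bit master key (AES-256 in XTS mode needs two 256-bit keys, so cryptsetup reports it as 512 bits). The dumps embedded in the script are constructed samples in the LUKS1 and LUKS2 output layouts so that it runs offline; the `/dev/mapper/<pxd-device>` path in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not Portworx code: check that a LUKS header really uses the
# cipher described on this page (aes, xts-plain64, AES-256 => 512-bit master
# key, because XTS consumes two 256-bit keys). Input is the text printed by
# `cryptsetup luksDump <device>`, read from stdin. On a Portworx node you
# would run (device path is an assumption, take it from `dmsetup ls`):
#   cryptsetup luksDump /dev/mapper/<pxd-device> | check_luks_cipher

# Constructed LUKS1-style dump with the expected parameters.
SAMPLE_LUKS1_OK='LUKS header information for /dev/pxd/pxd374663852714325215
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512'

# Constructed LUKS2-style dump with the expected parameters.
SAMPLE_LUKS2_OK='LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits'

# Constructed dump of a header that must be rejected: CBC mode and a 256-bit
# master key, i.e. not what a Portworx encrypted volume should look like.
SAMPLE_WEAK='LUKS header information for /dev/pxd/pxd1
Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256'

# trim: strip leading and trailing blanks from a value.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# check_luks_cipher: read a luksDump on stdin; return 0 only for aes/xts-plain64
# with a 512-bit key. Handles the LUKS1 layout ("Cipher name", "Cipher mode",
# "MK bits") and the LUKS2 layout ("cipher: aes-xts-plain64", "Key: 512 bits").
check_luks_cipher() {
    dump=$(cat)
    version=$(trim "$(printf '%s\n' "$dump" | sed -n 's/^Version:[[:space:]]*//p' | head -n1)")
    case "$version" in
        1)
            name=$(trim "$(printf '%s\n' "$dump" | sed -n 's/^Cipher name:[[:space:]]*//p' | head -n1)")
            mode=$(trim "$(printf '%s\n' "$dump" | sed -n 's/^Cipher mode:[[:space:]]*//p' | head -n1)")
            bits=$(trim "$(printf '%s\n' "$dump" | sed -n 's/^MK bits:[[:space:]]*//p' | head -n1)")
            ;;
        2)
            spec=$(trim "$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*cipher:[[:space:]]*//p' | head -n1)")
            name=${spec%%-*}    # "aes" from "aes-xts-plain64"
            mode=${spec#*-}     # "xts-plain64" from "aes-xts-plain64"
            bits=$(trim "$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*Key:[[:space:]]*\([0-9]*\) bits.*/\1/p' | head -n1)")
            ;;
        *)
            echo "REJECT: unrecognised or missing LUKS version '$version'"
            return 1
            ;;
    esac
    if [ "$name" = aes ] && [ "$mode" = xts-plain64 ] && [ "$bits" = 512 ]; then
        echo "OK: LUKS$version $name-$mode, $bits-bit master key (AES-256 in XTS)"
        return 0
    fi
    echo "REJECT: LUKS$version cipher='$name' mode='$mode' key_bits='$bits'; expected aes xts-plain64 512"
    return 1
}

# Demo on the constructed samples; a real run pipes cryptsetup output instead.
printf '%s\n' "$SAMPLE_LUKS1_OK" | check_luks_cipher
printf '%s\n' "$SAMPLE_LUKS2_OK" | check_luks_cipher
printf '%s\n' "$SAMPLE_WEAK" | check_luks_cipher || true
```

A header that reports 256 key bits with xts-plain64 is AES-128 in XTS, not AES-256, which is the reason the check insists on 512 rather than "at least 256".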

All encrypted volumes are protected by a passphrase. Portworx uses this passphrase to encrypt the volume data at rest as well as in transit. It is recommended to store these passphrases in a secure secret store; on this page that store is IBM Key Protect.

There are two ways in which you can provide the passphrase to Portworx:

1. Per volume secret: Use a unique secret for each encrypted volume

2. Cluster-wide secret: Use a default common secret for all encrypted volumes

Portworx has two different kinds of encrypted volumes:

  • Encrypted Volumes

Encrypted volumes are regular volumes which can be accessed from only one node.

  • Encrypted Shared Volumes

Encrypted shared volumes allow access to the same encrypted volume from multiple nodes.

Creating and using encrypted volumes

Using per volume secret keys

Portworx volumes can be encrypted in two ways, depending on how the secret passphrase is provided to PX. With per-volume secrets, Portworx uses the IBM Key Protect APIs to generate a unique 256-bit passphrase for each volume. This passphrase is used during encryption and decryption of that volume.

To create a volume through pxctl, run the following command

pxctl volume create --secure enc_vol
Volume successfully created: 374663852714325215

To create a volume through docker, run the following command

docker volume create --volume-driver pxd secure=true,name=enc_vol

To attach and mount an encrypted volume through docker, run the following command

docker run --rm -it -v secure=true,name=enc_vol:/mnt busybox

Note that no secret_key needs to be passed in any of these commands, because the per-volume passphrase is generated through IBM Key Protect rather than supplied by the user.

Using cluster wide secret key

In this method a default cluster-wide secret is set for the Portworx cluster. Both the user and Portworx refer to this secret by the name default. Any volume or PVC request that references the secret name default uses this cluster-wide secret as the passphrase to encrypt the volume.

To create a volume using a cluster wide secret through pxctl, run the following command

pxctl volume create --secure --secret_key default enc_vol
Volume successfully created: 374663852714325215

To create a volume using a cluster wide secret through docker, run the following command

docker volume create --volume-driver pxd secret_key=default,name=enc_vol

To attach and mount an encrypted volume through docker, run the following command

docker run --rm -it -v secure=true,secret_key=default,name=enc_vol:/mnt busybox

Note that secret_key is set to the value default to tell PX to use the cluster-wide secret key.
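The docker volume option strings in the per-volume and cluster-wide sections above are the only place where the encryption choice is visible, so a deployment script should refuse to create a volume whose options encrypt nothing. The function below is an added example, not Portworx code: it parses a `docker volume create` option string or a `docker run -v` spec and reports which passphrase the volume will use, returning a non-zero status for an unencrypted volume so that a `set -e` script stops. The classification rule it applies is taken from the examples above: secret_key names the passphrase (default means the cluster-wide secret), and secure=true with no secret_key means a per-volume Key Protect passphrase; the sample option strings in the demo are the page's own commands plus one constructed unencrypted case.

```shell
#!/bin/sh
# Added example, not Portworx code: classify the encryption setting of a pxd
# volume option string before handing it to docker.
#   classify_pxd_opts 'secure=true,name=enc_vol'                 -> per-volume
#   classify_pxd_opts 'secret_key=default,name=enc_vol'          -> cluster-wide
#   classify_pxd_opts 'secret_key=team-a,name=enc_vol'           -> secret:team-a
#   classify_pxd_opts 'name=plain_vol'                           -> unencrypted (status 1)
# A trailing ":/mountpoint" as used in `docker run -v` is ignored.

classify_pxd_opts() {
    opts=${1%%:/*}           # drop ":/mnt"-style mount path from a -v spec
    secure=""
    secret_key=""
    old_ifs=$IFS
    IFS=','
    set -f                   # no glob expansion while splitting on commas
    for kv in $opts; do
        case "$kv" in
            secure=*)     secure=${kv#secure=} ;;
            secret_key=*) secret_key=${kv#secret_key=} ;;
        esac
    done
    set +f
    IFS=$old_ifs

    # An explicit secret_key always wins: "default" is the cluster-wide secret,
    # anything else is a named secret the cluster must already hold.
    if [ -n "$secret_key" ]; then
        if [ "$secret_key" = default ]; then
            echo cluster-wide
        else
            echo "secret:$secret_key"
        fi
        return 0
    fi
    # secure=true alone means Portworx generates a per-volume passphrase.
    if [ "$secure" = true ]; then
        echo per-volume
        return 0
    fi
    echo unencrypted
    return 1
}

# require_encrypted: gate for deploy scripts; exits non-zero on an unencrypted
# volume so that `set -e` callers never create plaintext volumes by mistake.
require_encrypted() {
    kind=$(classify_pxd_opts "$1") || { echo "refusing unencrypted pxd volume: $1" >&2; return 1; }
    echo "$1 -> $kind"
}

# Demo: the page's own option strings plus one constructed unencrypted case.
require_encrypted 'secure=true,name=enc_vol'
require_encrypted 'secure=true,name=enc_vol:/mnt'
require_encrypted 'secret_key=default,name=enc_vol'
require_encrypted 'secure=true,secret_key=default,name=enc_vol:/mnt'
require_encrypted 'name=plain_vol' || true
```

Because the function only inspects the option string, it catches a missing secure=true or secret_key before docker is invoked; it cannot tell whether the cluster-wide secret has actually been set on the cluster, which still has to be checked on the Portworx side.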

If you want to migrate encrypted volumes created through this method between two different Portworx clusters:

  1. Create a secret with the same name (--secret_id) in the destination cluster using the Portworx CLI.
  2. Make sure you provide the same passphrase while generating the secret: the migrated volumes can only be opened with the passphrase they were encrypted with.


Last edited: Wednesday, Apr 8, 2020