Encrypted volumes using pxctl
This guide will give you an overview of how to use the encryption feature for Portworx volumes. Under the hood, Portworx uses the
libgcrypt library to interface with the
dm-crypt module for creating, accessing and managing encrypted devices. Portworx uses the
LUKS format of
AES-256 as the cipher with
xts-plain64 as the cipher mode.
All encrypted volumes are protected by a passphrase. Portworx uses this passphrase to encrypt the volume data at rest as well as in transit. It is recommended to store these passphrases in a secure secret store.
There are two ways in which you can provide the passphrase to Portworx:
1. Per volume secret: Use a unique secret for each encrypted volume
2. Cluster-wide secret: Use a default common secret for all encrypted volumes
To know more about the supported secret providers and how to configure them with Portworx, refer to the Setup Secrets Provider page.
Creating and using encrypted volumes
Using a cluster-wide secret key
A cluster-wide secret key is basically a key-value pair where the value part is the secret that Portworx uses as a passphrase to encrypt all your volumes.
Let’s look at an example where we want to create and mount an encrypted volume that uses a cluster-wide secret key:
The first step is to create a new volume. Let’s make it encrypted with the
/opt/pwx/bin/pxctl volume create --secure --size 10 encrypted_volume
Volume successfully created: 822124500500459627
Just to make sure our new encrypted volume was created, try running the following command:
pxctl volume list
ID NAME SIZE HA SHARED ENCRYPTED IO_PRIORITY SCALE STATUS 822124500500459627 encrypted_volume 10 GiB 1 no yes LOW 1 up - detached
Next, you can attach the volume:
pxctl host attach encrypted_volume
Volume successfully attached at: /dev/mapper/pxd-enc822124500500459627
We’re almost done. Let’s mount the volume by running the following command:
pxctl host mount encrypted_volume /mnt
Volume encrypted_volume successfully mounted at /mnt
So, if a cluster-wide secret key is set, Portworx will use it as the default key for encryption. In the next section, you will learn how to specify per volume keys.
Using per volume secret keys
As mentioned, you can encrypt volumes using unique keys instead of the cluster-wide secret key. However, you are required to specify the key every time you create or attach a new volume.
Let’s look at a simple example. First, we’ll run
pxctl volume create with the
--secret_key flag like this:
pxctl volume create --secure --secret_key key1 enc_vol
Volume successfully created: 374663852714325215
Next, mount the
enc_vol volume into the
mnt directory as follows:
docker run --rm -it -v secret_key=key1,name=enc_vol:/mnt
You can get the same result by typing:
docker run --rm -it --mount src=secret_key=key1,name=enc_vol,dst=/mnt
key1exists in the secret endpoint.
Encrypted Shared Volumes
With Portworx, you can create encrypted shared volumes that can be accessed from multiple nodes.
--shared flag is used to indicate that we would want to share an encrypted volume:
pxctl volume create --shared --secure --size 10 encrypted_volume
Encrypted Shared volume successfully created: 77957787758406722
Try inspecting our new volume:
pxctl volume inspect encrypted_volume
Volume : 77957787758406722 Name : encrypted_volume Size : 10 GiB Format : ext4 HA : 1 IO Priority : LOW Creation time : Nov 1 17:22:59 UTC 2018 Shared : yes Status : up State : detached Attributes : encrypted Reads : 0 Reads MS : 0 Bytes Read : 0 Writes : 0 Writes MS : 0 Bytes Written : 0 IOs in progress : 0 Bytes used : 131 MiB Replica sets on nodes: Set 0 Node : 126.96.36.199 (Pool 0) Replication Status : Detached
You can enable or disable sharing during runtime by passing the
--shared on/off flag.
Note that volumes must be detached to toggle the
shared flag during run-time.
The Portworx cluster must be authenticated to access the secret store for the encryption keys.