AWS KMS
Portworx can integrate with AWS KMS to generate and use KMS Datakeys. This document will show you how to spin up a Portworx cluster which is connected to an AWS KMS endpoint. The data keys created in KMS can be used to encrypt Portworx volumes.
This feature is supported from Portworx Enterprise 1.4 onwards.
Configuring AWS KMS with Portworx
There are multiple ways in which you can setup Portworx so that it gets authenticated with AWS.
Following are the authentication details required by Portworx to use the AWS KMS service:
AWS Access Key [AWS_ACCESS_KEY_ID] [required]
AWS Access Key ID of the account which has permissions to access KMS APIs
AWS Secret Key [AWS_SECRET_ACCESS_KEY] [required]
AWS Secret Access Key of the account which has permissions to access KMS APIs
AWS Secret Token Key [AWS_SECRET_TOKEN_KEY] [optional]
AWS Secret Token Key (if configured) of the account which has permissions to access KMS APIs
AWS KMS key [AWS_CMK] [required]
AWS KMS key. The CMK can be found out from AWS's resource ARN. Here is an example ARN for CMK:
arn:aws:kms:us-east-1::key/<cmk-id>
It specifies that the ARN is for the
kms
service forus-east-1
region. The trailing ID at the end of ARN is the actual CMK that needs to be provided to Portworx through theAWS_CMK
field.AWS Region of the CMK [AWS_REGION] [required]
The AWS region to which the CMK is associated to. CMKs are region specific and cannot be used across regions.
Using AWS environment variables
Portworx can authenticate with AWS using AWS SDK’s EnvProvider.
Each of the above fields can be provided as is to Portworx as environment variables.
Kubernetes users
If you are installing Portworx on Kubernetes, when generating the Portworx Kubernetes spec file on the Portworx Spec Generator page in Portworx Central:
Pass in all the above variables as is in the Environment Variables section.
Specify the
Secret Store Type
in the Advanced Settings section asaws
More help on generating the Portworx spec for Kubernetes is available here.
Other users
During installation,
- Use argument
-secret_type aws-kms
when starting Portworx to specify the secret type as AWS KMS. - Use
-e
argument to expose the AWS KMS environment variables
Using AWS EC2 Role Credentials
Portworx can authenticate with AWS using AWS SDK’s EC2RoleCredentials Provider. Follow these instructions to create an EC2 role. Make sure you provide the following access to KMS in your policy associated with EC2 role.
Here is a sample AWS Policy that gives access to KMS:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1490047200000",
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": [
"arn:aws:kms:us-east-1:<aws-id>:key/<key-id>"
]
}
]
}
Apply EC2 role to all the AWS instances where Portworx will be running.
Along with the EC2 role you will still need to provide AWS_CMK
and AWS_REGION
either through config.json
or as environment variables. To provide them through config.json
, add the following section to the config.json
on all the nodes
cat /etc/pwx/config.json
{
"clusterid": "<cluster-id>",
"secret": {
"secret_type": "aws-kms",
"aws": {
"AWS_CMK": "your-aws-kms-key-id",
"AWS_REGION": "you-aws-region-to-which-this-cmk-belongs"
},
}
...
}
Using AWS KMS with Portworx
To use AWS KMS with Portworx, proceed to one of the below sections.
📄️ Encrypting Kubernetes PVCs with AWS KMS
Instructions on using AWS KMS with Portworx for encrypting PVCs
📄️ (Other Schedulers) Encrypt Portworx Volumes using AWS KMS
Instructions on using AWS KMS with Portworx for encrypting Portworx Volumes