(Other Schedulers) Encrypt Portworx Volumes using AWS KMS
You can use one of the following methods to encrypt Portworx volumes with AWS KMS, depending on how you provide the secret password to Portworx:
- Encrypt volumes using per volume secrets
- Encrypt volumes using named secrets
- Encrypt volumes using a cluster-wide secret
Encrypt volumes using per volume secrets
Use per volume secrets to encrypt each volume with a different key. As a result, each volume uses its unique passphrase for encryption. Portworx relies on the AWS KMS APIs to generate a Data Encryption key.
Create a volume. Enter the
pxctl volume create
command specifying the--secure
flag with the name of your encrypted volume (this example usesenc_vol
):pxctl volume create --secure enc_vol
Docker users:
Enter the following command to create an encrypted volume named
enc_vol
:docker volume create --volume-driver pxd secure=true,name=enc_vol
Enter the following command to attach and mount an encrypted volume:
docker run --rm -it -v secure=true,name=enc_vol:/mnt busybox
Encrypt volumes using named secrets
You can use a named secret to specify the secret Portworx uses to encrypt and decrypt your volumes.
You can not use named secrets to create a cloud backup of an encrypted volume or to migrate encrypted volumes between two different Portworx clusters.
List your named secrets by running the following command:
pxctl secrets aws list-secrets
Generate a new AWS KMS data key and associate it with a unique name. Enter the following
pxctl secrets aws generate-kms-data-key
command, specifying the--secret_id
flag with the name of the data key, which must be unique. This example usesmy-unique-secret
:pxctl secrets aws generate-kms-data-key --secret_id my-unique-secret
Create a new encrypted volume. Enter the
pxctl volume create
command, specifying the following arguments:--secure
--secret-key
with the name of your named secret (this example usesmy-unique-secret
)- The name of the encrypted volume (this example uses
enc_vol
)
pxctl volume create --secure --secret_key my-unique-secret enc_vol
Docker users: Use the following command to create an encrypted volume named
enc_vol
:docker volume create --volume-driver pxd secret_key=my-unique-secret,name=enc_vol
Attach your volume by entering the
pxctl host attach
command with the following arguments:- The name of your encrypted volume (this example uses
enc_vol
) - The
--secret-key
flag with thedefault
vaule
pxctl host attach enc_vol --secret_key default
Volume successfully attached at: /dev/mapper/pxd-enc822124500500459627
- The name of your encrypted volume (this example uses
Mount the volume by entering the
pxctl host mount
command with the following parameters:- The name of your encrypted volume (this example uses
enc_vol
) - The mount point (this example uses
mnt
)
pxctl host mount enc_vol /mnt
Volume enc_vol successfully mounted at /mnt
Docker users: To attach and mount an encrypted volume, enter the following command:
docker run --rm -it -v secure=true,secret_key=my-unique-secret,name=enc_vol:/mnt busybox
- The name of your encrypted volume (this example uses
Encrypt volumes using a cluster-wide secret
Set the default cluster-wide secret, and use it to encrypt your volumes.
Starting with version 2.1, cluster-wide secrets have been deprecated. However, any volume encrypted with a cluster-wide secret can still be used in newer versions of Portworx.
You can use the following procedure to create new encrypted volumes using your existing cluster-wide secret:
Generate a new AWS KMS data key and associate it with a unique name. Enter the following
pxctl secrets aws generate-kms-data-key
command, specifying the--secret_id
flag with the name of the data key, which must be unique (this example usesmy-unique-secret
):pxctl secrets aws generate-kms-data-key --secret_id my-unique-secret
Enter the
pxctl secrets set-cluster-key
command, specifying the name of your new KMS data key (this example usesmy-unique-secret
):pxctl secrets set-cluster-key my-unique-secret
Create a new volume by following the steps in the Encrypt volumes using named secrets section.
You can not use a cluster-wide secret to create a cloud backup of an encrypted volume or to migrate encrypted volumes between two different Portworx clusters.