Data Encryption

Explore this Page

Overview

DataCore Puls8 offers support for data-at-rest encryption to help ensure the confidentiality of persistent data stored on disk. With this capability, any disk pool configured with a user-defined encryption key can host encrypted volume replicas. This feature is particularly beneficial in environments requiring compliance with regulatory or security standards.

This document provides a structured approach for enabling and using encryption in Replicated PV Mayastor, including how to configure the necessary Kubernetes resources and validate encrypted deployments.

Requirements

Before enabling volume encryption via a StorageClass, ensure the following is configured:

Create a Kubernetes Secret with an AES-XTS Key

Define a Kubernetes Secret containing the encryption key material. Replicated PV Mayastor supports the AES-XTS cipher, which requires two 128-bit hex-encoded keys.

Copy
Sample Kubernetes Secret with AES-XTS Encryption Keys
apiVersion: v1
kind: Secret
metadata:
  name: pool-encr-secret
  namespace: puls8
type: Opaque
immutable: true
stringData:
  encryption_parameters: |
    {
      "cipher": "AesXts",
      "key": "2b7e151628aed2a6abf7158809cf4f3c",
      "key_len": 128,
      "key2": "2b7e151628aed2a6abf7158809cf4f3d",
      "key2_len": 128
    }

You may optionally use Kubernetes resource encryption to protect this secret. Refer to the Kubernetes - Encrypting Confidential Data at Rest Documentation for more information.

Configure the DiskPool with the Encryption Secret

The DiskPool custom resource must reference the encryption secret. This ensures all replicas stored on that disk pool are encrypted.

Copy
DiskPool Configuration Referencing the Encryption Secret
apiVersion: "openebs.io/v1beta3"
kind: DiskPool
metadata:
  name: <POOL_NAME>
  namespace: puls8
spec:
  node: <NODE_NAME>
  disks: ["/dev/disk/by-id/<DEVICE_NAME>"]
  encryptionConfig:
    source:
      secret:
        name: pool-encr-secret

Configure the StorageClass for Encrypted Volumes

To provision encrypted volumes, set the encrypted parameter to "true" in the StorageClass definition. Volumes will be created only if the required number of encrypted pools (based on the replication factor) is available.

Copy
StorageClass Configuration to Enable Encrypted Volume Provisioning
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: mayastor-2-encr
parameters:
  protocol: nvmf
  repl: "2"
  encrypted: "true"
provisioner: io.openebs.csi-mayastor
reclaimPolicy: Delete

Migration of Pools and Volumes from Non-Encrypted to Encrypted

Migrating existing, non-encrypted disk pools and volumes to an encrypted state requires careful planning. The ideal way to migrate or recreate existing non-encrypted pools as encrypted is to first create new encrypted pools in the cluster, provided there are available disks and sufficient capacity on the nodes. This approach allows volume replicas to be moved to encrypted pools in a staggered manner.

The key idea behind the migration is to target a pool, move its replicas elsewhere, and once the pool is empty, destroy and recreate it as an encrypted pool. As there is currently no native support for draining replicas from a pool, this process must be orchestrated manually using node cordoning and volume scaling operations.

The following procedure outlines a recommended approach:

  1. Identify Target Pool: Determine the non-encrypted pool (Example: P1) to be migrated.
  2. List Associated Volumes: Identify volumes that have replicas currently residing on P1.
  3. Scale Up Volumes (Optional but Recommended): Temporarily scale up the volumes (Example: From 2 to 3 replicas) to ensure redundancy during the transition.
  4. Cordon the Node Hosting P1: Prevent new replicas from scheduling on the node where P1 exists by cordoning it.
  5. Update Volume Configuration: Modify the volumes to set the encrypted flag to true using the mayastor plugin set volume property command.
  6. Scale Down Volumes: Reduce the replica count to remove replicas from P1, since the node is cordoned, affected replicas will be evicted.
  7. Recreate Pool with Encryption: Delete the original non-encrypted P1 pool and recreate it with encryption enabled, referencing the appropriate secret.
  8. Scale Up Volumes Again: Increase the replica count. New replicas will now be provisioned on the encrypted P1.
  9. Adjust Replica Count Post-Migration: At this stage, volumes may temporarily run with three replicas. You may retain this configuration or scale back to two replicas by cordoning a different node that hosts a non-encrypted replica.

Throughout this process, monitor available disk capacity and pool health to avoid resource exhaustion or service interruption.

  • Ensure the Kubernetes Secret is created before applying the DiskPool configuration.
  • Key rotation is not currently supported. Plan and manage key usage accordingly.
  • Persistent device paths are required for disk pool creation. Retrieve these paths using the following command:
Copy
Retrieve Persistent Device Paths for Block Devices
kubectl mayastor get block-devices <node-id>
  • Migration from unencrypted to encrypted disk pools and volumes is a manual process, as described above.

Benefits of Data Encryption

  • Data Security: Prevents unauthorized access to data stored on disk, even if physical media is compromised.
  • Tenant Isolation: Strengthens separation of data between workloads in shared or multi-tenant clusters.
  • Transparent Operations: Encryption is handled at the infrastructure level, requiring no changes from application developers or users.

Learn More