IBM Cloud Docs
Understanding encryption for Portworx

Understanding encryption for Portworx

Encryption overview

The following image illustrates the encryption workflow in Portworx when you set up per-volume encryption.

Encrypting Portworx volumes
Encrypting Portworx volumes

  1. The user creates a PVC with a Portworx storage class and requests the storage to be encrypted.
  2. Portworx invokes the IBM Key Protect or Hyper Protect Crypto Services API WrapCreateDEK to create a passphrase by using the customer root key (CRK) that is stored in the Portworx secret.
  3. The IBM Key Protect or Hyper Protect Crypto Services service instance generates a 256-bit passphrase and wraps the passphrase in the DEK. The DEK is returned to the Portworx cluster.
  4. The Portworx cluster uses the passphrase to encrypt the volume.
  5. The Portworx cluster stores the DEK in plain text in the Portworx etcd database, associates the volume ID with the DEK, and removes the passphrase from its memory.

Decryption overview

The following image illustrates the decryption workflow in Portworx when you set up per-volume encryption.

Decrypting Portworx volumes
Decrypting Portworx volumes

  1. Kubernetes sends a request to decrypt an encrypted volume.
  2. Portworx requests the DEK for the volume from the Portworx etcd database.
  3. The Portworx etcd looks up the DEK and returns the DEK to the Portworx cluster.
  4. The Portworx cluster calls the IBM Key Protect or Hyper Protect Crypto Services API UnWrapDEK by providing the DEK and the root key (CRK) that is stored in the Portworx secret.
  5. IBM Key Protect or Hyper Protect Crypto Services unwraps the DEK to extract the passphrase and returns the passphrase to the Portworx cluster.
  6. The Portworx cluster uses the passphrase to decrypt the volume. After the volume is decrypted, the passphrase is removed from the Portworx cluster.

Setting up volume encryption

To protect your data in a Portworx volume, you can create an instance of a KMS provider such as IBM Key Protect or Hyper Protect Crypto Services.

If you don't want to use IBM Key Protect or Hyper Protect Crypto Services root keys to encrypt your volumes, you can select Kubernetes Secret as your Portworx secret store type during the Portworx installation. This setting gives you the option to store your own custom encryption key in a Kubernetes secret after you install Portworx. For more information, see the Portworx documentation.

Getting your KMS instance and credentials

Setting up volume encryption with Hyper Protect Crypto Services

  1. Create a service instance.

  2. Create a root key.

  3. Create a service ID.

  4. Private clusters: Create a virtual private endpoint gateway that allows access to your KMS instance. Make sure to bind at least 1 IP address from each subnet in your VPC to the VPE.

  5. Retrieve the Key Management public endpoint URL. Make sure that you note your endpoint in the correct format; for example, https://api.us-south.hs-crypto.cloud.ibm.com:<port>. For more information, see the Hyper Protect Crypto Services API documentation.

Setting up volume encryption with IBM Key Protect

  1. Create a service instance.

  2. Create a root key.

  3. Create a service ID.

  4. Retrieve the region where you created your service instance and make a note. You need this value later when you create your secret.

  5. Private clusters: Create a virtual private endpoint gateway that allows access to your KMS instance. Make sure to bind at least 1 IP address from each subnet in your VPC to the VPE.

Creating a secret in your cluster

  1. Encode the credentials that you retrieved in the previous section to base64 and note all the base64 encoded values. Repeat this command for each parameter to retrieve the base64 encoded value.
    echo -n "<value>" | base64
    
  2. Create a namespace in your cluster called portworx.
    kubectl create ns portworx
    
  3. Create a Kubernetes secret named px-ibm in the portworx namespace of your cluster to store your IBM Key Protect information.
    1. Create a configuration file for your Kubernetes secret with the following content.

      apiVersion: v1
      kind: Secret
      metadata:
        name: px-ibm
        namespace: portworx
      type: Opaque
      data:
        IBM_SERVICE_API_KEY: <base64_apikey>
        IBM_INSTANCE_ID: <base64_guid>
        IBM_CUSTOMER_ROOT_KEY: <base64_rootkey>
        IBM_BASE_URL: <base64_endpoint>
      
      metadata.name
      Enter px-ibm as the name for your Kubernetes secret. If you use a different name, Portworx does not recognize the secret during installation.
      data.IBM_SERVICE_API_KEY
      Enter the base64 encoded IBM Key Protect or Hyper Protect Crypto Services API key that you retrieved earlier.
      data.IBM_INSTANCE_ID
      Enter the base64 encoded service instance GUID that you retrieved earlier.
      data.IBM_CUSTOMER_ROOT_KEY
      Enter the base64 encoded root key that you retrieved earlier.
      data.IBM_BASE_URL
      IBM Key Protect: Enter the base64 encoded API endpoint of your service instance.
      Hyper Protect Crypto Services: Enter the base64 encoded Key Management public endpoint.
    2. Create the secret in the portworx namespace of your cluster.

      kubectl apply -f secret.yaml
      
    3. Verify that the secret is created successfully.

      kubectl get secrets -n portworx