December 14, 2017 By Jeff Sloyer

Encrypted Workers in the IBM Cloud Container Service

The IBM Cloud Container Service combines Docker and Kubernetes to deliver powerful tools, an intuitive user experience, and built-in security and isolation. You can rapidly deliver your apps while leveraging IBM Cloud services like artificial intelligence with Watson.

Today, we are proud to announce that we are turning on encryption of worker nodes by default. Many internal teams and external customers asked us for encrypted data volumes on worker nodes, and we listened to you!

What this means for you

As of today, this change makes your data in new clusters and workers that you create even more secure by default.

IBM Cloud Container Service provides encrypted data partitions for all worker nodes by provisioning them with two local SSD partitions. The first partition, the boot partition, is not encrypted. The second partition, mounted to /var/lib/docker, is unlocked at boot time by using LUKS encryption keys. Each worker in each Kubernetes cluster has its own unique LUKS encryption key, managed by the IBM Cloud Container Service. At boot time, the keys are pulled securely and then discarded after the encrypted disk is unlocked.
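
One way to confirm this layout from a shell on a worker node, as an added example that is not part of the original post or IBM's own tooling. The helper name `disk_encryption_state` is hypothetical, and the device names, mapper name and sample `lsblk` output are constructed.

```shell
#!/bin/sh
# Added example: report how a mountpoint is backed, from `lsblk -P` output.
# On a worker node (assumes shell access and util-linux lsblk):
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | disk_encryption_state /var/lib/docker

# Reads lsblk KEY="value" lines on stdin and prints one of:
#   luks       mountpoint is a dm-crypt mapping and a LUKS container is present
#   no-luks    mountpoint is mounted, but not through dm-crypt over LUKS
#   unmounted  nothing is mounted at that path
disk_encryption_state() {
    awk -v mp="$1" '
        # Return the value of KEY="value" on the current line ("" if missing).
        function field(key,    v) {
            if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
            v = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
            return v
        }
        {
            if (field("FSTYPE") == "crypto_LUKS") luks = 1
            if (field("MOUNTPOINT") == mp) {
                mounted = 1
                if (field("TYPE") == "crypt") crypt = 1
            }
        }
        END {
            if (!mounted)           print "unmounted"
            else if (crypt && luks) print "luks"
            else                    print "no-luks"
        }'
}

# Constructed lsblk output: the layout the post describes (names invented).
SAMPLE_ENCRYPTED='NAME="xvda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="xvda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
NAME="xvda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="docker_data" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/var/lib/docker"'

# Constructed: assumed layout of a worker created with encryption disabled.
SAMPLE_PLAIN='NAME="xvda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="xvda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
NAME="xvda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/var/lib/docker"'

for sample in "$SAMPLE_ENCRYPTED" "$SAMPLE_PLAIN"; do
    printf '%s\n' "$sample" | disk_encryption_state /var/lib/docker
done
```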

You might find that some workloads with high-performance disk I/O requirements are impacted when encrypted. In some of our performance tests with encryption enabled, we saw a single-digit percentage disk I/O impact, but in most there was no impact. If you have performance-sensitive workloads, you might want to run benchmark tests with encryption both enabled and disabled to help you decide whether to turn off encryption.

How to get started

From the IBM Cloud console GUI, encryption is already turned on for you. If you want to turn off encryption, clear the Encrypt local disk check box when you create a cluster or add a worker to an existing cluster.

From the CLI, to take advantage of default encryption, first update your plug-in with the following command:

bx plugin update container-service -r Bluemix

Now, encryption is turned on by default when you create a cluster or add a worker to an existing cluster! If you want to disable encryption, specify the --disable-disk-encrypt option when using the cluster-create or the worker-add commands.

Questions or comments?

Please join us on our public Slack channel at https://ibm-container-service.slack.com.
