December 14, 2017 By jason-mcalpin 2 min read

Encrypted Workers in the IBM Cloud Container Service

The IBM Cloud Container Service combines Docker and Kubernetes to deliver powerful tools, an intuitive user experiences, and built-in security and isolation. You can rapidly deliver your apps while leveraging IBM Cloud services like artificial intelligence with Watson.

Today, we are proud to announce that we are turning on encryption of worker nodes by default. Many internal teams and external customers asked us for encrypted data volumes on worker nodes, and we listened to you!

What this means for you

As of today, this change makes your data in new clusters and workers that you create even more secure by default.

IBM Cloud Container Service provides encrypted data partitions for all worker nodes by provisioning them with two local SSD partitions. The first boot partition is not encrypted, and the second partition mounted to /var/lib/docker is unlocked at boot time by using LUKS encryption keys. Each worker in each Kubernetes cluster has its own unique LUKS encryption key, managed by the IBM Cloud Container Service. At boot time, they are pulled securely and then discarded after the encrypted disk is unlocked.

You might find that some workloads with high-performance disk I/O requirements are impacted when encrypted. In some of our encrypted performance tests, we saw single-digit percentage disk I/O impact, but in most there was no impact. If you have performance-sensitive workloads, you might want to do benchmarks tests with both encryption-enabled and disabled to help you decide if you want to turn off encryption.

How to get started

From the IBM Cloud console GUI, encryption is already turned on for you. If you want to turn off encryption, clear the Encrypt local disk check box (see below) when you create a cluster or add a worker to an existing cluster.

From the CLI, to take advantage of default encryption, first update your plug-in with the following command:

bx plugin update container-service -r Bluemix

Now, encryption is turned on by default when you create a cluster or add a worker to an existing cluster! If you want to disable encryption, specify the --disable-disk-encrypt option when using the cluster-create or the worker-add commands.

Questions or comments?

Please join us on our public Slack channel at https://ibm-container-service.slack.com.

More from Announcements

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

IBM and MuleSoft expand global relationship to accelerate modernization on IBM Power 

2 min read - As companies undergo digital transformation, they rely on APIs as the backbone for providing new services and customer experiences. While APIs can simplify application development and deliver integrated solutions, IT shops must have a robust solution to effectively manage and govern them to ensure that response times and costs are kept low for all applications. Many customers use Salesforce’s MuleSoft, named a leader by Gartner® in full lifecycle API management for seven consecutive times, to manage and secure APIs across…

IBM Consulting augments expertise with AWS Competencies: A win-win for clients 

3 min read - In today's dynamic economic landscape, businesses demand continuous innovation and speed of execution. At IBM Consulting®, our unwavering focus on partnerships and shared commitment to delivering enterprise-level solutions to mutual clients have been core to our success.   We are thrilled to announce that IBM® has recently gained five competencies from Amazon Web Services (AWS) in vital domains including Cloud Operations, Internet of Things (IoT), Life Sciences, Mainframe Modernization, and Telecommunications. With these credentials, IBM further establishes its position as a…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters