Compute Infrastructure

Encrypted Workers in the IBM Cloud Container Service

Share this post:

The IBM Cloud Container Service combines Docker and Kubernetes to deliver powerful tools, an intuitive user experiences, and built-in security and isolation. You can rapidly deliver your apps while leveraging IBM Cloud services like artificial intelligence with Watson.

Today, we are proud to announce that we are turning on encryption of worker nodes by default. Many internal teams and external customers asked us for encrypted data volumes on worker nodes, and we listened to you!

What this means for you

As of today, this change makes your data in new clusters and workers that you create even more secure by default.

IBM Cloud Container Service provides encrypted data partitions for all worker nodes by provisioning them with two local SSD partitions. The first boot partition is not encrypted, and the second partition mounted to /var/lib/docker is unlocked at boot time by using LUKS encryption keys. Each worker in each Kubernetes cluster has its own unique LUKS encryption key, managed by the IBM Cloud Container Service. At boot time, they are pulled securely and then discarded after the encrypted disk is unlocked.

You might find that some workloads with high-performance disk I/O requirements are impacted when encrypted. In some of our encrypted performance tests, we saw single-digit percentage disk I/O impact, but in most there was no impact. If you have performance-sensitive workloads, you might want to do benchmarks tests with both encryption-enabled and disabled to help you decide if you want to turn off encryption.

How to get started

From the IBM Cloud console GUI, encryption is already turned on for you. If you want to turn off encryption, clear the Encrypt local disk check box (see below) when you create a cluster or add a worker to an existing cluster.

From the CLI, to take advantage of default encryption, first update your plug-in with the following command:

bx plugin update container-service -r Bluemix

Now, encryption is turned on by default when you create a cluster or add a worker to an existing cluster! If you want to disable encryption, specify the --disable-disk-encrypt option when using the cluster-create or the worker-add commands.

Questions or comments?

Please join us on our public Slack channel at https://ibm-container-service.slack.com.

IBM Cloud Kubernetes Service - Core Dev Lead

More Compute Infrastructure stories
April 2, 2019

New, 2nd-Gen Intel® Xeon® Scalable Processors Now Available on IBM Cloud

The new, 2nd-Gen Intel® Xeon® Scalable Processors (formerly code-named "Cascade Lake") are finally here, and they are officially available in monthly IBM Cloud bare metal servers in IBM Cloud data centers around the globe.

Continue reading

April 1, 2019

IBM Cloud Foundry Enterprise Environment Now Offers a Tech Preview of Project Eirini

Some of the leading cloud vendors—including IBM, SUSE, SAP, Google, and Pivotal—are all working together on a Cloud Foundry project called Project Eirini that endeavors to combine the benefits of Cloud Foundry and Kubernetes.

Continue reading

April 1, 2019

Now Taking Reservations for Bare Metal on IBM Cloud

We’re pleased to announce the release of IBM Cloud Reserved Bare Metal Servers, which allow you to reserve up to 20 servers at a time, in a specific data center location, and claim that capacity any time you need it for advanced planning needs or crucial times.

Continue reading