Setting up volumes for contracts (Optional)

You can set up encrypted persistent block volumes for your contract to provide secure storage for workloads running inside the IBM Confidential Computing Containers pod. This feature is optional and requires setting up storage infrastructure and configuring volume resources before they can be used in your contract.

About setting up volumes

Setting up volumes for contracts involves preparing your storage infrastructure and configuring encrypted persistent block storage that can be attached to your confidential containers. This storage is encrypted using seeds provided by both the Solution Provider (workload seed) and the Data Owner (data seed), ensuring that data remains secure and accessible only within the trusted execution environment.

Key characteristics of volumes in contracts:

  • Volumes use persistent block storage provisioned through a storage operator (for example, Red Hat OpenShift Data Foundation (ODF) or Fusion Data Foundation (FDF)).
  • Each volume is encrypted using a unique seed derived from two inputs: the workload seed supplied by the Solution Provider and the data seed supplied by the Data Owner. These are combined into a single encryption seed, so both inputs must be preserved unchanged to keep the data accessible across pod restarts.
  • Volumes support multiple filesystem types including ext4 and xfs.
  • Multiple volumes can be attached to a single container or across multiple containers.
  • If either seed is lost or changed, the combined encryption seed cannot be reconstructed and the data on the volume is permanently lost.

Prerequisites

  • A storage operator (for example, Red Hat OpenShift Data Foundation (ODF) or Fusion Data Foundation (FDF)) is installed and configured in your OpenShift cluster.
  • A storage cluster is created and managed by the storage operator.
  • A storage class for block volumes is available (for example, ocs-storagecluster-odf-ceph-rbd for ODF or ocs-storagecluster-ceph-rbd for FDF).
  • You have the necessary permissions to create PersistentVolumeClaims in your namespace.

Note: For production use cases, it is recommended to use dedicated secondary block storage devices (such as IBM DASD devices) for OpenShift compute nodes and enterprise storage with high availability and disaster recovery capabilities.

Setup workflow overview

Setting up volumes for contracts requires coordinated actions from multiple personas:

  1. Environment Operator: Sets up the storage operator and storage cluster, then shares the storage class name with the Data Owner.
  2. Data Owner: Creates PersistentVolumeClaims (PVCs) and defines device names, then shares PVC details with the Solution Provider.
  3. Solution Provider: Adds volume configuration to the workload section with mount points, filesystem types, and workload seeds.
  4. Data Owner: Adds volume configuration to the environment section with data seeds.
  5. Auditor: Signs the contract including volume configurations.
  6. Data Owner: Deploys the pod with volume attachments.
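As an added example that is not part of the product documentation, the following shows the Data Owner's PersistentVolumeClaim from step 2 alongside the workload-section and environment-section volume entries from steps 3 and 4, so that the values that must agree across personas (volume name, seeds) are visible in one place. The volume name, namespace, size and seed strings are constructed placeholders; the contract key names (`type`, `volumes`, `mount`, `filesystem`, `seed`) follow the Hyper Protect contract convention and are an assumption to confirm against the contract schema reference, and the PVC is requested in Block mode on the assumption that the pod handles encryption and filesystem creation itself. How the PVC and device name are referenced from the environment section is not shown here.

```yaml
# Added example, not from the product documentation. Placeholder values are
# marked as such; contract key names are an assumption based on the Hyper
# Protect contract convention and must be checked against the schema reference.
#
# Step 2 (Data Owner): a raw block PVC on the storage class shared by the
# Environment Operator. Block mode (assumed here) leaves encryption and
# filesystem creation to the confidential pod rather than to the CSI driver.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-vol-1            # constructed name, shared with the Solution Provider
  namespace: ccc-workloads    # placeholder namespace
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Block
  storageClassName: ocs-storagecluster-odf-ceph-rbd   # ODF class from the prerequisites
  resources:
    requests:
      storage: 20Gi           # constructed size
---
# Step 3 (Solution Provider): workload section. The entry name must match the
# name the Data Owner uses in the environment section so that both seeds are
# combined for the same volume.
workload:
  type: workload
  volumes:
    data-vol-1:
      mount: /mnt/data        # mount point inside the container
      filesystem: ext4        # ext4 or xfs are the supported filesystem types
      seed: "WORKLOAD-SEED-PLACEHOLDER"   # keep unchanged across redeployments
---
# Step 4 (Data Owner): environment section, contributing the data seed for the
# same volume. Changing either seed yields a different combined seed, and the
# data already on the volume can no longer be unlocked.
env:
  type: env
  volumes:
    data-vol-1:
      seed: "DATA-SEED-PLACEHOLDER"       # keep unchanged across redeployments
```

The two seed values should be stored and backed up with the same care as encryption keys, since no other component can recover a volume once either of them is gone.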