Data encryption options
Encryption lets you encode your data so that it is impossible to read without the required encryption keys. This mechanism protects the confidentiality of your data in the event of a physical security breach that results in physical media leaving your custody. Per-PV encryption also protects data from access by other namespaces inside the same OpenShift Container Platform cluster. Data is encrypted when it is written to disk and decrypted when it is read from disk. Working with encrypted data might incur a small performance penalty.
Encryption is only supported for new clusters deployed using IBM Fusion Data Foundation 4.12 or higher. An existing encrypted cluster that is not using an external Key Management System (KMS) cannot be migrated to use an external KMS.
- KMS is required for Storage Class encryption, and is optional for cluster-wide encryption.
- Storage class encryption requires a valid IBM Fusion Data Foundation subscription.
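As an added illustration that is not part of the original page, the following StorageClass manifest shows where storage class (per-PV) encryption and its KMS reference are enabled for the Ceph RBD provisioner. The storage class name and the `encryptionKMSID` value `vault-kms` are assumed placeholders; the KMS connection that the ID refers to must already be configured in the cluster before PVCs using this class can be provisioned.

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  # Constructed name for this example; choose your own
  name: ocs-storagecluster-ceph-rbd-encrypted
provisioner: openshift-storage.rbd.csi.ceph.com
parameters:
  clusterID: openshift-storage
  pool: ocs-storagecluster-cephblockpool
  imageFeatures: layering
  csi.storage.k8s.io/fstype: ext4
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage
  # Turn on per-PV encryption: each volume gets its own data encryption key
  encrypted: "true"
  # Assumed placeholder: must match a KMS connection ID configured
  # in the cluster (storage class encryption requires a KMS)
  encryptionKMSID: vault-kms
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: Immediate
```

Volumes provisioned from a class without `encrypted: "true"` are not affected; a PVC bound to this class fails to provision if the KMS ID cannot be resolved, which is the expected behaviour rather than a silent fallback to unencrypted storage.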
IBM works with technology partners to provide this documentation as a service to customers. However, IBM does not provide support for the HashiCorp product. For technical assistance with this product, contact HashiCorp.