Creating a storage class for persistent volume encryption

Create a storage class for persistent volume (PV) encryption.

Before you begin

Based on your use case, ensure that you configure access to the key management system (KMS) for one of the following options:

Procedure

  1. In the Red Hat® OpenShift® Container Platform web console, go to Storage > StorageClasses.
  2. Enter the storage class Name and Description.
  3. Select either Delete or Retain for the Reclaim Policy.

    Delete is selected by default.

  4. Select either Immediate or WaitForConsumer for the Volume binding mode.

    WaitForConsumer is selected by default.

  5. Select RBD Provisioner openshift-storage.rbd.csi.ceph.com which is the plugin used for provisioning the persistent volumes.
  6. Select Storage Pool where the volume data is stored from the list or create a new pool.
  7. Select the Enable encryption checkbox.

    Choose one of the following options to set the KMS connection details:

    • Choose existing KMS connection: Select an existing KMS connection from the drop-down list. The list is populated from the connection details available in the csi-kms-connection-details ConfigMap.
      1. Select the Provider from the drop-down list.
      2. Select the Key service for the given provider from the list.
    • Create new KMS connection: This is applicable for vaulttokens and Thales CipherTrust Manager (using KMIP) only.

      1. Select one of the following Key Management Service Provider and provide the required details.

        • Vault
          1. Enter a unique Connection Name, host Address of the Vault server ('https://<hostname or ip>'), Port number and Token.

          2. Expand Advanced Settings to enter additional settings and certificate details based on your Vault configuration:

            1. Enter the Key Value secret path in Backend Path that is dedicated and unique to Fusion Data Foundation.
            2. Optional: Enter TLS Server Name and Vault Enterprise Namespace.
            3. Upload the respective PEM encoded certificate file to provide the CA Certificate, Client Certificate, and Client Private Key.
            4. Click Save.
        • Thales CipherTrust Manager (using KMIP)
          1. Enter a unique Connection Name.
          2. In the Address and Port sections, enter the IP of Thales CipherTrust Manager and the port where the KMIP interface is enabled. For example, Address: 123.34.3.2, Port: 5696.
          3. Upload the Client Certificate, CA certificate, and Client Private Key.
          4. Enter the Unique Identifier for the key to be used for encryption and decryption, generated above.
          5. The TLS Server field is optional and used when there is no DNS entry for the KMIP endpoint. For example, kmip_all_<port>.ciphertrustmanager.local.

        • Azure Key Vault (Only for Azure users on Azure platform)

          For information about setting up client authentication and fetching the client credentials, see the Prerequisites in Creating an OpenShift Data Foundation cluster section of the Deploying OpenShift Data Foundation using Microsoft Azure guide.

          1. Enter a unique Connection name for the key management service within the project.
          2. Enter Azure Vault URL.
          3. Enter Client ID.
          4. Enter Tenant ID.
          5. Upload Certificate file in .PEM format and the certificate file must include a client certificate and a private key.
      2. Click Save.
      3. Click Create.
  8. Edit the ConfigMap to add the vaultBackend parameter if the HashiCorp Vault setup does not allow automatic detection of the Key/Value (KV) secret engine API version used by the backend path.
    Note: vaultBackend is an optional parameters that is added to the ConfigMap to specify the version of the KV secret engine API associated with the backend path. Ensure that the value matches the KV secret engine API version that is set for the backend path, otherwise it might result in a failure during persistent volume claim (PVC) creation.
    1. Identify the encryptionKMSID being used by the newly created storage class.
      1. From the Red Hat OpenShift Container Platform web console, go to Storage > Storage Classes.
      2. Click the storage class name and go to the YAML tab.
      3. Capture the encryptionKMSID being used by the storage class.
        For example: 
        encryptionKMSID: 1-vault
    2. Go to Workloads > ConfigMaps.
    3. View the KMS connection details, by clicking csi-kms-connection-details.
    4. Edit the ConfigMaps.
      1. Click Action menu > Edit ConfigMap.
      2. Add the vaultBackend parameter depending on the backend that is configured for the previously identified encryptionKMSID.

        You can assign kv for KV secret engine API, version 1 and kv-v2 for KV secret engine API, version 2.

        Example:
         kind: ConfigMap
 apiVersion: v1
 metadata:
   name: csi-kms-connection-details
 [...]
 data:
   1-vault: |-
     {
       "encryptionKMSType": "vaulttokens",
       "kmsServiceName": "1-vault",
       [...]
       "vaultBackend": "kv-v2"
     }
   2-vault: |-
     {
       "encryptionKMSType": "vaulttenantsa",
       [...]
       "vaultBackend": "kv"
     }
      3. Click Save.

What to do next

The storage class can be used to create encrypted persistent volumes. For more information, see Managing persistent volume claims.

Important: IBM works with the technology partners to provide this documentation as a service to the customers. However, IBM does not provide support for the HashiCorp product. For technical assistance with this product, contact HashiCorp.