Persistent volume encryption

Persistent volume (PV) encryption protects tenant data by securing RADOS Block Device (RBD) PVs through an encryption-enabled storage class. Configure access to an external key management system (KMS), such as Vault or CipherTrust, before creating the storage class.

PV encryption ensures data isolation and confidentiality between tenants (applications). Before you can use PV encryption, you must create a storage class for PV encryption. Persistent volume encryption is only available for RBD PVs.

Fusion Data Foundation supports storing encryption passphrases in HashiCorp Vault and Thales CipherTrust Manager. You can create an encryption-enabled storage class by using a KMS for persistent volume encryption. You need to configure access to the KMS before creating the storage class.