Encryption
IBM Storage Scale container native supports remote mount of an encrypted file system. Encryption is managed through encryption keys that are stored on a key server.
The following key servers are supported:
- IBM Security Guardium Key Lifecycle Manager (SKLM)
EncryptionConfig spec
The following table describes the properties of EncryptionConfig:

Property | Required | Default | Description |
---|---|---|---|
metadata.name | Yes | None | The name of the CR. |
server | Yes | None | The host name or IP address of the key server on which the encryption keys are stored. |
backupServers | No | None | The backup key servers configured for high availability. |
port | No | None | Overrides the default port of the key server. |
cacert | No | None | The ConfigMap holding the CA and endpoint certificates used when adding or renewing the key server certificate chain. |
secret | Yes | None | The name of the basic-auth secret containing the username and password for the key server. |
tenant | Yes | None | The tenant on the key server that contains the encryption keys. It must be the same tenant that stores the encryption keys of the remote storage file system. |
client | Yes | None | The key client used to communicate with the key server. |
remoteRKM | Yes | None | The RKM ID on the storage cluster that corresponds to the given key server and tenant. |
Deleting an EncryptionConfig custom resource does not delete the encryption configuration from the IBM Storage Scale container native cluster.
Updating the client and tenant fields is not recommended, because it causes loss of the master encryption keys for that tenant.
For more information, enter the oc explain encryptionconfig.spec command.
EncryptionConfig status
Status conditions can be viewed as a snapshot of the current and most up-to-date status of an EncryptionConfig instance.
- The Success condition is set to True if the EncryptionConfig is successfully configured.
Examples
To give IBM Storage Scale container native access to the encryption key server, an EncryptionConfig custom resource must be created. The configuration must use the same key server and tenant that are configured on the storage cluster hosting the file system. You can define more than one EncryptionConfig custom resource.
For more information, see Encryption in the IBM Storage Scale documentation.
Pre-requisites
- Create a secret containing the administrator username and password credentials for the key server. These credentials grant administrative access to the key server, so restrict who can read the secret.

  ```shell
  oc create secret generic keyserver-credentials -n ibm-spectrum-scale \
    --from-literal=username=<keyserver_admin_name> \
    --from-literal=password=<keyserver_admin_password>
  ```

- If using CA certificates, create the ConfigMap holding the CA certificate chain.
  - Obtain the CA certificates and the endpoint/server certificate. Separate the root certificate, the intermediate certificates and the endpoint certificate into the following .crt files:
    - Root certificate: root.crt
    - Intermediate certificates: intermediate<numeric_index>.crt
    - Server or endpoint certificate: endpoint.crt
  - Create the ConfigMap with the following command (the subcommand is the lowercase `configmap`):

    ```shell
    oc create configmap sample-ca-cert \
      --from-file=/path/to/root.crt \
      --from-file=/path/to/intermediate1.crt \
      --from-file=/path/to/intermediate2.crt \
      --from-file=/path/to/intermediate3.crt \
      --from-file=/path/to/endpoint.crt \
      -n ibm-spectrum-scale
    ```

- Encryption details from the storage cluster, specifically the tenant and the RKM ID.

If the core pods are unable to resolve the IP address of the IBM SKLM server, you can add hostAliases entries in the Cluster custom resource. For more information, see Cluster.
Configure EncryptionConfig custom resource
The following steps describe creating an EncryptionConfig CR.
- Download a copy of the sample encryptionconfig.remote.yaml from the GitHub repository.

  ```shell
  curl -fs https://raw.githubusercontent.com/IBM/ibm-spectrum-scale-container-native/v5.2.1.x/generated/scale/cr/encryptionconfig/encryptionconfig.remote.yaml > encryptionconfig.remote.yaml || echo "Failed to download EncryptionConfig sample CR"
  ```

- Make changes specific to your installation. For more information about the EncryptionConfig specification, see EncryptionConfig spec.
  - Replace keyserver.example.com with your key server host name.
  - Replace keyserver1.example.com, keyserver2.example.com, etc. with your backup key server host names.
  - Replace sampleTenant with your tenant name.
  - Replace sampleClient with your client name.
  - Replace sampleRKM with your RKM ID.
  - If using self-signed certificates, comment out the cacert field in the spec.
- Apply the EncryptionConfig yaml using the following command:

  ```shell
  oc apply -f encryptionconfig.remote.yaml
  ```

Once deployed, use the command oc edit encryptionconfig <encryptionconfig-name> -n ibm-spectrum-scale to modify properties of the resource.
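The following script ties the prerequisites and the CR together: it splits a PEM bundle into the root.crt, intermediate<n>.crt and endpoint.crt entries the cacert ConfigMap expects, assembles an EncryptionConfig manifest while enforcing the required fields from the spec table (and leaving cacert out for the self-signed case), and reads the Success condition from a fetched resource. It is an added example, not code from the IBM Storage Scale container native project. The apiVersion scale.spectrum.ibm.com/v1beta1, the list type of backupServers, the integer type of port and the Kubernetes-style shape of status.conditions are assumptions; the PEM bodies in the sample bundle are constructed placeholders, not real certificates.

```python
"""Prepare an EncryptionConfig and its CA ConfigMap, and read back its status.

Added example; not code from the IBM Storage Scale container native project.
Assumptions not confirmed by the page: apiVersion scale.spectrum.ibm.com/v1beta1,
backupServers is a list, port is an integer, and status.conditions uses the
usual Kubernetes shape ({"type": "Success", "status": "True", ...}).
`oc apply -f` accepts JSON as well as YAML, so json.dump suffices for output.
"""
import json
import re

API_VERSION = "scale.spectrum.ibm.com/v1beta1"  # assumption; verify with oc api-resources
REQUIRED_SPEC_FIELDS = ("server", "secret", "tenant", "client", "remoteRKM")

# One PEM block per certificate; the non-greedy body stops at the first END marker.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_bundle(bundle: str) -> list:
    """Split a concatenated PEM bundle into one normalised block per certificate.

    Key servers usually export the chain as one bundle, while the ConfigMap layout
    on this page wants root, intermediates and endpoint as separate files. Only the
    PEM framing is validated; chain order and signatures must be checked separately
    (for example with openssl verify).
    """
    certs = []
    for body in PEM_CERT_RE.findall(bundle):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", "".join(lines)):
            raise ValueError("certificate body is not base64")
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return certs


def cacert_configmap(name: str, certs: list, namespace: str = "ibm-spectrum-scale") -> dict:
    """Build the ConfigMap referenced by spec.cacert from a chain ordered root first,
    endpoint (server) certificate last, using the file names the page prescribes."""
    if len(certs) < 2:
        raise ValueError("need at least the root and the endpoint certificate")
    data = {"root.crt": certs[0], "endpoint.crt": certs[-1]}
    for index, cert in enumerate(certs[1:-1], start=1):
        data[f"intermediate{index}.crt"] = cert
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


def build_encryptionconfig(name: str, *, server: str, secret: str, tenant: str,
                           client: str, remote_rkm: str, backup_servers=(),
                           port=None, cacert=None,
                           namespace: str = "ibm-spectrum-scale") -> dict:
    """Assemble the EncryptionConfig manifest, enforcing the spec table's rules."""
    spec = {"server": server, "secret": secret, "tenant": tenant,
            "client": client, "remoteRKM": remote_rkm}
    missing = [field for field in REQUIRED_SPEC_FIELDS if not spec[field]]
    if not name:
        missing.insert(0, "metadata.name")
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    if backup_servers:
        spec["backupServers"] = list(backup_servers)  # assumed list type
    if port is not None:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
        spec["port"] = int(port)  # assumed integer type
    # Self-signed key server certificate: omit cacert, matching the page's
    # "comment out the cacert field" instruction.
    if cacert:
        spec["cacert"] = cacert
    return {"apiVersion": API_VERSION, "kind": "EncryptionConfig",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def is_configured(encryptionconfig: dict) -> bool:
    """True only when the Success condition reports status "True"."""
    conditions = (encryptionconfig.get("status") or {}).get("conditions") or []
    for cond in conditions:
        if cond.get("type") == "Success":
            return cond.get("status") == "True"
    return False


# Constructed sample bundle with placeholder bodies, not real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBconstructedRootCertificateBody
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateBody
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedEndpointBody
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    chain = split_pem_bundle(SAMPLE_BUNDLE)
    with open("sample-ca-cert.json", "w") as fh:
        json.dump(cacert_configmap("sample-ca-cert", chain), fh, indent=2)
    manifest = build_encryptionconfig(
        "sklm-remote", server="keyserver.example.com",
        backup_servers=["keyserver1.example.com", "keyserver2.example.com"],
        secret="keyserver-credentials", tenant="sampleTenant",
        client="sampleClient", remote_rkm="sampleRKM", cacert="sample-ca-cert")
    with open("encryptionconfig.remote.json", "w") as fh:
        json.dump(manifest, fh, indent=2)
    print("wrote sample-ca-cert.json and encryptionconfig.remote.json")
```

After applying the generated files with oc apply -f, feed the live object to is_configured by loading the output of `oc get encryptionconfig <name> -n ibm-spectrum-scale -o json`; the same check can be done directly with the jsonpath filter `-o jsonpath='{.status.conditions[?(@.type=="Success")].status}'`, which prints True once the resource is configured.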