Encryption
IBM Storage Scale container native supports remote mount of an encrypted file system. Encryption is managed through encryption keys stored on a key server; the container native cluster never holds the master encryption keys itself, it only needs access to the same key server and tenant as the storage cluster that owns the file system.
The following key servers are supported:
- IBM Security Guardium Key Lifecycle Manager (SKLM)
EncryptionConfig spec
The following table describes the properties for EncryptionConfig:
| Property | Required | Default | Description |
|---|---|---|---|
| metadata.name | Yes | None | The name of the CR. |
| server | Yes | None | The key server host name or IP address on which the encryption keys are stored. |
| backupServers | No | None | The backup key servers configured for high availability. This field is optional. |
| port | No | None | Overrides the default port for the key server. |
| cacert | No | None | The ConfigMap storing the CA and endpoint certificates used while adding or renewing the key server certificate chain. |
| secret | Yes | None | The name of the basic-auth secret containing the username and password for the key server. |
| tenant | Yes | None | The tenant name on the key server that contains the encryption keys. This must be the same tenant name that is used to store the encryption keys of the remote storage file system. |
| client | Yes | None | The key client used to communicate with the key server. |
| remoteRKM | Yes | None | The RKM ID from the storage cluster corresponding to the given key server and tenant. |
Deleting an EncryptionConfig custom resource does not delete the encryption configuration from the IBM Storage Scale container native cluster.
Updating the client or tenant fields of an existing EncryptionConfig is not recommended, because doing so causes loss of the master encryption keys for that tenant.
For more information, enter the oc explain encryptionconfig.spec command.
EncryptionConfig status
Status conditions can be viewed as a snapshot of the current and most up-to-date status of an EncryptionConfig instance.
- The Success condition is set to True if the EncryptionConfig is successfully configured.
Examples
To give IBM Storage Scale container native access to the encryption key server, an EncryptionConfig custom resource must be created. The configuration must reference the same key server and tenant as configured on the storage cluster hosting the file system. You can define more than one EncryptionConfig custom resource.
For more information, see Encryption in IBM Storage Scale documentation.
Pre-requisites
- Create a secret containing the administrator username and password credentials for the key server:

  ```bash
  oc create secret generic keyserver-credentials -n ibm-spectrum-scale \
    --from-literal=username=<keyserver_admin_name> \
    --from-literal=password=<keyserver_admin_password>
  ```
- If using CA certificates, create the ConfigMap holding the CA certificate chain.
  - Obtain the CA certificates and the endpoint/server certificate. Separate the root certificate, the intermediate certificates and the endpoint certificate into the following .crt files:
    - Root certificate: root.crt
    - Server or endpoint certificate: endpoint.crt
    - Intermediate certificates: intermediate<numeric_index>.crt
  - Create the ConfigMap with the following command (the resource type is the lowercase configmap):

    ```bash
    oc create configmap sample-ca-cert \
      --from-file=/path/to/root.crt \
      --from-file=/path/to/intermediate1.crt \
      --from-file=/path/to/intermediate2.crt \
      --from-file=/path/to/intermediate3.crt \
      --from-file=/path/to/endpoint.crt \
      -n ibm-spectrum-scale
    ```
- Encryption details from the storage cluster, specifically the tenant name and the RKM ID.
If the core pods are unable to resolve the hostname of the IBM SKLM server, you can add hostAliases entries in the Cluster custom resource. For more information, see Cluster.
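The certificate step above expects one file per certificate, but key servers and most export tools hand you a single PEM bundle. The following script is an added example, not part of the IBM documentation or the operator's own tooling. It splits a bundle into endpoint.crt, intermediate<N>.crt and root.crt under the assumption that the bundle is in the order a TLS server presents its chain (endpoint first, root last); if your export orders the chain differently, or the server omits its root (common), obtain root.crt separately from the SKLM administrator. The verify_chain helper uses the standard openssl verify command to confirm that the split files form a valid chain before you load them into the ConfigMap.

```bash
#!/bin/sh
# Added example (not from the IBM documentation): split a PEM bundle into the
# separate .crt files the cacert ConfigMap expects, then verify the chain.
# Assumption: bundle order is endpoint, intermediate(s), root.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Writes endpoint.crt, intermediate1.crt.. and root.crt into OUTDIR and prints
# the number of certificates found. Returns 1 if the bundle holds none.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  # Number each certificate block cert-1.pem, cert-2.pem, ... and report the count.
  count=$(awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    n { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
    END { print n + 0 }
  ' "$bundle")
  [ "$count" -ge 1 ] || { echo "no certificates found in $bundle" >&2; return 1; }
  # First certificate is the endpoint, last is the root, the rest are intermediates.
  mv "$outdir/cert-1.pem" "$outdir/endpoint.crt"
  if [ "$count" -ge 2 ]; then
    mv "$outdir/cert-$count.pem" "$outdir/root.crt"
  else
    echo "bundle holds only the endpoint certificate; obtain root.crt separately" >&2
  fi
  i=2; idx=1
  while [ "$i" -lt "$count" ]; do
    mv "$outdir/cert-$i.pem" "$outdir/intermediate$idx.crt"
    i=$((i + 1)); idx=$((idx + 1))
  done
  echo "$count"
}

# verify_chain OUTDIR
# Checks that endpoint.crt chains to root.crt through any intermediates.
# Returns 2 if openssl is not installed, so a skipped check is not mistaken for success.
verify_chain() {
  dir="$1"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping chain verification" >&2; return 2; }
  [ -f "$dir/root.crt" ] || { echo "no root.crt to verify against" >&2; return 1; }
  if ls "$dir"/intermediate*.crt >/dev/null 2>&1; then
    cat "$dir"/intermediate*.crt > "$dir/untrusted.pem"
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/untrusted.pem" "$dir/endpoint.crt"
  else
    openssl verify -CAfile "$dir/root.crt" "$dir/endpoint.crt"
  fi
}

# Usage: sh split-chain.sh /path/to/bundle.pem ./certs
if [ $# -ge 1 ]; then
  n=$(split_pem_bundle "$1" "${2:-./certs}")
  echo "wrote $n certificate file(s) to ${2:-./certs}"
  verify_chain "${2:-./certs}"
fi
```

After the split, pass each resulting .crt file to oc create configmap with --from-file exactly as in the step above; the file names become the ConfigMap keys, so keep root.crt, endpoint.crt and intermediate<N>.crt as the names.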
Configure EncryptionConfig custom resource
The following steps describe creating an EncryptionConfig CR.
- Download a copy of the sample encryptionconfig.remote.yaml from the GitHub repository:

  ```bash
  curl -fs https://raw.githubusercontent.com/IBM/ibm-spectrum-scale-container-native/v5.2.1.x/generated/scale/cr/encryptionconfig/encryptionconfig.remote.yaml > encryptionconfig.remote.yaml || echo "Failed to download EncryptionConfig sample CR"
  ```
- Make changes specific to your installation. For more information about the EncryptionConfig specification, see EncryptionConfig spec.
  - Replace keyserver.example.com with your key server hostname.
  - Replace keyserver1.example.com, keyserver2.example.com, etc. with your backup key server hostnames.
  - Replace sampleTenant with your tenant name.
  - Replace sampleClient with your client name.
  - Replace sampleRKM with your RKM ID.
  - If using self-signed certificates, comment out the cacert field in the spec.
- Apply the EncryptionConfig yaml using the following command:

  ```bash
  oc apply -f encryptionconfig.remote.yaml
  ```
Once deployed, use the command oc edit encryptionconfig <encryptionconfig-name> -n ibm-spectrum-scale to modify properties of the resource. Avoid changing the client or tenant of an existing resource; see the caution under EncryptionConfig spec.
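The steps above edit a downloaded sample by hand. As an added example (not the project's sample file or the operator's own code), the script below renders an EncryptionConfig manifest from the values gathered in the pre-requisites, refusing to emit one with a required field missing, leaving cacert out when the key server uses a self-signed certificate, and emitting backupServers as a list. It assumes apiVersion scale.spectrum.ibm.com/v1beta1 (confirm against the downloaded sample), that backupServers is a YAML list, and the ibm-spectrum-scale namespace used elsewhere on this page. The check_encryptionconfig_success helper reads the Success condition described under EncryptionConfig status.

```bash
#!/bin/sh
# Added example (not from the IBM documentation): render and apply an
# EncryptionConfig CR. Assumed: apiVersion scale.spectrum.ibm.com/v1beta1,
# backupServers as a YAML list, namespace ibm-spectrum-scale.
set -eu

# require_value FIELD VALUE: fail with a clear message when a required field is empty.
require_value() {
  [ -n "$2" ] || { echo "render_encryptionconfig: $1 is required" >&2; return 1; }
}

# render_encryptionconfig NAME SERVER SECRET TENANT CLIENT RKM [CACERT] [BACKUP_SERVERS]
# Prints the manifest to stdout. Pass "" for CACERT when the key server certificate
# is self-signed (the field is then omitted, matching the "comment out cacert" step).
# BACKUP_SERVERS is a space-separated list of hostnames, or "" for none.
render_encryptionconfig() {
  name="$1"; server="$2"; secret="$3"; tenant="$4"; client="$5"; rkm="$6"
  cacert="${7-}"; backups="${8-}"
  require_value metadata.name "$name" || return 1
  require_value server "$server" || return 1
  require_value secret "$secret" || return 1
  require_value tenant "$tenant" || return 1
  require_value client "$client" || return 1
  require_value remoteRKM "$rkm" || return 1
  cat <<EOF
apiVersion: scale.spectrum.ibm.com/v1beta1
kind: EncryptionConfig
metadata:
  name: $name
  namespace: ibm-spectrum-scale
spec:
  server: $server
  secret: $secret
  tenant: $tenant
  client: $client
  remoteRKM: $rkm
EOF
  # Optional fields: only written when a value was supplied.
  if [ -n "$cacert" ]; then
    printf '  cacert: %s\n' "$cacert"
  fi
  if [ -n "$backups" ]; then
    echo '  backupServers:'
    for b in $backups; do
      printf '    - %s\n' "$b"
    done
  fi
}

# check_encryptionconfig_success NAME
# Prints "True" once the operator has set the Success condition on the resource.
check_encryptionconfig_success() {
  oc get encryptionconfig "$1" -n ibm-spectrum-scale \
    -o jsonpath='{.status.conditions[?(@.type=="Success")].status}'
}

# Usage (values are placeholders, as in the sample CR):
#   render_encryptionconfig sample-encryption keyserver.example.com keyserver-credentials \
#     sampleTenant sampleClient sampleRKM sample-ca-cert \
#     "keyserver1.example.com keyserver2.example.com" | oc apply -f -
#   check_encryptionconfig_success sample-encryption
```

Because the script never writes the manifest to disk, the key server credentials stay in the keyserver-credentials secret referenced by name; the manifest itself carries nothing sensitive and can be kept in version control.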