Encryption

IBM Storage Scale container native supports remote mount of an encrypted file system. Encryption is managed through encryption keys stored on a key server.

The following key servers are supported:

EncryptionConfig spec

The following table describes the properties of EncryptionConfig:

Table 1. EncryptionConfig property and description

| Property      | Required | Default | Description |
| ------------- | -------- | ------- | ----------- |
| metadata.name | Yes      | None    | The name of the CR. |
| server        | Yes      | None    | The host name or IP address of the key server on which the encryption keys are stored. |
| backupServers | No       | None    | The backup key servers configured for high availability. This field is optional. |
| port          | No       | None    | Overrides the default port of the key server. |
| cacert        | No       | None    | The ConfigMap that stores the CA and endpoint certificates used when adding or renewing the key server certificate chain. |
| secret        | Yes      | None    | The name of the basic-auth secret containing the user name and password for the key server. |
| tenant        | Yes      | None    | The tenant name on the key server that contains the encryption keys. This must be the same tenant name that is used to store the encryption keys of the remote storage file system. |
| client        | Yes      | None    | The key client used to communicate with the key server. |
| remoteRKM     | Yes      | None    | The RKM ID from the storage cluster that corresponds to the given key server and tenant. |

Deleting an EncryptionConfig custom resource does not delete the encryption configuration from the IBM Storage Scale container native cluster.

Updating the client and tenant is not recommended because it causes loss of the master encryption keys for that tenant.

For more information, enter the oc explain encryptionconfig.spec command.

EncryptionConfig status

Status conditions can be viewed as a snapshot of the current and most up-to-date status of an EncryptionConfig instance.

Examples

To give IBM Storage Scale container native access to the encryption key server, an EncryptionConfig custom resource must be created. The configuration must add the same key server and tenant as configured on the storage cluster that hosts the file system. You can define more than one EncryptionConfig custom resource.

For more information, see Encryption in IBM Storage Scale documentation.

Pre-requisites

If the core pods are unable to resolve the IP address of the IBM SKLM server, you can add hostAliases entries in the Cluster custom resource. For more information, see Cluster.

Configure EncryptionConfig custom resource

The following steps describe creating an EncryptionConfig CR.

  1. Download a copy of the sample encryptionconfig.remote.yaml from the GitHub repository.

     curl -fs https://raw.githubusercontent.com/IBM/ibm-spectrum-scale-container-native/v5.2.1.x/generated/scale/cr/encryptionconfig/encryptionconfig.remote.yaml > encryptionconfig.remote.yaml || echo "Failed to download EncryptionConfig sample CR"
    
  2. Make changes specific to your installation. For more information about the EncryptionConfig specification, see EncryptionConfig spec.

    • Replace keyserver.example.com with your key server host name
    • Replace keyserver1.example.com, keyserver2.example.com, etc. with your backup key server host names
    • Replace sampleTenant with your tenant name
    • Replace sampleClient with your client name
    • Replace sampleRKM with your RKM ID
    • If using self-signed certificates, comment out the cacert field in the spec

  3. Apply the EncryptionConfig yaml using the following command:

    oc apply -f encryptionconfig.remote.yaml
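The three steps above edit the downloaded sample by hand. As an added example (not part of the IBM page or the project's own tooling), the following POSIX shell script renders the same EncryptionConfig manifest from variables and refuses to emit one when a field that Table 1 marks Required is empty, so a typo in the tenant or RKM ID is caught before `oc apply` rather than by a failed mount. It assumes the apiVersion `scale.spectrum.ibm.com/v1beta1` (not stated on the page), that `backupServers` is a YAML list of host names, and the constructed sample values shown in the usage comment; the variable and function names are the example's own.

```shell
#!/bin/sh
# Added example, not IBM's code. Renders an EncryptionConfig manifest for the
# ibm-spectrum-scale namespace from EC_* variables and validates the required
# fields listed in Table 1 first.

# Returns 0 when every Required field from Table 1 is non-empty; otherwise
# prints the missing field names to stderr and returns 1.
check_required() {
  missing=""
  for pair in "metadata.name=$EC_NAME" "server=$EC_SERVER" "secret=$EC_SECRET" \
              "tenant=$EC_TENANT" "client=$EC_CLIENT" "remoteRKM=$EC_RKM"; do
    key=${pair%%=*}
    val=${pair#*=}
    if [ -z "$val" ]; then
      missing="$missing $key"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing required EncryptionConfig fields:$missing" >&2
    return 1
  fi
  return 0
}

# Prints the manifest to stdout. Optional fields (backupServers, port, cacert)
# are emitted only when set; with self-signed certificates leave EC_CACERT
# empty, which has the same effect as commenting out cacert in step 2.
render_encryptionconfig() {
  check_required || return 1
  cat <<EOF
apiVersion: scale.spectrum.ibm.com/v1beta1
kind: EncryptionConfig
metadata:
  name: ${EC_NAME}
  namespace: ibm-spectrum-scale
spec:
  server: ${EC_SERVER}
EOF
  if [ -n "$EC_BACKUP_SERVERS" ]; then
    echo "  backupServers:"
    for s in $EC_BACKUP_SERVERS; do
      echo "    - $s"
    done
  fi
  if [ -n "$EC_PORT" ]; then
    echo "  port: ${EC_PORT}"
  fi
  if [ -n "$EC_CACERT" ]; then
    echo "  cacert: ${EC_CACERT}"
  fi
  cat <<EOF
  secret: ${EC_SECRET}
  tenant: ${EC_TENANT}
  client: ${EC_CLIENT}
  remoteRKM: ${EC_RKM}
EOF
}

# Usage with constructed sample values (replace every value with your own):
#   EC_NAME=sample-encryption EC_SERVER=keyserver.example.com \
#   EC_BACKUP_SERVERS="keyserver1.example.com keyserver2.example.com" \
#   EC_SECRET=keyserver-credentials EC_TENANT=sampleTenant \
#   EC_CLIENT=sampleClient EC_RKM=sampleRKM \
#   sh -c '. ./encryptionconfig.sh; render_encryptionconfig' > encryptionconfig.remote.yaml
#   oc apply -f encryptionconfig.remote.yaml
```

The script only renders and checks the manifest; applying it is still the `oc apply` from step 3, and a secret named in `secret` must already exist in the ibm-spectrum-scale namespace, which is not checked here.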
    

Once deployed, use the command oc edit encryptionconfig <encryptionconfig-name> -n ibm-spectrum-scale to modify properties of the resource.