Data encryption
Data encryption
For data encryption at rest, the following options are supported:
-
Portworx enterprise
- OpenShift Container Storage
- NFS
IBM Cloud File Storage is not supported.
To support data encryption, use one of the following methods:
Portworx enterprise
Portworx enterprise supports the following methods:
Using a secure storage class:
Watson Machine Learning Accelerator automatically creates PVs when installing the service. Prior to installing the service, update the StorageClass to include the secure parameter in the parameters section and set it to true (secure: "true"). For example:kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: px-secure-sc provisioner: kubernetes.io/portworx-volume parameters: secure: "true" repl: "1" sharedv4: "true" allowVolumeExpansion: trueWatson Machine Learning Accelerator PVs are automatically created as encrypted volumes. To verify that the volumes are encrypted, run:# kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl volume list- Replace $PX_POD with the pod name and use the namespace where Portworx is
installed, for example, kube-system: :
PX_POD=$(oc get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
ID NAME SIZE HA SHARED ENCRYPTED PROXY-VOLUME IO_PRIORITY STATUS SNAP-ENABLED 493086834674820561 pvc-0543222d-5e6c-45fa-b03f-dbfb79e70c4c 15 GiB 1 v4 yes no HIGH up - attached on 10.17.91.67 no 257169161396831496 pvc-739eee29-8cba-4543-aa2e-f4b2621784a8 10 GiB 1 v4 yes no HIGH up - attached on 10.17.92.67 no 330290962982216747 pvc-7ef41c1a-33d1-4652-bbed-bb9b76cbaeaf 20 GiB 1 v4 yes no HIGH up - attached on 10.17.81.83 no 310289948074939539 pvc-9f66b90d-faae-4066-9f5c-fa800489b4b3 10 GiB 1 v4 yes no HIGH up - attached on 10.17.81.83 no 935432230509016835 pvc-e4584f4f-fba7-4bec-a881-b63a001dbbd4 20 GiB 1 v4 yes no HIGH up - attached on 10.17.91.67 no- Replace $PX_POD with the pod name and use the namespace where Portworx is
installed, for example, kube-system: :
- Get a list of the
PVs:
# oc get pvc -n wmla-namespaceNAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE wmla-conda Bound pvc-7ef41c1a-33d1-4652-bbed-bb9b76cbaeaf 20Gi RWX px-secure-sc 83m wmla-cws-share Bound pvc-0543222d-5e6c-45fa-b03f-dbfb79e70c4c 15Gi RWX px-secure-sc 90m wmla-edi Bound pvc-739eee29-8cba-4543-aa2e-f4b2621784a8 10Gi RWX px-secure-sc 63m wmla-logging Bound pvc-9f66b90d-faae-4066-9f5c-fa800489b4b3 10Gi RWX px-secure-sc 88m wmla-mygpfs Bound pvc-e4584f4f-fba7-4bec-a881-b63a001dbbd4 20Gi RWX px-secure-sc 87m
- Using
annotations with Kubernetes secrets:
Watson Machine Learning Accelerator
can support to encrypt data per volume. Users need to specify
encryption.type: portworxin Watson Machine Learning Accelerator CR and there is no any change in StorageClass. For example,
During Watson Machine Learning Accelerator deployment, the administrator can create their own secret in the Watson Machine Learning Accelerator namespace. For example:apiVersion: spectrumcomputing.ibm.com/v1 kind: Wmla metadata: name: wmla namespace: "wmla" spec: ... encryption: type: portworxapiVersion: v1 data: wmla-secure-pvc: <base64 encode data> kind: Secret metadata: name: "wmla-px-secret" type: OpaqueNote: The data key name of the Secret object for the secure WML Accelerator namespace must be kept as wmla-secure-pvc and the secret name must be kept as wmla-px-secret. Portworx uses wmla-secure-pvc to create the encrypted PVCs.
OpenShift Container Storage
OpenShift Container Storage supports the following encryption methods:
-
Enable encryption in the CR file:
Set encryption to enable: true in the CR file. For example:apiVersion: ocs.openshift.io/v1 kind: StorageCluster metadata: name: ocs-storagecluster namespace: openshift-storage spec: encryption: enable: true manageNodes: false monDataDirHostPath: /var/lib/rook storageDeviceSets: - count: 1 dataPVCTemplate: spec: accessModes: - ReadWriteOnce resources: requests: storage: 200Gi storageClassName: localblock volumeMode: Block name: ocs-deviceset placement: {} portable: false replica: 3 resources: {} - Creating a storage cluster using the Openshift Web Console:
After installing the OpenShift Container Storage operator, create a storage cluster where data encryption is enabled. See Installing the OCS operator.
NFS server
NFS supports the use of LUKS encryption. The LUKS format is the default encryption for block
devices in RHEL. To encrypt a block device using NFS Server, see the following:
- In my example, the vdb1
device is selected to enable LUKS disk encryption. To see all available devices, issue the following
command:
# lsblk -lNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT vda 252:0 0 250G 0 disk vda1 252:1 0 1G 0 part /boot vda2 252:2 0 249G 0 part vdb 252:16 0 250G 0 disk vdb1 252:17 0 250G 0 part rhel-root 253:0 0 233G 0 lvm / rhel-swap 253:1 0 16G 0 lvm [SWAP] - Setup a partition as an encrypted LUKS
partition:
# cryptsetup luksFormat /dev/vdb1 WARNING! ======== This will overwrite data on /dev/vdb1 irrevocably. Are you sure? (Type 'yes' in capital letters): YES Enter passphrase for /dev/vdb1: Verify passphrase: Passphrases do not match. # cryptsetup luksFormat /dev/vdb1 WARNING! ======== This will overwrite data on /dev/vdb1 irrevocably. Are you sure? (Type 'yes' in capital letters): YES Enter passphrase for /dev/vdb1: Verify passphrase: - Open an encrypted LUKS partition:
# cryptsetup open /dev/vdb1 vdb1_encrypted Enter passphrase for /dev/vdb1: - To write encrypted data to the partition, it must be accessed through the device mapped name. To
do this, you must create a filesystem. For
example:
# mkfs -t ext4 /dev/mapper/vdb1_encrypted mke2fs 1.45.6 (20-Mar-2020) Creating filesystem with 65531904 4k blocks and 16384000 inodes Filesystem UUID: 85e78fda-58c9-423f-9c08-03f90195f9e1 Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872 Allocating group tables: done Writing inode tables: done Creating journal (262144 blocks): done Writing superblocks and filesystem accounting information: done - Mount the device:
# mount /dev/mapper/vdb1_encrypted /data # lsblk -l NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT vda 252:0 0 250G 0 disk vda1 252:1 0 1G 0 part /boot vda2 252:2 0 249G 0 part vdb 252:16 0 250G 0 disk vdb1 252:17 0 250G 0 part rhel-root 253:0 0 233G 0 lvm / rhel-swap 253:1 0 16G 0 lvm [SWAP] vdb1_encrypted 253:2 0 250G 0 crypt /data - Make the mount point as NFS storage:
# df -h /data Filesystem Size Used Avail Use% Mounted on /dev/mapper/vdb1_encrypted 246G 15G 218G 7% /data # showmount -e Export list for xpan-vm.fyre.ibm.com: /data * - Create a StorageClass resource using the mount
point:
# oc get sc/managed-nfs-storage-luks2 -o yaml apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: creationTimestamp: "2021-05-08T06:39:42Z" managedFields: - apiVersion: storage.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:parameters: .: {} f:archiveOnDelete: {} f:provisioner: {} f:reclaimPolicy: {} f:volumeBindingMode: {} manager: oc operation: Update time: "2021-05-08T06:39:42Z" name: managed-nfs-storage-luks2 resourceVersion: "1438164" selfLink: /apis/storage.k8s.io/v1/storageclasses/managed-nfs-storage-luks2 uid: e5033c5a-6f15-4e41-beb7-34534cb31712 parameters: archiveOnDelete: "false" provisioner: fuseim.pri/luks2 reclaimPolicy: Delete volumeBindingMode: Immediate - Verify that the NFS client provisioned pod uses the mount point, for
example:
# oc get pod/nfs-client-encryption-698f5b6895-2fzjf -o json -n default | jq .spec.volumes { "volumes": [ { "name": "nfs-client-root", "nfs": { "path": "/data/cloudpak", "server": "10.11.98.142" } }, { "name": "nfs-client-encryption-token-lp7b9", "secret": { "defaultMode": 420, "secretName": "nfs-client-encryption-token-lp7b9" } } ] } - Create WML Accelerator CR using
managed-nfs-storage-luks2as the storage class. - Verify WML Accelerator PVCs to use the storage class after
installation:
# oc get pvcNAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE wmla-conda Bound pvc-dd9d3337-91c7-4513-865a-b8218312e1b7 20Gi RWX managed-nfs-storage-luks2 6h39m wmla-cws-share Bound pvc-b252a581-1534-4376-9a38-c12783ad9f40 15Gi RWX managed-nfs-storage-luks2 6h40m wmla-edi Bound pvc-b1838104-7d6a-4ea3-b756-2ea96e1927d1 10Gi RWX managed-nfs-storage-luks2 6h37m wmla-infoservice Bound pvc-47a7535a-bcdf-4f5c-8468-780caf5db60c 4Gi RWX managed-nfs-storage-luks2 6h38m wmla-logging Bound pvc-0a070b7d-54dd-4dbc-8899-ea45c81d74ab 10Gi RWX managed-nfs-storage-luks2 6h39m wmla-mygpfs Bound pvc-064329ce-f885-491c-bbda-312c5acb1849 20Gi RWX managed-nfs-storage-luks2 6h39m - Inside service or job pod, the files on PV store in mount point of
/data/cloudpak at NFS server (for example, 10.11.98.142).
It will be the same as the settings in the storage class.
- Service pod:
# oc exec -n wmla deploy/wmla-dlpd -c dlpd -- df -h /wmla-logging Filesystem Size Used Avail Use% Mounted on 10.11.98.142:/data/cloudpak/wmla-wmla-logging-pvc-cdf8a1fa-f5dc-42ae-94ac-4d6bcad4a8ac 246G 31G 202G 14% /wmla-logging# oc exec -n wmla deploy/wmla-dlpd -c dlpd -- ls -l /wmla-logging total 8 drwxr-xr-x. 2 1000630000 1000630000 4096 May 11 15:52 dli drwxr-xr-x. 2 1000630000 1000630000 4096 May 11 15:52 notebook - Workload
pod:
# oc exec pod/wmla-3-task12n-9tdx7 -- df -h /gpfs/myresultfs/adminFilesystem Size Used Avail Use% Mounted on 10.11.98.142:/data/cloudpak/wmla-wmla-mygpfs-pvc-cc65012d-bc2e-413e-b930-71c3641d199e/myresultfs/admin 490G 24G 467G 5% /gpfs/myresultfs/admin
- Service pod: