For more detail on encryption at rest in Ondat, see the reference page.
Enabling encryption on a volume
Encrypting a volume is done by simply creating a volume with the
storageos.com/encryption=true label. This can be set on the PVC or on
the PVC’s StorageClass.
This label is all that is needed. If it is present, the mutating admission webhook that runs as part of the Ondat API Manager will create the encryption key, link it to the PVC and store it in a secret.
Encryption is enabled when a volume is provisioned, and it can not be removed during during the volume’s lifetime.
An example encrypted volume
Option 1: Label the PVC
Add the label in the PVC definition, for instance:
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: encrypted-vol labels: storageos.com/encryption: "true" # Label <----- spec: storageClassName: "storageos" accessModes: - ReadWriteOnce resources: requests: storage: 1G
The encryption label as set on a PVC takes precedence over the encryption label as set on the PVC’s StorageClass.
Option 2: Add a parameter to the StorageClass
Add a parameter to the StorageClass definition. This will cause the above label to be present on PVCs created using this StorageClass. For instance:
apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: storageos-encrypted provisioner: csi.storageos.com allowVolumeExpansion: true parameters: csi.storage.k8s.io/fstype: ext4 storageos.com/encryption: "true" csi.storage.k8s.io/secret-name: storageos-api csi.storage.k8s.io/secret-namespace: storageos