For more detail on encryption at rest in Ondat, see the reference page.

Enabling encryption on a volume

Encrypting a volume is done by simply creating a volume with the storageos.com/encryption=true label. This can be set on the PVC or on the PVC’s StorageClass.

This label is all that is needed. If it is present, the mutating admission webhook that runs as part of the Ondat API Manager will create the encryption key, link it to the PVC and store it in a secret.

Encryption is enabled when a volume is provisioned, and it can not be removed during during the volume’s lifetime.

An example encrypted volume

  • Option 1: Label the PVC

    Add the label in the PVC definition, for instance:

    apiVersion: v1
    kind: PersistentVolumeClaim
      name: encrypted-vol
        storageos.com/encryption: "true" # Label <-----
      storageClassName: "storageos"
        - ReadWriteOnce
          storage: 1G

    The encryption label as set on a PVC takes precedence over the encryption label as set on the PVC’s StorageClass.

  • Option 2: Add a parameter to the StorageClass

    Add a parameter to the StorageClass definition. This will cause the above label to be present on PVCs created using this StorageClass. For instance:

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
      name: storageos-encrypted
    provisioner: csi.storageos.com
    allowVolumeExpansion: true
      csi.storage.k8s.io/fstype: ext4
      storageos.com/encryption: "true"
      csi.storage.k8s.io/secret-name: storageos-api
      csi.storage.k8s.io/secret-namespace: storageos