Volume Encryption #4

Closed
madhu-pillai opened this issue Feb 13, 2025 · 4 comments

Comments

@madhu-pillai

Hi,
Is there any way we can utilize the cex dev plugin to (LUKS) encrypt the additional volumes added to the OpenShift cluster?
e.g.: Customer wants an additional disk in the OpenShift cluster which needs to be encrypted using this cex dev plugin.
Thanks

@hfreude
Contributor

hfreude commented Feb 14, 2025

Hi Madhu

First, a (LUKS) encrypted disk is based on a dm-crypt setup on the volume, and the container(s) need to have awareness about this and open it accordingly. Of course you also need some kind of key management to forward the key into the running container. This has in the beginning nothing to do with the cex-device-plugin.

If you want to be very secure you don't use clear keys but use "secure keys" available on z systems - and here the cex-device-plugin comes into the game. You need access to an HSM for your secure key to work, and the cex-device-plugin does exactly this - it makes one crypto endpoint (APQN) available within your container, and you may need it to use your secure key to open your (secure key encrypted) LUKS volume.

For more details about how to use dm-crypt on z systems search for the IBM docu "Pervasive Encryption for Data Volumes" (SC34-2782-04). There is no real difference between encrypted volumes handled on LPAR or z/VM or KVM guests and within OCP containers. Just the additional step that you need the cex-device-plugin to "forward" HSM access into the container. For these details I can refer to the docu available here or search for "Kubernetes device plug-in for IBM Crypto Express (CEX) cards - Version 1.1.0 - Installation and User Guide".
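As an added illustration of the mechanism Harald describes (this is not code from the thread or from the cex-device-plugin project): a configset in the plugin's ConfigMap selects which APQNs are exposed, and a pod in the matching project claims one of them as an extended resource. The ConfigMap name, key and namespace are assumed from the plugin's documentation; the configset name, project, adapter/domain numbers and image are constructed placeholders.

```yaml
# Assumed: the cex-device-plugin reads a ConfigMap "cex-resources-config"
# in its own namespace whose key holds a JSON list of "cryptoconfigsets".
# The setname, project and APQN (adapter/domain) values below are constructed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cex-resources-config
  namespace: cex-device-plugin
data:
  cex_resources.json: |
    {
      "cryptoconfigsets": [
        {
          "setname": "CCA_for_volumes",
          "project": "encrypted-volumes",
          "cexmode": "cca",
          "apqns": [
            { "adapter": 1, "domain": 6 },
            { "adapter": 2, "domain": 6 }
          ]
        }
      ]
    }
---
# A pod in the project named by the configset requests one APQN from it.
# The plugin then makes a zcrypt device node available inside the container,
# which is what the secure-key dm-crypt/LUKS open step needs. The dm-crypt
# setup and key handling themselves follow the "Pervasive Encryption for
# Data Volumes" procedure and are not part of this example.
apiVersion: v1
kind: Pod
metadata:
  name: secure-key-volume-user
  namespace: encrypted-volumes
spec:
  containers:
    - name: app
      image: registry.example.com/app:latest   # placeholder image
      resources:
        limits:
          cex.s390.ibm.com/CCA_for_volumes: 1  # extended resource from the plugin
```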

@madhu-pillai
Author

Hi Harald,

Thank you for the detailed explanation.

We have somehow enabled the root volume encryption using a secure key (CEX) in Ignition (as explained in the "Pervasive Encryption for Data Volumes") and are waiting for this feature in the OCP 4.19 release. If we add multiple disks during the OCP installation it encrypts all the devices and works fine.

Now I am researching, once OCP is running and the customer needs to add additional disks, how we can encrypt those disks too and use them for storage provisioning in OCP. Presently OCP has the Local Storage operator, which does not offer any encryption of volumes. Encrypting the disk using the CEX card is not feasible at the moment unless we do oc debug node/<node> and run all the data volume encryption commands, which is not recommended.

So I thought we could leverage this cex device plugin to use here. Any alternative way or suggestion would be really appreciated.

Thanks

@hfreude
Contributor

hfreude commented Feb 20, 2025

Well, I am not familiar with all the OCP features and operators and that stuff. Please understand the cex-device-plugin offers access to an HSM within "pods" running in the cluster. That's all. You can use this HSM access then to generate your own keys or, as described in the "Pervasive Encryption" docu, to set up disk encryption with secure/protected keys. But what you actually use the HSM access for is subject to upper layers. In your case maybe it would help to contact Red Hat and get help from there.

@madhu-pillai
Author

Thank you...
