Longhorn supports encrypted volumes by utilizing the linux kernel module via cryptsetup for the encryption. Further we use the Kubernetes secret mechanism for key storage, which can be further encrypted and guarded via appropriate permissions. An encrypted volume results in your data being encrypted while in transit as well as at rest, this also means that any backups taken from that volume are also encrypted.

Requirements

To be able to use encrypted volumes, you will need to have the dm_crypt kernel module loaded and installed on your worker nodes.

Setting up Kubernetes Secrets

Volume encryption utilizes Kubernetes secrets for encryption key storage. To configure the secret that will be used for an encrypted volume, you will need to specify the secret as part of the parameters of a storage class. This mechanism is provided by Kubernetes and allows the usage of some template parameters that will be resolved as part of volume creation.

Example secret your encryption keys are specified as part of the CRYPTO_KEY_VALUE parameter. We use stringData as type here so we don’t have to base64 encoded before submitting the secret via .

Example storage class (global key for all volumes)

Example storage class (per volume key)

Using an encrypted volume

After creation of the PVC it will remain in Pending state till the associated secret has been created and can be retrieved by the csi external-provisioner sidecar. Afterwards the regular volume creation flow will take over and the encryption will be transparently used so no additional actions are needed from the user.

Filesystem expansion

Longhorn supports offline for encrypted volumes.

History

Available since v1.2.0