
Container Service for Kubernetes:Encrypt an OSS volume

Last Updated:Nov 07, 2023

Data encryption is suitable for scenarios that require high security or have compliance requirements. You do not need to create or maintain the key management infrastructure. Encrypted storage helps you ensure data privacy and autonomy when data is stored on Elastic Compute Service (ECS) instances. This topic describes how to use the customer master keys (CMKs) hosted in Key Management Service (KMS) and the keys hosted in Object Storage Service (OSS) to encrypt data stored in OSS volumes.

Prerequisites

Encryption methods

OSS volumes support server-side encryption and client-side encryption. ACK supports only server-side encryption.

  • Server-side encryption encrypts data before it is stored on the disks of an Alibaba Cloud data center and automatically decrypts the data when an object is downloaded.

  • Client-side encryption allows you to use an SDK to encrypt data on the client side before the data is uploaded to OSS.

The following server-side encryption methods are available; choose the one that fits your scenario.

  • Use the default CMK or the specified CMK hosted in KMS to encrypt OSS objects

    • Use the default CMK to encrypt OSS objects: set the HTTP header X-OSS-server-side-encryption to KMS and do not set a CMK ID when you upload objects.

    • Use the specified CMK to encrypt OSS objects: set the HTTP header X-OSS-server-side-encryption to KMS and set X-OSS-server-side-encryption-key-id to your CMK ID when you upload objects.

    Important

    You are charged when you call API operations to encrypt or decrypt data with KMS keys. For more information, see Billing of KMS.

  • Use an OSS-hosted key to encrypt OSS objects

    • This encryption method uses OSS-hosted keys and is an attribute of objects.

    • OSS generates and manages the keys that are used for data encryption based on the industry-standard AES-256 encryption algorithm.

    • This method is cost-effective because you do not need to send data to the KMS server for encryption and decryption.

    • You must set the HTTP header X-OSS-server-side-encryption to AES256 when you upload objects.

Only one server-side encryption method can be used for an object at a time.

Encrypt an OSS volume

You can use OSSFS to configure encryption parameters for OSS volumes. The parameters take effect when the OSS volume is mounted as a persistent volume (PV). For more information about OSSFS installation and setup, see Install and set up OSSFS.

OSSFS allows you to use the following methods to encrypt OSS objects:

Method 1: Use the default KMS-hosted CMK to encrypt OSS objects

  1. Create a file named kms-cmk-default.yaml and copy the following code to the file:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: oss-csi-pv
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadOnlyMany
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: oss-csi-pv
        volumeAttributes:
          bucket: "python"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o umask=022 -o max_stat_cache_size=0 -o allow_other"
          akId: "<YourAccessKey ID>"           # Replace with your AccessKey ID. 
          akSecret: "<YourAccessKey Secret>"   # Replace with your AccessKey secret. 
          path: "/"
          encrypted: "kms"

    Parameter    Description
    akId         The AccessKey ID.
    akSecret     The AccessKey secret.
    encrypted    Specifies the encryption method. Valid values:
                 • kms: the volume is encrypted by using KMS.
                 • aes256: the volume is encrypted by using the AES-256 algorithm.

  2. Run the following command to create an encrypted OSS volume:

    kubectl create -f kms-cmk-default.yaml
  3. View the encrypted OSS volume in the ACK console.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Volumes > Persistent Volumes. On the Persistent Volumes page, verify that the encrypted OSS volume that you newly created is displayed.

Method 2: Use the specified KMS-hosted CMK to encrypt OSS objects

  1. Grant the RAM user the permissions to access KMS.

    To use the specified CMK to encrypt OSS objects, you must authorize the RAM user that owns the AccessKey pair used by the PV to access KMS. For more information, see Server-side encryption. To grant the permissions, perform the following steps:

    1. Log on to the RAM console with an Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the RAM user to whom you want to grant the permissions, and click Add Permissions in the Actions column.

    4. Select the system policy AliyunKMSFullAccess or create a custom policy named AliyunOSSEncryptCustomizedPolicy.

      The AliyunKMSFullAccess policy provides full permissions. If you require finer-grained access control, perform the following steps to create a custom policy named AliyunOSSEncryptCustomizedPolicy. For more information, see Create a custom policy.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:List*",
              "kms:DescribeKey",
              "kms:GenerateDataKey",
              "kms:Decrypt"
            ],
            "Resource": [
              "acs:kms:*:141661496593****:*"
            ]
          }
        ]
      }

      The Resource value acs:kms:*:141661496593****:* allows the RAM user to use all CMKs that belong to the Alibaba Cloud account. To allow the RAM user to use only the specified CMK, enter the CMK ID in place of the final *.
    5. Click OK. Then, click Complete.

  2. Create a file named kms-cmk.yaml and copy the following code to the file:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: oss-csi-pv
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadOnlyMany
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: oss-csi-pv
        volumeAttributes:
          bucket: "python"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o umask=022 -o max_stat_cache_size=0 -o allow_other"
          akId: "<YourAccessKey ID>"           # Replace with your AccessKey ID. 
          akSecret: "<YourAccessKey Secret>"   # Replace with your AccessKey secret. 
          path: "/"
          encrypted: "kms"
          kmsKeyId: "<YourKMS KeyID>"          # Replace with the ID of your KMS CMK.
  3. Run the following command to create an encrypted OSS volume:

    kubectl create -f kms-cmk.yaml
  4. View the encrypted OSS volume in the ACK console.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Volumes > Persistent Volumes. On the Persistent Volumes page, verify that the encrypted OSS volume that you newly created is displayed.

Method 3: Use an OSS-hosted key to encrypt OSS objects

  1. Create a file named sse-oss.yaml and copy the following code to the file:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: oss-csi-pv
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadWriteOnce
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: oss-csi-pv
        volumeAttributes:
          bucket: "python"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          akId: "<YourAccessKey ID>"             # Replace with your AccessKey ID. 
          akSecret: "<YourAccessKey Secret>"     # Replace with your AccessKey secret. 
          path: "/"
          encrypted: "aes256"
  2. Run the following command to create an encrypted OSS volume:

    kubectl create -f sse-oss.yaml
  3. View the encrypted OSS volume in the ACK console.

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.

    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

    4. In the left-side navigation pane of the details page, choose Volumes > Persistent Volumes. On the Persistent Volumes page, verify that the encrypted OSS volume that you newly created is displayed.
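A pre-flight check for the PV manifests in Methods 1 to 3 and the RAM policy in Method 2, written here as an added example; it is not part of the ACK documentation or of the OSS CSI driver. It validates the volumeAttributes of an OSS CSI PV (encrypted must be kms or aes256, kmsKeyId belongs with kms, the AccessKey placeholders must have been replaced) and confirms that a RAM policy allows kms:GenerateDataKey and kms:Decrypt, flagging a Resource that covers every CMK in the account when a single CMK ID is expected. It assumes the manifest and policy are already loaded into dicts (for example from a JSON rendering of the YAML); the sample PV is constructed.

```python
from fnmatch import fnmatchcase

OSS_CSI_DRIVER = "ossplugin.csi.alibabacloud.com"
VALID_MODES = {"kms", "aes256"}
# The two KMS actions OSS uses to wrap and unwrap each object's data key.
REQUIRED_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def check_pv(pv):
    """Return findings for an OSS CSI PersistentVolume dict; [] means it passes."""
    findings = []
    csi = pv.get("spec", {}).get("csi", {})
    if csi.get("driver") != OSS_CSI_DRIVER:
        return ["not an OSS CSI volume: driver=%r" % csi.get("driver")]
    attrs = csi.get("volumeAttributes", {})
    mode = attrs.get("encrypted")
    if mode not in VALID_MODES:
        findings.append("encrypted must be kms or aes256, got %r" % mode)
    if attrs.get("kmsKeyId") and mode != "kms":
        findings.append("kmsKeyId is set but encrypted is not kms")
    for key in ("akId", "akSecret"):
        val = attrs.get(key, "")
        if not val or (val.startswith("<") and val.endswith(">")):
            findings.append("%s is empty or still a <placeholder>" % key)
    return findings


def check_kms_policy(policy, cmk_id=""):
    """Check a RAM policy dict allows the needed KMS actions, scoped to one CMK."""
    findings, allowed, resources = [], [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for field, sink in (("Action", allowed), ("Resource", resources)):
            val = stmt.get(field, [])
            sink.extend([val] if isinstance(val, str) else val)
    for action in REQUIRED_KMS_ACTIONS:
        if not any(fnmatchcase(action, pat) for pat in allowed):
            findings.append("policy does not allow %s" % action)
    if cmk_id:  # the last field of an acs:kms:... resource is the CMK id
        key_ids = [r.rsplit(":", 1)[-1] for r in resources]
        if cmk_id not in key_ids and "*" not in key_ids:
            findings.append("policy Resource does not cover CMK %s" % cmk_id)
        elif "*" in key_ids:
            findings.append("policy Resource covers every CMK; narrow it to %s" % cmk_id)
    return findings


# Constructed sample: kms-cmk.yaml as a dict, with its placeholders still in it.
SAMPLE_PV = {"spec": {"csi": {"driver": OSS_CSI_DRIVER, "volumeAttributes": {
    "akId": "<YourAccessKey ID>", "akSecret": "<YourAccessKey Secret>",
    "encrypted": "kms", "kmsKeyId": "<YourKMS KeyID>"}}}}
```

Run check_pv on each manifest before kubectl create, and check_kms_policy with the kmsKeyId from kms-cmk.yaml against the policy attached to the RAM user.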