Data encryption is suitable for scenarios that require high security or have compliance requirements. You do not need to create or maintain the key management infrastructure. Encrypted storage helps you ensure data privacy and autonomy when data is stored on Elastic Compute Service (ECS) instances. This topic describes how to use the customer master keys (CMKs) hosted in Key Management Service (KMS) and the keys hosted in Object Storage Service (OSS) to encrypt data stored in OSS volumes.
Prerequisites
CSI plug-ins are installed in the cluster by default. For more information about how to update them, see Update csi-plugin and csi-provisioner.
Note: If FlexVolume is installed in your cluster, migrate from FlexVolume to CSI first, because FlexVolume has been deprecated. You can check which volume plug-in the cluster uses on the Storage tab in the console.
An OSS bucket is created. For more information, see Create buckets.
Note: Select the internal endpoint if the OSS bucket and the ECS instance are deployed in the same region.
KMS is activated. For more information, see Purchase a dedicated KMS instance.
A kubectl client is connected to the ACK cluster. For more information, see Step 2: Select a type of cluster credentials.
Encryption methods
OSS volumes support server-side encryption and client-side encryption. ACK supports only server-side encryption.
Server-side encryption encrypts data before the data is stored in the disk of an Alibaba Cloud data center, and automatically decrypts data when an object is downloaded.
Client-side encryption allows you to use an SDK to encrypt data on the client side before the data is uploaded to OSS.
The following table describes the server-side encryption methods that you can use in different scenarios.
Encryption method: Use the default CMK or the specified CMK to encrypt OSS objects
Description:
Use the default CMK to encrypt OSS objects: set the HTTP header X-OSS-server-side-encryption to KMS and do not set the CMK ID when you upload objects.
Use the specified CMK to encrypt OSS objects: set the HTTP header X-OSS-server-side-encryption to KMS and set X-OSS-server-side-encryption-key-id to your CMK ID when you upload objects.
Important: You are charged when you call API operations to encrypt or decrypt data with KMS keys. For more information, see Billing of KMS.
This method is cost-effective because you do not need to send data to the KMS server for encryption and decryption.

Encryption method: Use an OSS-hosted key to encrypt OSS objects
Description:
This encryption method uses OSS-hosted keys and is an attribute of objects. OSS generates and manages the keys that are used for data encryption based on the industry-standard AES-256 strong encryption algorithm. You must set the HTTP header X-OSS-server-side-encryption to AES256 when you upload objects.
Only one server-side encryption method can be used for an object at a time.
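The following Python script is an added example, not code from the ACK or OSS documentation. It maps the PV attributes described on this page (encrypted and kmsKeyId) to the OSS server-side encryption request headers from the table above, reads the method back from an object's response headers, and lists objects that do not match the method a volume is expected to use. The header names are the ones quoted on the page; the helper names (sse_headers_for, detect_sse, find_noncompliant) and the sample response headers are assumptions of this example, and the sample headers are constructed rather than captured from a real bucket.

```python
# Added example (not code from the ACK documentation): maps the PV `encrypted`
# and `kmsKeyId` attributes to the OSS server-side encryption request headers,
# classifies an object from its response headers, and flags objects that do
# not match the method a volume is expected to use. Header names are the ones
# quoted on the page; the sample response headers below are constructed.
from typing import Dict, List, Optional, Tuple

SSE_HEADER = "x-oss-server-side-encryption"
SSE_KEY_ID_HEADER = "x-oss-server-side-encryption-key-id"

# PV `encrypted` value -> value OSS expects in X-OSS-server-side-encryption
ENCRYPTED_TO_ALGORITHM = {"kms": "KMS", "aes256": "AES256"}


def sse_headers_for(encrypted: str, kms_key_id: Optional[str] = None) -> Dict[str, str]:
    """Request headers an upload must carry for the chosen method.

    encrypted  -- the PV `encrypted` attribute: "kms" or "aes256"
    kms_key_id -- the PV `kmsKeyId` attribute; valid only together with "kms"
    """
    algorithm = ENCRYPTED_TO_ALGORITHM.get(encrypted.lower())
    if algorithm is None:
        raise ValueError(f"unsupported encrypted value: {encrypted!r}")
    headers = {SSE_HEADER: algorithm}
    if kms_key_id:
        if algorithm != "KMS":
            raise ValueError("kmsKeyId is only valid together with encrypted: kms")
        headers[SSE_KEY_ID_HEADER] = kms_key_id
    return headers


def detect_sse(response_headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Classify an object from HEAD/GET response headers.

    Returns (method, key_id): method is "SSE-KMS", "SSE-OSS" or "NONE";
    key_id is the CMK ID reported for SSE-KMS objects, if any.
    """
    lowered = {k.lower(): v for k, v in response_headers.items()}
    algorithm = (lowered.get(SSE_HEADER) or "").upper()
    if algorithm == "KMS":
        return "SSE-KMS", lowered.get(SSE_KEY_ID_HEADER)
    if algorithm == "AES256":
        return "SSE-OSS", None
    return "NONE", None


def find_noncompliant(objects: Dict[str, Dict[str, str]], encrypted: str,
                      kms_key_id: Optional[str] = None) -> List[str]:
    """Keys of objects whose encryption does not match the volume's configured
    method (and, when a specific CMK is configured, that CMK)."""
    expected = sse_headers_for(encrypted, kms_key_id)
    expected_method = "SSE-KMS" if expected[SSE_HEADER] == "KMS" else "SSE-OSS"
    bad = []
    for key, headers in objects.items():
        method, key_id = detect_sse(headers)
        if method != expected_method:
            bad.append(key)
        elif kms_key_id and key_id != kms_key_id:
            bad.append(key)
    return bad


# Constructed sample: response headers for three objects in one bucket.
SAMPLE_OBJECTS = {
    "reports/a.csv": {"X-OSS-server-side-encryption": "KMS",
                      "X-OSS-server-side-encryption-key-id": "cmk-example-0001"},
    "reports/b.csv": {"X-OSS-server-side-encryption": "AES256"},
    "reports/c.csv": {"Content-Type": "text/csv"},  # written before encryption was configured
}

if __name__ == "__main__":
    print(sse_headers_for("kms", "cmk-example-0001"))
    for key, hdrs in SAMPLE_OBJECTS.items():
        print(key, detect_sse(hdrs))
    print("non-compliant:", find_noncompliant(SAMPLE_OBJECTS, "kms", "cmk-example-0001"))
```

Because only one server-side encryption method applies to an object at a time, find_noncompliant treats any object whose method differs from the volume's configured method as non-compliant; objects uploaded before encryption was configured show up as "NONE" and are the ones to re-upload.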
Encrypt an OSS volume
You can use OSSFS to configure encryption parameters for OSS volumes. The parameters take effect when the OSS volume is mounted as a persistent volume (PV). For more information about OSSFS installation and setup, see Install and set up OSSFS.
OSSFS allows you to use the following methods to encrypt OSS objects:
Method 1: Use the default KMS-hosted CMK to encrypt OSS objects
Create a file named kms-cmk-default.yaml and copy the following code to the file:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: oss-csi-pv
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadOnlyMany
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: oss-csi-pv
    volumeAttributes:
      bucket: "python"
      url: "oss-cn-hangzhou.aliyuncs.com"
      otherOpts: "-o umask=022 -o max_stat_cache_size=0 -o allow_other"
      akId: "<YourAccessKey ID>" # Replace with your AccessKey ID.
      akSecret: "<YourAccessKey Secret>" # Replace with your AccessKey secret.
      path: "/"
      encrypted: "kms"
The following parameters are relevant to encryption:
akId: The AccessKey ID.
akSecret: The AccessKey secret.
encrypted: Specifies the encryption method. Valid values:
  kms: KMS.
  aes256: AES-256 algorithm.
Run the following command to create an encrypted OSS volume:
kubectl create -f kms-cmk-default.yaml
View the encrypted OSS volume on the Persistent Volumes page.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
Method 2: Use the specified KMS-hosted CMK to encrypt OSS objects
Grant the RAM user the permissions to access KMS.
To use the specified CMK to encrypt OSS objects, you must authorize the RAM user that owns the AccessKey pair used by the PV to access KMS. For more information, see Server-side encryption. To grant the permissions, perform the following steps:
Log on to the RAM console by using an Alibaba Cloud account.
Note: An Alibaba Cloud account has full management permissions on the resources within the account. You can create a RAM user and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. For more information, see Create a RAM user as an account administrator.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to whom you want to grant the permissions, and click Add Permissions in the Actions column.
Select the system policy AliyunKMSFullAccess or create a custom policy named AliyunOSSEncryptCustomizedPolicy.
Important: The AliyunKMSFullAccess policy provides full permissions. If you require finer-grained access control, perform the following steps to create a custom policy named AliyunOSSEncryptCustomizedPolicy. For more information, see Create a custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": [
        "acs:kms:*:141661496593****:*"
      ]
    }
  ]
}
The Resource value above allows the RAM user to use all CMKs that belong to the Alibaba Cloud account. To allow the RAM user to use only the specified CMK, enter the CMK ID in the Resource value instead.
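The following Python script is an added example, not part of the ACK documentation or of any Alibaba Cloud tooling. It audits a RAM policy document like the custom policy above before it is attached, checking that the policy grants only the four KMS actions the page lists and that its Resource is scoped to one CMK rather than to every CMK in the account. The resource format acs:kms:&lt;region&gt;:&lt;account-id&gt;:key/&lt;cmk-id&gt;, the helper names (scoped_kms_policy, audit_kms_policy) and the account ID and CMK ID values are assumptions of this example; the policy it audits is a constructed copy of the one above.

```python
# Added example (not from the ACK documentation): audits a RAM policy for
# least privilege before it is attached. The actions come from the page; the
# resource ARN format acs:kms:<region>:<account-id>:key/<cmk-id> is an
# assumption of this example, and the IDs below are constructed placeholders.
import json
from typing import Dict, List, Union

# The actions the page grants to the RAM user that owns the PV's AccessKey pair.
REQUIRED_ACTIONS = ["kms:List*", "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"]


def scoped_kms_policy(account_id: str, cmk_id: str, region: str = "*") -> Dict:
    """Build the page's custom policy, scoped to a single CMK (assumed ARN format)."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(REQUIRED_ACTIONS),
            "Resource": [f"acs:kms:{region}:{account_id}:key/{cmk_id}"],
        }],
    }


def _resource_is_account_wide(resource: str) -> bool:
    """True for "*" or an ARN whose resource part (after the 4th colon) matches every CMK."""
    if resource == "*":
        return True
    parts = resource.split(":", 4)
    return len(parts) == 5 and parts[4] in ("*", "key/*")


def audit_kms_policy(policy: Union[str, Dict]) -> List[str]:
    """Return findings for the policy (JSON string or dict); an empty list means it passes."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed = set(REQUIRED_ACTIONS)
    findings = []
    for idx, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if action not in allowed:
                findings.append(f"statement {idx}: action {action!r} is not needed for OSS volume encryption")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for resource in resources:
            if _resource_is_account_wide(resource):
                findings.append(f"statement {idx}: resource {resource!r} allows every CMK in the account; "
                                "restrict it to the CMK ID used by the volume")
    return findings


# Constructed copy of the page's policy, with an account-wide Resource.
ACCOUNT_WIDE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": list(REQUIRED_ACTIONS),
        "Resource": ["acs:kms:*:123456789012****:*"],
    }],
}

if __name__ == "__main__":
    for finding in audit_kms_policy(ACCOUNT_WIDE_POLICY):
        print("FINDING:", finding)
    scoped = scoped_kms_policy("123456789012****", "cmk-example-0001")
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", audit_kms_policy(scoped))
```

Run against the account-wide policy, the audit reports a single finding on the Resource; the scoped policy produced by scoped_kms_policy passes cleanly, which is the form to attach when the volume uses one specified CMK.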
Click Grant permissions. Then, click Close.
Create a file named kms-cmk.yaml and copy the following code to the file:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: oss-csi-pv
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadOnlyMany
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: oss-csi-pv
    volumeAttributes:
      bucket: "python"
      url: "oss-cn-hangzhou.aliyuncs.com"
      otherOpts: "-o umask=022 -o max_stat_cache_size=0 -o allow_other"
      akId: "<YourAccessKey ID>" # Replace with your AccessKey ID.
      akSecret: "<YourAccessKey Secret>" # Replace with your AccessKey secret.
      path: "/"
      encrypted: "kms"
      kmsKeyId: "<YourKMS KeyID>" # Replace with the ID of your KMS CMK.
Run the following command to create an encrypted OSS volume:
kubectl create -f kms-cmk.yaml
View the encrypted OSS volume on the Persistent Volumes page.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
Method 3: Use an OSS-hosted key to encrypt OSS objects
Create a file named sse-oss.yaml and copy the following code to the file:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: oss-csi-pv
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: oss-csi-pv
    volumeAttributes:
      bucket: "python"
      url: "oss-cn-hangzhou.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      akId: "<YourAccessKey ID>" # Replace with your AccessKey ID.
      akSecret: "<YourAccessKey Secret>" # Replace with your AccessKey secret.
      path: "/"
      encrypted: "aes256"
Run the following command to create an encrypted OSS volume:
kubectl create -f sse-oss.yaml
View the encrypted OSS volume on the Persistent Volumes page.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
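The following Python script is an added example, not part of the ACK documentation or the CSI plug-in. It is a pre-deployment check for the PersistentVolume manifests used in the three methods above, to run before kubectl create: it verifies that encrypted holds one of the documented values, that kmsKeyId is only combined with encrypted: kms, that the AccessKey placeholders from the template have been replaced, and that the url is an internal endpoint when, as the Prerequisites recommend, the bucket and the ECS instances share a region. Manifests are represented as Python dicts with the fields of the page's YAML so that no YAML library is needed. The rule that an internal OSS endpoint contains "-internal." in its host name, the helper names (lint_oss_pv, build_oss_pv) and the sample values are assumptions of this example; the sample manifests are constructed.

```python
# Added example (not from the ACK documentation): lint the OSS PV manifests
# from this page before `kubectl create`. Manifests are dicts mirroring the
# page's YAML. The "-internal." endpoint rule and the helper names are
# assumptions of this example; all sample values are constructed.
from typing import Dict, List, Optional

OSS_CSI_DRIVER = "ossplugin.csi.alibabacloud.com"
VALID_ENCRYPTED = {"kms", "aes256"}


def lint_oss_pv(manifest: Dict) -> List[str]:
    """Return findings for one PV manifest; an empty list means it is ready to apply."""
    findings = []
    csi = manifest.get("spec", {}).get("csi", {})
    if csi.get("driver") != OSS_CSI_DRIVER:
        findings.append(f"driver {csi.get('driver')!r} is not the OSS CSI driver")
    attrs = csi.get("volumeAttributes", {})

    encrypted = attrs.get("encrypted")
    if encrypted is None:
        findings.append("encrypted is not set: the volume will not request server-side encryption")
    elif encrypted not in VALID_ENCRYPTED:
        findings.append(f"encrypted {encrypted!r} is invalid; use one of {sorted(VALID_ENCRYPTED)}")
    if attrs.get("kmsKeyId") and encrypted != "kms":
        findings.append("kmsKeyId is set but encrypted is not 'kms', so it has no effect")

    # The template ships with "<YourAccessKey ...>" placeholders; an empty or
    # unreplaced value means the PV will fail to mount or was never filled in.
    for field in ("akId", "akSecret"):
        value = attrs.get(field, "")
        if not value or value.startswith("<"):
            findings.append(f"{field} still holds the placeholder from the template")

    url = attrs.get("url", "")
    if url and "-internal." not in url:
        findings.append(f"url {url!r} is a public endpoint; use the internal endpoint when the bucket "
                        "and the ECS instances are in the same region")
    return findings


def build_oss_pv(name: str, bucket: str, url: str, ak_id: str, ak_secret: str,
                 encrypted: str, kms_key_id: Optional[str] = None,
                 access_mode: str = "ReadOnlyMany") -> Dict:
    """Assemble a PV in the shape of the page's kms-cmk.yaml / sse-oss.yaml."""
    attrs = {
        "bucket": bucket, "url": url,
        "otherOpts": "-o max_stat_cache_size=0 -o allow_other",
        "akId": ak_id, "akSecret": ak_secret, "path": "/", "encrypted": encrypted,
    }
    if kms_key_id:
        attrs["kmsKeyId"] = kms_key_id
    return {
        "apiVersion": "v1", "kind": "PersistentVolume",
        "metadata": {"name": name},
        "spec": {"capacity": {"storage": "5Gi"}, "accessModes": [access_mode],
                 "csi": {"driver": OSS_CSI_DRIVER, "volumeHandle": name, "volumeAttributes": attrs}},
    }


# Constructed: the template copied verbatim, placeholders and all.
TEMPLATE_AS_COPIED = build_oss_pv("oss-csi-pv", "python", "oss-cn-hangzhou.aliyuncs.com",
                                  "<YourAccessKey ID>", "<YourAccessKey Secret>", "kms")
# Constructed: a filled-in manifest using a specified CMK and the internal endpoint.
FILLED_IN = build_oss_pv("oss-csi-pv", "python", "oss-cn-hangzhou-internal.aliyuncs.com",
                         "example-access-key-id", "example-access-key-secret", "kms",
                         kms_key_id="cmk-example-0001")

if __name__ == "__main__":
    for label, manifest in (("template", TEMPLATE_AS_COPIED), ("filled-in", FILLED_IN)):
        print(label, lint_oss_pv(manifest) or "OK")
```

The template as copied from the page produces three findings (two unreplaced placeholders and the public endpoint); the filled-in manifest passes. The kmsKeyId check matters when switching a volume from Method 2 to Method 3: leaving kmsKeyId in place with encrypted: aes256 silently changes nothing about which key OSS uses.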