Container Service for Kubernetes:Encrypt disk volumes

Last Updated: Mar 20, 2024

After you enable the disk encryption feature, the system automatically encrypts data transmitted to a disk and decrypts the data when it is read. Disk encryption is suitable for scenarios that require high security or have compliance requirements. You can protect the privacy and autonomy of your data without the need to create and maintain a key management infrastructure. This topic describes how to use the keys that are hosted in Key Management Service (KMS) to encrypt data stored in disk volumes.

Prerequisites

Overview

ECS uses the industry-standard AES-256 algorithm to encrypt disks with keys. Encryption keys can be the service keys provided by KMS or your own keys created by using the BYOK feature. Encryption and decryption have minimal impact on ECS instance performance. The following types of data are encrypted when you create an encrypted disk and attach it to an ECS instance. The data is decrypted when it is read. For more information, see Encrypt a data disk.

  • Static data stored on the encrypted disk.

  • Data transmitted between the encrypted disk and the instance, excluding data in the operating system.

  • Data transmitted from the ECS instance to a backend storage cluster.

  • All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.

  • All disks created from the encrypted snapshots.

Limits

  • You can encrypt the following categories of disks: enhanced SSDs, standard SSDs, ultra disks, and basic disks.

  • You cannot encrypt data in local disks.

  • You cannot directly convert unencrypted disks into encrypted disks.

  • You cannot directly convert encrypted disks into unencrypted disks.

Step 1 (optional): Authorize your ECS instance to access KMS

If you want to use keys that are created by using the BYOK feature, you must first authorize your ECS instance to access KMS. To do this, create a Resource Access Management (RAM) role and grant the required permissions to the role. To grant the required permission to a RAM user, perform the following operations:

  1. Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the Create Role panel, select Alibaba Cloud Service for the Select Trusted Entity parameter and click Next.

  5. Select Normal Service Role for the Role Type parameter.

  6. Enter AliyunECSDiskEncryptDefaultRole in the RAM Role Name field and select Elastic Compute Service as the trusted service.

  7. Click OK and then click Close.

  8. In the left-side navigation pane of the ACK console, choose Grants. Then, click Grant Permission.

  9. On the Grant Permission page, select Alibaba Cloud Account as the authorization scope. Enter AliyunECSDiskEncryptDefaultRole in the Principal field and click the role after it appears.

  10. Select the system policy AliyunKMSFullAccess or create a custom policy named AliyunECSDiskEncryptCustomizedPolicy.

    The AliyunKMSFullAccess policy provides full permissions. If you require finer-grained access control, perform the following steps to create a custom policy named AliyunECSDiskEncryptCustomizedPolicy:

    1. On the Grant Permission page, click Create Policy to go to the Create Policy page.

    2. On the Create Policy page, click the JSON tab and enter the following policy content in the code editor.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "kms:DescribeKey",
                      "kms:GenerateDataKey",
                      "kms:Decrypt",
                      "kms:TagResource"
                  ],
                  "Resource": "*"
              }
          ]
      }
    3. Click Next to edit policy information, enter AliyunECSDiskEncryptCustomizedPolicy in the Name field, and then click OK.

  11. Click OK. Then, click Complete.
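The following Python check is an added example and is not part of this documentation or of any Alibaba Cloud tool. It compares a RAM policy document (here the custom policy above, embedded as a string) against the four listed KMS actions and reports anything missing, anything extra, and wildcard grants such as kms:*, which cover far more than disk encryption needs. The function names are assumed.

```python
import json
from fnmatch import fnmatchcase

# The four KMS actions listed in AliyunECSDiskEncryptCustomizedPolicy above.
REQUIRED_KMS_ACTIONS = frozenset({
    "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt", "kms:TagResource",
})

# The policy document from this page, embedded so the check runs offline.
PAGE_POLICY = """{
  "Version": "1",
  "Statement": [{"Effect": "Allow",
                 "Action": ["kms:DescribeKey", "kms:GenerateDataKey",
                            "kms:Decrypt", "kms:TagResource"],
                 "Resource": "*"}]
}"""

def allowed_actions(policy_json: str) -> list:
    """Every action pattern granted by an Allow statement (Action may be a
    string or a list). Deny statements never widen access, so skip them."""
    actions = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.extend([act] if isinstance(act, str) else act)
    return actions

def audit_kms_policy(policy_json: str) -> dict:
    """Judge a RAM policy against REQUIRED_KMS_ACTIONS:
    missing   - required actions no Allow pattern covers
    extra     - literal actions outside the required set
    wildcards - patterns such as kms:* that cover far more than needed"""
    allowed = allowed_actions(policy_json)
    covered = {r for r in REQUIRED_KMS_ACTIONS
               if any(fnmatchcase(r, pat) for pat in allowed)}
    return {
        "missing": sorted(REQUIRED_KMS_ACTIONS - covered),
        "extra": sorted(a for a in allowed
                        if "*" not in a and a not in REQUIRED_KMS_ACTIONS),
        "wildcards": sorted(a for a in allowed if "*" in a),
    }

def is_least_privilege(policy_json: str) -> bool:
    """True only when the policy grants exactly the four required actions."""
    return not any(audit_kms_policy(policy_json).values())
```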

Step 2: Configure disk volume encryption

You can enable disk encryption only when you create a disk. When you mount or unmount a disk, no encryption-related operations are involved.

  1. Create a StorageClass.

    1. Create a file named sc-kms.yaml and copy the following code to the file:

      apiVersion: storage.k8s.io/v1
      kind: StorageClass
      metadata:
        name: csi-disk-encrypted
      provisioner: diskplugin.csi.alibabacloud.com
      parameters:
        fsType: ext4
        type: cloud_ssd
        encrypted: "true"
        kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      reclaimPolicy: Delete

      Note

      • encrypted: specifies whether to create an encrypted disk. A value of true specifies that the StorageClass is used to create an encrypted disk.

      • kmsKeyId: specifies the KMS key that is used to encrypt the disk. If you do not set this parameter, the default customer master key (CMK) is used. If the encrypted parameter is set to false, this parameter does not take effect.

    2. Run the following command to create a StorageClass:

      kubectl create -f sc-kms.yaml

    3. Run the following command to query the StorageClass:

      kubectl get sc csi-disk-encrypted

      Expected output:

      NAME                 PROVISIONER                       AGE
      csi-disk-encrypted   diskplugin.csi.alibabacloud.com   9m5s

  2. Create a persistent volume claim (PVC).

    1. Create a file named sc-pvc.yaml and add the following content to the file:

      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: disk-pvc
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 20Gi
        storageClassName: csi-disk-encrypted

    2. Run the following command to create a PVC:

      kubectl create -f sc-pvc.yaml

    3. Run the following command to query the PVC:

      kubectl get pvc

      Expected output:

      NAME             STATUS   VOLUME                        CAPACITY   ACCESS MODES   STORAGECLASS             AGE
      disk-pvc         Bound    d-wz92s6d95go6ki9x****        25Gi       RWO            csi-disk-encrypted       10m

    4. Run the following command to query the persistent volume (PV) that is bound to the PVC:

      kubectl get pv

      Expected output:

      NAME                     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                STORAGECLASS        REASON        AGE
      d-wz92s6d95go6ki9x****   25Gi       RWO            Retain           Bound    default/disk-pvc     csi-disk-encrypted                10m

      The preceding output shows that a disk is created and the disk ID is d-wz92s6d95go6ki9x****.

  3. Check whether the disk is encrypted.

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Storage & Snapshots > Disks.

    3. On the Disks page, verify that the d-wz92s6d95go6ki9x**** disk is in the Encrypted state.
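Because an unencrypted disk cannot be converted into an encrypted one later (see Limits), the StorageClass settings are worth checking before any PVC binds to them. The following Python audit is an added example and is not part of this documentation or of the CSI plugin: it reads the JSON that `kubectl get sc -o json` prints, applies the encrypted and kmsKeyId rules from the Note above, and checks that a PVC references a class that passed. The function names and the sample StorageClass list are constructed for the example.

```python
import json

DISK_PROVISIONER = "diskplugin.csi.alibabacloud.com"
# Placeholder key ID exactly as it appears in sc-kms.yaml above.
PLACEHOLDER_KEY_ID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

def audit_storage_classes(sc_list_json: str) -> dict:
    """Map each disk-plugin StorageClass name to a list of findings.
    Input is the JSON printed by `kubectl get sc -o json`; classes with
    other provisioners are skipped. An empty list means the class is fine."""
    findings = {}
    for sc in json.loads(sc_list_json).get("items", []):
        if sc.get("provisioner") != DISK_PROVISIONER:
            continue
        params = sc.get("parameters") or {}
        encrypted = params.get("encrypted", "false")  # absent means unencrypted
        key_id = params.get("kmsKeyId")
        issues = []
        if encrypted != "true":
            issues.append("disks created from this class are not encrypted")
            if key_id:  # the Note above: kmsKeyId has no effect in this case
                issues.append('kmsKeyId is set but ignored because encrypted is not "true"')
        elif key_id is None:
            issues.append("no kmsKeyId: the default CMK is used instead of a BYOK key")
        elif key_id == PLACEHOLDER_KEY_ID:
            issues.append("kmsKeyId is still the documentation placeholder")
        findings[sc["metadata"]["name"]] = issues
    return findings

def pvc_uses_encrypted_class(pvc_json: str, findings: dict) -> bool:
    """True when the PVC names a disk-plugin StorageClass with no findings."""
    name = json.loads(pvc_json).get("spec", {}).get("storageClassName")
    return name in findings and findings[name] == []

# Constructed sample of `kubectl get sc -o json`: the page's class (placeholder
# key), a BYOK class, a misconfigured class and an unrelated provisioner.
SAMPLE_SC_LIST = json.dumps({"items": [
    {"metadata": {"name": "csi-disk-encrypted"}, "provisioner": DISK_PROVISIONER,
     "parameters": {"fsType": "ext4", "type": "cloud_ssd", "encrypted": "true",
                    "kmsKeyId": PLACEHOLDER_KEY_ID}},
    {"metadata": {"name": "csi-disk-byok"}, "provisioner": DISK_PROVISIONER,
     "parameters": {"type": "cloud_ssd", "encrypted": "true",
                    "kmsKeyId": "11111111-2222-3333-4444-555555555555"}},
    {"metadata": {"name": "csi-disk-plain"}, "provisioner": DISK_PROVISIONER,
     "parameters": {"type": "cloud_ssd", "encrypted": "false",
                    "kmsKeyId": "11111111-2222-3333-4444-555555555555"}},
    {"metadata": {"name": "other-class"}, "provisioner": "example.com/other",
     "parameters": {"encrypted": "false"}},
]})
```

Run the audit against the real cluster by piping the output of kubectl get sc -o json into audit_storage_classes and the PVC manifest (as JSON) into pvc_uses_encrypted_class.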