Data encryption is suitable for scenarios that require high security or have compliance
requirements. You do not need to create or maintain the key management infrastructure.
Encrypted storage helps you ensure data privacy and autonomy when data is stored on
Elastic Compute Service (ECS) instances. This topic describes how to use the customer
master keys (CMKs) hosted in Key Management Service (KMS) and the keys hosted in Object
Storage Service (OSS) to encrypt data stored in OSS volumes.
Prerequisites
- A Container Service for Kubernetes (ACK) cluster is created and the CSI plug-in is
deployed in the cluster. For more information, see Create a managed Kubernetes cluster.
- An OSS bucket is created. For more information, see Create buckets.
Note Select the internal endpoint if the OSS bucket and the ECS instance are deployed in
the same region.
- KMS is activated. For more information, see Activate KMS.
- A kubectl client is connected to the cluster. For more information, see Connect to an ACK cluster by using kubectl.
Encryption methods
OSS volumes support server-side encryption and client-side encryption. ACK supports
only server-side encryption.
- Server-side encryption encrypts data before the data is stored in the disk of an Alibaba
Cloud data center, and automatically decrypts data when an object is downloaded.
- Client-side encryption allows you to use an SDK to encrypt data on the client side
before the data is uploaded to OSS.
OSS provides the following server-side encryption methods that you can use in different
scenarios:
- Use the default CMK or a specified CMK to encrypt OSS objects
- To use the default KMS-hosted CMK to encrypt OSS objects, set
HTTP X-OSS-server-side-encryption
to KMS
and do not set the CMK ID when you upload object files.
- To use a specified KMS-hosted CMK to encrypt OSS objects, set
HTTP X-OSS-server-side-encryption
to KMS
and set X-OSS-server-side-encryption-key-id
to your CMK ID
when you upload object files.
Notice You are charged when you call API operations to encrypt or decrypt data with KMS keys.
For more information about KMS billing, see
Billing.
This method is cost-effective because you do not need to send data to the KMS server
over networks to encrypt and decrypt data.
- Use an OSS-hosted key to encrypt OSS objects
- This encryption method is based on OSS and implemented as an attribute of objects.
- OSS generates and manages the keys that are used for data encryption based on the
industry standard AES-256 strong encryption algorithm.
- You must set
HTTP X-OSS-server-side-encryption
to AES256
when you upload object files.
Only one server-side encryption method can be used for an object at a time.
Encrypt an OSS volume
You can use OSSFS to configure encryption parameters for OSS volumes. The parameters
take effect when the OSS volume is mounted as a persistent volume (PV). For more information
about OSSFS installation and setup, see Install and set up OSSFS.
OSSFS supports the following three encryption methods:
Method 1: Use the default KMS-hosted CMK to encrypt OSS objects
- Create a file named kms-cmk-default.yaml and copy the following code to the file:
apiVersion: v1
kind: PersistentVolume
metadata:
name: oss-csi-pv
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
csi:
driver: ossplugin.csi.alibabacloud.com
volumeHandle: oss-csi-pv
volumeAttributes:
bucket: "python"
url: "oss-cn-hangzhou.aliyuncs.com"
otherOpts: "-o max_stat_cache_size=0 -o allow_other"
akId: "LTAI4G6E3whAAKnzdRPx****"
akSecret: "uRJeIi0cbahgWOhxncpp54wR5b****"
path: "/"
encrypted: "kms"
Parameter |
Description |
akId |
AccessKey ID |
akSecret |
AccessKey Secret |
encrypted |
Specifies the encryption method.
- kms: specifies that the volume is encrypted by using KMS.
- aes256: specifies that the volume is encrypted by using the AES-256 algorithm.
|
- Run the following command to create an encrypted OSS volume:
kubectl create -f kms-cmk-default.yaml
- View the encrypted OSS volume in the ACK console.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose . On the Persistent Volumes page, verify that the encrypted OSS volume that you newly created is displayed.
Method 2: Use a specified KMS-hosted CMK to encrypt OSS objects
- Create a file named kms-cmk.yaml and copy the following code to the file:
apiVersion: v1
kind: PersistentVolume
metadata:
name: oss-csi-pv
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
csi:
driver: ossplugin.csi.alibabacloud.com
volumeHandle: oss-csi-pv
volumeAttributes:
bucket: "python"
url: "oss-cn-hangzhou.aliyuncs.com"
otherOpts: "-o max_stat_cache_size=0 -o allow_other"
akId: "LTAI4G6E3whAAKnzdRPx****"
akSecret: "uRJeIi0cbahgWOhxncpp54wR5b****"
path: "/"
encrypted: "kms"
kmsKeyId: "1234abcd-12ab-34cd-56ef-12345678****"
- Run the following command to create an encrypted OSS volume:
kubectl create -f kms-cmk.yaml
- View the encrypted OSS volume in the ACK console.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose . On the Persistent Volumes page, verify that the encrypted OSS volume that you newly created is displayed.
Use an OSS-hosted key to encrypt OSS objects
- Create a file named sse-oss.yaml and copy the following code to the file:
apiVersion: v1
kind: PersistentVolume
metadata:
name: oss-csi-pv
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
csi:
driver: ossplugin.csi.alibabacloud.com
volumeHandle: oss-csi-pv
volumeAttributes:
bucket: "python"
url: "oss-cn-hangzhou.aliyuncs.com"
otherOpts: "-o max_stat_cache_size=0 -o allow_other"
akId: "LTAI4G6E3whAAKnzdRPx****"
akSecret: "uRJeIi0cbahgWOhxncpp54wR5b****"
path: "/"
encrypted: "aes256"
- Run the following command to create an encrypted OSS volume:
kubectl create -f sse-oss.yaml
- View the encrypted OSS volume in the ACK console.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose . On the Persistent Volumes page, verify that the encrypted OSS volume that you newly created is displayed.