Image Security

Available as of v1.4.0

Harvester v1.4.0 and later versions allow you to encrypt and decrypt virtual machine images. The encryption mechanism uses the Linux kernel module dm_crypt and the command-line utility cryptsetup.

Prerequisites

Prepare the following resources:

  • Source virtual machine image: You can upload or create an image using any of the supported methods.

    Caution:

    Do not upload an encrypted image.

  • Secret: A Kubernetes Secret holds the dm_crypt passphrase. You must specify the value of the CRYPTO_KEY_VALUE field; all other fields are fixed.

    Example of a secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: encryption
      namespace: default
    # stringData takes plain-text values; the API server stores them Base64-encoded under data
    stringData:
      CRYPTO_KEY_CIPHER: aes-xts-plain64
      CRYPTO_KEY_HASH: sha256
      CRYPTO_KEY_PROVIDER: secret
      CRYPTO_KEY_SIZE: "256"
      CRYPTO_KEY_VALUE: "Your encryption passphrase"
      CRYPTO_PBKDF: argon2i

    Important:

    The example shows the default values for the Kubernetes Secret. You can also use the following LUKS encryption options (LUKS is a cryptsetup operating mode). Harvester v1.4.1 and later versions support these options, but you must verify that your nodes support them.

    Option              Possible Values
    CRYPTO_KEY_CIPHER   aes-xts-plain, aes-xts-plain64, aes-cbc-plain, aes-cbc-plain64, aes-cbc-essiv:sha256
    CRYPTO_KEY_HASH     sha256, sha384, sha512
    CRYPTO_KEY_SIZE     256, 384, 512
    CRYPTO_PBKDF        argon2i, argon2id, pbkdf2

    You can create a secret in the system namespace using kubectl or the Harvester UI (Edit as YAML feature). Resources in the system namespace are not displayed on the Harvester UI Secrets screen.

  • StorageClass: Images are encrypted using Longhorn, so required fields must be passed to the Longhorn CSI Driver. You can specify the encryption secret when creating a StorageClass. For more information, see Image StorageClass.

    Example of a StorageClass:

    allowVolumeExpansion: true
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: encryption
    parameters:
      csi.storage.k8s.io/node-publish-secret-name: encryption
      csi.storage.k8s.io/node-publish-secret-namespace: default
      csi.storage.k8s.io/node-stage-secret-name: encryption
      csi.storage.k8s.io/node-stage-secret-namespace: default
      csi.storage.k8s.io/provisioner-secret-name: encryption
      csi.storage.k8s.io/provisioner-secret-namespace: default
      encrypted: "true"
      migratable: "true"
      numberOfReplicas: "3"
      staleReplicaTimeout: "2880"
    provisioner: driver.longhorn.io
    reclaimPolicy: Delete
    volumeBindingMode: Immediate

    Important:

    You can create a secret in the system namespace using the Harvester UI (Edit as YAML feature) and kubectl. Resources in the system namespace are not displayed on the Harvester UI Secrets screen.
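A pre-apply check of the encryption Secret against the option table above catches the mistakes that otherwise only surface as a failed volume attach: a value outside the supported set, a plain-text value placed under data instead of stringData, or the documentation placeholder left as the passphrase. This is an added example, not part of the Harvester documentation or project; the manifest it checks is constructed.

```python
import base64

# Supported values, taken from the LUKS option table in the documentation.
ALLOWED = {
    "CRYPTO_KEY_CIPHER": {"aes-xts-plain", "aes-xts-plain64", "aes-cbc-plain",
                          "aes-cbc-plain64", "aes-cbc-essiv:sha256"},
    "CRYPTO_KEY_HASH": {"sha256", "sha384", "sha512"},
    "CRYPTO_KEY_SIZE": {"256", "384", "512"},
    "CRYPTO_PBKDF": {"argon2i", "argon2id", "pbkdf2"},
    "CRYPTO_KEY_PROVIDER": {"secret"},
}
PLACEHOLDER = "Your encryption passphrase"  # value shown in the docs example


def decoded_fields(secret: dict) -> dict:
    """Merge stringData (plain) and data (Base64) into one plain-text dict."""
    fields = dict(secret.get("stringData") or {})
    for key, value in (secret.get("data") or {}).items():
        try:
            fields[key] = base64.b64decode(str(value), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            # A raw value under data is rejected by the API server; flag it.
            fields[key] = f"<invalid base64: {value!r}>"
    return fields


def check_encryption_secret(secret: dict) -> list:
    """Return a list of problems; an empty list means the Secret is usable."""
    problems = []
    if secret.get("kind") != "Secret":
        problems.append("manifest is not a Secret")
    fields = decoded_fields(secret)
    for key, allowed in ALLOWED.items():
        value = fields.get(key)
        if value is None:
            problems.append(f"missing {key}")
        elif value not in allowed:
            problems.append(f"{key}={value!r} is not one of {sorted(allowed)}")
    passphrase = fields.get("CRYPTO_KEY_VALUE")
    if not passphrase:
        problems.append("missing CRYPTO_KEY_VALUE")
    elif passphrase == PLACEHOLDER:
        problems.append("CRYPTO_KEY_VALUE still holds the documentation placeholder")
    return problems


# Constructed sample: the docs example, but with one raw value under data.
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "encryption", "namespace": "default"},
    "data": {"CRYPTO_KEY_CIPHER": "aes-xts-plain64"},  # not Base64: flagged
    "stringData": {"CRYPTO_KEY_HASH": "sha256", "CRYPTO_KEY_PROVIDER": "secret",
                   "CRYPTO_KEY_SIZE": "256", "CRYPTO_KEY_VALUE": PLACEHOLDER,
                   "CRYPTO_PBKDF": "argon2i"},
}

if __name__ == "__main__":
    for problem in check_encryption_secret(SAMPLE):
        print("problem:", problem)
```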

Encrypt a Virtual Machine Image

  1. On the Harvester UI, go to Images.

  2. Click Create.

  3. Specify a namespace and a name.

  4. On the Basics tab, select Encrypt and then select a source image.

  5. On the Storage tab, select a StorageClass that includes encryption-related fields.

    Harvester passes the required fields to Longhorn.

  6. Click Create.

Decrypt a Virtual Machine Image

  1. On the Harvester UI, go to Images.

  2. Click Create.

  3. Specify a namespace and a name.

  4. On the Basics tab, select Decrypt and then select a source image.

  5. On the Storage tab, select harvester-longhorn (Default) or another commonly used StorageClass.

    Harvester uses the StorageClass of the source image that you want to decrypt.

  6. Click Create.

Use an Image with Encrypted Volumes

You must select the image that you want to use when creating a virtual machine.

The Virtual Machines screen displays an icon and a message when the volumes used by a virtual machine are encrypted.

To determine which volumes are encrypted, check the Volumes tab on the Virtual Machine details screen.

Advanced Usage with Rancher Integration

The Secret data is only Base64-encoded, not encrypted, so anyone who can read the Secret can read the passphrase. To keep the secret safe, use projects and namespaces to isolate permissions. For more information, see Multi-Tenancy.

Limitations

You cannot perform the following actions:

  • Export a new image from an encrypted image
  • Download an encrypted image
  • Upload an encrypted image