Volume Security

Available as of v1.4.0

Harvester v1.4.0 and later versions allow you to encrypt and decrypt virtual machine images. The encryption mechanism uses the Linux kernel module dm_crypt and the command-line utility cryptsetup.

Prerequisites

Prepare the following resources:

  • Secret: A Kubernetes Secret holds the passphrase that dm_crypt uses. You must set the value of the CRYPTO_KEY_VALUE field; all other fields are fixed.

    Example Secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: encryption
      namespace: default
    # stringData takes plaintext values; Kubernetes Base64-encodes them into data on creation.
    # Only CRYPTO_KEY_VALUE is user-defined; the remaining fields are fixed.
    stringData:
      CRYPTO_KEY_CIPHER: aes-xts-plain64
      CRYPTO_KEY_HASH: sha256
      CRYPTO_KEY_PROVIDER: secret
      CRYPTO_KEY_SIZE: "256"
      CRYPTO_KEY_VALUE: "Your encryption passphrase"
      CRYPTO_PBKDF: argon2i

    Important

    You can create a secret in the system namespace using kubectl or the Harvester UI (Edit as YAML feature). Resources in the system namespace are not displayed on the Harvester UI Secrets screen.

  • StorageClass: Images are encrypted by Longhorn, so the required parameters must be passed to the Longhorn CSI driver. You specify the encryption Secret in the StorageClass parameters when you create the StorageClass. For more information, see Image StorageClass.

    Example of a StorageClass:

    allowVolumeExpansion: true
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: encryption
    parameters:
      # The same Secret is referenced for the provisioner, node-stage and node-publish steps.
      csi.storage.k8s.io/node-publish-secret-name: encryption
      csi.storage.k8s.io/node-publish-secret-namespace: default
      csi.storage.k8s.io/node-stage-secret-name: encryption
      csi.storage.k8s.io/node-stage-secret-namespace: default
      csi.storage.k8s.io/provisioner-secret-name: encryption
      csi.storage.k8s.io/provisioner-secret-namespace: default
      encrypted: "true"
      migratable: "true"
      numberOfReplicas: "3"
      staleReplicaTimeout: "2880"
    provisioner: driver.longhorn.io
    reclaimPolicy: Delete
    volumeBindingMode: Immediate

    Important

    The Secret example above uses the default values for a Kubernetes Secret. Beyond these defaults, you can use the encryption options of LUKS mode, which is a cryptsetup operating mode. Harvester v1.4.1 and later versions support these options, but you must verify that your nodes support them.

    Option              Possible values
    CRYPTO_KEY_CIPHER   aes-xts-plain, aes-xts-plain64, aes-cbc-plain, aes-cbc-plain64, aes-cbc-essiv:sha256
    CRYPTO_KEY_HASH     sha256, sha384, sha512
    CRYPTO_KEY_SIZE     256, 384, 512
    CRYPTO_PBKDF        argon2i, argon2id, pbkdf2
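    As an added example (not part of the Harvester documentation), the following Python check reviews a dm_crypt Secret and its StorageClass before they are applied: option values against the table above, a consistent Secret reference across all three CSI secret parameters, and `encrypted: "true"`. Manifests are represented as the dicts a YAML loader would produce; the 16-character passphrase floor and the sample manifests are constructed assumptions.

```python
import base64
ALLOWED = {  # allowed LUKS option values, from the table in the Harvester docs above
    "CRYPTO_KEY_CIPHER": {"aes-xts-plain", "aes-xts-plain64", "aes-cbc-plain",
                          "aes-cbc-plain64", "aes-cbc-essiv:sha256"},
    "CRYPTO_KEY_HASH": {"sha256", "sha384", "sha512"}, "CRYPTO_KEY_SIZE": {"256", "384", "512"},
    "CRYPTO_PBKDF": {"argon2i", "argon2id", "pbkdf2"},
}
STAGES = ("node-publish", "node-stage", "provisioner")  # the three CSI secret references

def secret_fields(secret):
    """Merge stringData with base64-decoded data: a Secret is only encoded, never encrypted."""
    fields = dict(secret.get("stringData", {}))
    for key, val in secret.get("data", {}).items():
        fields.setdefault(key, base64.b64decode(val).decode())
    return fields

def check_secret(secret, min_passphrase_len=16):
    """Findings for the dm_crypt Secret; [] means it passes. The length floor is an assumed policy."""
    f, findings = secret_fields(secret), []
    if f.get("CRYPTO_KEY_PROVIDER") != "secret":
        findings.append("CRYPTO_KEY_PROVIDER must be 'secret'")
    for key, allowed in ALLOWED.items():  # an unquoted YAML integer such as 256 fails: not a string
        if f.get(key) not in allowed:
            findings.append(f"{key}={f.get(key)!r} is not one of {sorted(allowed)}")
    if len(str(f.get("CRYPTO_KEY_VALUE", ""))) < min_passphrase_len:
        findings.append("CRYPTO_KEY_VALUE is missing or shorter than the assumed minimum")
    return findings

def check_storage_class(sc, secret):
    """Check that every CSI stage of the StorageClass points Longhorn at the same Secret."""
    p, findings = sc.get("parameters", {}), []
    if sc.get("provisioner") != "driver.longhorn.io":
        findings.append("provisioner is not driver.longhorn.io")
    if p.get("encrypted") != "true":
        findings.append('parameters.encrypted must be the string "true"')
    name, ns = secret["metadata"]["name"], secret["metadata"].get("namespace", "default")
    for stage in STAGES:
        prefix = f"csi.storage.k8s.io/{stage}-secret-"
        if (p.get(prefix + "name"), p.get(prefix + "namespace")) != (name, ns):
            findings.append(f"{stage} secret reference does not resolve to {ns}/{name}")
    return findings

# Constructed sample manifests (not from the docs): unsupported hash, key size written as an int.
SAMPLE_SECRET = {"kind": "Secret", "metadata": {"name": "encryption", "namespace": "default"},
    "stringData": {"CRYPTO_KEY_CIPHER": "aes-xts-plain64", "CRYPTO_KEY_HASH": "sha1",
                   "CRYPTO_KEY_PROVIDER": "secret", "CRYPTO_KEY_SIZE": 256, "CRYPTO_PBKDF": "argon2id",
                   "CRYPTO_KEY_VALUE": "constructed-passphrase-for-testing-only"}}
SAMPLE_SC = {"provisioner": "driver.longhorn.io", "parameters": {"encrypted": "true",
    **{f"csi.storage.k8s.io/{s}-secret-name": "encryption" for s in STAGES},
    **{f"csi.storage.k8s.io/{s}-secret-namespace": "default" for s in STAGES}}}
```

    Running check_secret on the sample reports the sha1 hash and the integer key size; the StorageClass passes because all three CSI references resolve to default/encryption.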

Encrypted Volumes

You can create an encrypted volume by selecting an encrypted StorageClass in the following UI locations:

  • Volumes: Create screen

  • Volumes tab on the Virtual Machine: Create screen

Advanced Usage with Rancher Integration

The Secret stores the passphrase as a Base64-encoded string, which is encoding, not encryption: anyone who can read the Secret can recover the passphrase. To keep the Secret safe, use projects and namespaces to isolate permissions so that only the intended users can read it. For more information, see Multi-Tenancy.

Limitations

You cannot perform the following actions:

  • Export a new volume from an encrypted volume
  • Restore an encrypted volume to an unencrypted volume
  • Restore an unencrypted volume to an encrypted volume