Enabling Disk Encryption

The scripts used in this guide are the same as those downloaded at the beginning of the cluster deployment pages for AWS and GCP.

Run the following command, from a host that can reach the cluster VPC, to enable AES 256 disk encryption for your cluster; its -h output is shown below:

Caution: Enabling encryption will delete all existing data. It will then set up the cluster for encryption on disk and will automatically restart the cluster.

./grainite/scripts/bin/gcp-grainite cluster-enable-disk-encryption -h

enable-disk-encryption: Enables disk encryption in the current grainite
cluster returned by cluster-current

Usage:
    enable-disk-encryption

Envs:
    GXS_CERTS_KEYS_DIR:
        Default GXS_CERTS_KEYS_DIR=${HOME}/.gxscerts/

        For secure setup of grainite cluster and enabling disk encryption
        you need to export this env.  The CA CERTS, client certs and
        encryption KEYS will be generated under

            ${GXS_CERTS_KEYS_DIR}/<cluster-name>/{cacerts/, client/,
            keys/}

enable-disk-encryption generates a master key and a data encryption key for you. The master key encrypts the data encryption key, which in turn encrypts the data on disk. If you'd like to provide your own master key via a key management system, please see the next section.
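Because the certificates and the encryption keys land under ${GXS_CERTS_KEYS_DIR}/<cluster-name>/, it is worth confirming after the run that the three directories exist and that nobody but the owner can read them. The check below is an added example, not part of the Grainite scripts; the expectation that the directories are mode 700 and the files under keys/ are mode 600 is this example's assumption about a sane deployment, not a requirement stated by the tool.

```shell
#!/bin/sh
# Added example, not part of the Grainite scripts: verify the layout that
# enable-disk-encryption describes under ${GXS_CERTS_KEYS_DIR}/<cluster-name>/
# exists and that the private material is not readable by other users.
# The 700/600 expectation is this example's assumption, not the tool's.

# check_gxs_keys_dir <cluster-name>: returns 0 when cacerts/, client/ and
# keys/ exist and are owner-only (mode 700) and every file under keys/ is
# owner-only (mode 600). Prints one line per problem found.
check_gxs_keys_dir() {
  cluster="$1"
  base="${GXS_CERTS_KEYS_DIR:-$HOME/.gxscerts/}"   # same default as the tool
  root="${base%/}/$cluster"
  rc=0
  for sub in cacerts client keys; do
    dir="$root/$sub"
    if [ ! -d "$dir" ]; then
      echo "missing: $dir"; rc=1; continue
    fi
    # GNU stat (-c %a) first, BSD/macOS stat (-f %Lp) as fallback
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
    if [ "$mode" != "700" ]; then
      echo "too open: $dir is mode $mode, expected 700"; rc=1
    fi
  done
  if [ -d "$root/keys" ]; then
    for f in "$root/keys"/*; do
      [ -f "$f" ] || continue
      mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
      if [ "$mode" != "600" ]; then
        echo "too open: $f is mode $mode, expected 600"; rc=1
      fi
    done
  fi
  return $rc
}

# Usage: export GXS_CERTS_KEYS_DIR as you did for the tool, then
#   check_gxs_keys_dir <cluster-name> && echo "key material is private"
```

Run it with the same GXS_CERTS_KEYS_DIR you exported before enabling encryption; a non-zero exit with a "too open" line means the key directory was created under a permissive umask and should be tightened before the cluster goes into service.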

Bring Your Own Key (BYOK) Encryption

At the moment, BYOK encryption is supported only for GKE clusters created in GCP and AKS clusters created in Azure.

Prerequisites for setting up encryption at rest

Before setting up encryption at rest with a master key provided via Google Cloud KMS, you must set up the following:

  1. Key Ring in the same region as the cluster

  2. Key to be used as master key, created in the above Key Ring

  3. Service Account that has permission to encrypt and decrypt with that key (kms-encryption/kms-decryption) on behalf of the cluster.

    • At a minimum the Service Account should have the following roles: roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.viewer (see KMS Permissions and Roles)

To create a new cluster with encryption at rest

You can use the following command to create a brand new cluster with encryption at rest enabled:

gcp-grainite cluster-create-secure <cluster-name> -e -x <service_account> -y <key-ring> -z <key-name>

To enable encryption at rest for a cluster that is already created

You can use the following command to enable encryption at rest on a cluster that already exists. Please note that this step will remove all the existing data on the cluster.

gcp-grainite cluster_enable_disk_encryption_with_kms <cluster_name> -x <service_account> -y <key_ring> -z <key_name>
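The three prerequisites above and the two gcp-grainite commands can be tied together in one reviewable script. The following is an added example, not part of the Grainite scripts: it creates the key ring, the master key and the Service Account with gcloud, grants only the roles listed in the prerequisites, and prints the cluster-create-secure and cluster_enable_disk_encryption_with_kms invocations with those values filled in. The project, region, ring, key and account names are placeholders chosen for this example, and nothing is changed in the project unless APPLY=1 is exported; by default every gcloud command is only printed.

```shell
#!/bin/sh
# Added example, not part of the Grainite scripts: create the Google Cloud KMS
# prerequisites with gcloud, grant the Service Account the minimum roles,
# and print the two gcp-grainite commands with the resulting values.
# All names below are placeholders chosen for this example.
# Nothing is changed in the project unless APPLY=1 is exported.
set -eu

KMS_PROJECT="${KMS_PROJECT:-example-project}"
KMS_REGION="${KMS_REGION:-us-central1}"       # must match the cluster's region
KMS_KEY_RING="${KMS_KEY_RING:-grainite-ring}"
KMS_KEY_NAME="${KMS_KEY_NAME:-grainite-master-key}"
KMS_SA_NAME="${KMS_SA_NAME:-grainite-kms}"
KMS_SA_EMAIL="${KMS_SA_NAME}@${KMS_PROJECT}.iam.gserviceaccount.com"

# run: print the command, and execute it only when APPLY=1
run() {
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Step 1: key ring in the same region as the cluster
create_key_ring() {
  run gcloud kms keyrings create "$KMS_KEY_RING" \
    --project "$KMS_PROJECT" --location "$KMS_REGION"
}

# Step 2: symmetric key in that ring; this is the master (key-encryption) key
create_master_key() {
  run gcloud kms keys create "$KMS_KEY_NAME" \
    --project "$KMS_PROJECT" --location "$KMS_REGION" \
    --keyring "$KMS_KEY_RING" --purpose encryption
}

# Step 3: service account that may encrypt/decrypt with this one key only,
# plus project-level viewer so it can look the ring and key up
create_service_account() {
  run gcloud iam service-accounts create "$KMS_SA_NAME" --project "$KMS_PROJECT"
  for role in roles/cloudkms.cryptoKeyEncrypter roles/cloudkms.cryptoKeyDecrypter; do
    run gcloud kms keys add-iam-policy-binding "$KMS_KEY_NAME" \
      --project "$KMS_PROJECT" --location "$KMS_REGION" --keyring "$KMS_KEY_RING" \
      --member "serviceAccount:${KMS_SA_EMAIL}" --role "$role"
  done
  run gcloud projects add-iam-policy-binding "$KMS_PROJECT" \
    --member "serviceAccount:${KMS_SA_EMAIL}" --role roles/cloudkms.viewer
}

# The two gcp-grainite invocations from this page, with the values above
new_cluster_command() {
  printf 'gcp-grainite cluster-create-secure %s -e -x %s -y %s -z %s\n' \
    "$1" "$KMS_SA_EMAIL" "$KMS_KEY_RING" "$KMS_KEY_NAME"
}
existing_cluster_command() {
  printf 'gcp-grainite cluster_enable_disk_encryption_with_kms %s -x %s -y %s -z %s\n' \
    "$1" "$KMS_SA_EMAIL" "$KMS_KEY_RING" "$KMS_KEY_NAME"
}

main() {
  create_key_ring
  create_master_key
  create_service_account
  echo "# new cluster:";      new_cluster_command "${1:-my-cluster}"
  echo "# existing cluster:"; existing_cluster_command "${1:-my-cluster}"
}
main "$@"
```

The roles are bound on the individual key rather than on the project, so the Service Account can use only the Grainite master key and nothing else in the ring; only roles/cloudkms.viewer, which grants no cryptographic operations, is bound at project scope. Pass the cluster name as the first argument, review the printed plan, then re-run with APPLY=1 to execute it.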
