How to convert non-encrypted Portworx volumes to encrypted (secure) volumes

There is no direct way to convert an existing Portworx volume into an encrypted one in place. Instead, create a new StorageClass with the secure parameter set, provision a new PVC from it (Portworx then creates the encrypted volume dynamically), import the data from the old volume, and point the application at the new PVC.

Follow the steps below for new or existing applications:

1. Identify the PVC and StorageClass used by the application workloads.

# PVC name, taken from the pod's volume spec
kubectl -n mysqlns describe pod <application-pod-id> | grep -i "ClaimName" | awk '{print $2}'

# StorageClass name: column 6 of the kubectl get pvc table, with the header row dropped
kubectl -n mysqlns get pvc <pvc-id> | grep -v STORAGECLASS | awk '{print $6}'

2. Export the existing StorageClass definition as the starting point for the encrypted StorageClass.

# StorageClass is cluster-scoped, so no namespace is needed
kubectl get storageclass mysql-sc -o yaml > mysql-secure-sc.yaml

3. Edit the exported definition and apply it as a new StorageClass with the secure parameter set to true (refer to https://docs.portworx.com/key-management/aws-kms/pvc-enc). Give it a new name and remove the server-populated metadata that kubectl get -o yaml exports (uid, resourceVersion, creationTimestamp and the kubectl.kubernetes.io/last-applied-configuration annotation); the API server rejects a create request that still carries a resourceVersion.

metadata:
  name: mysql-secure-sc
parameters:
  secure: "true"

kubectl apply -f mysql-secure-sc.yaml

  • Create a new PVC (mysql-secure-pvc in this example) that references the new StorageClass. Portworx provisions an encrypted volume for it and the PVC moves to the Bound state:

kubectl -n mysqlns get pvc mysql-secure-pvc

  • Find the Portworx volume ID that backs the new PVC:

pxctl volume list | grep <pvc-id>
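The two manifests that steps 2 and 3 produce by hand can also be generated, as in the following added example (it is not from the Portworx documentation or the original page). make_secure_storageclass reads an exported StorageClass, strips the server-populated metadata, renames it and sets secure: "true"; make_pvc_manifest writes the claim that asks the new class for an encrypted volume. The exported StorageClass it starts from is a constructed sample; the names mysql-sc, mysql-secure-sc, mysql-secure-pvc and mysqlns follow the page, while the kubernetes.io/portworx-volume provisioner and the 20Gi size are assumptions.

```shell
#!/bin/sh
# Added example: derive the encrypted StorageClass and its PVC from an exported
# StorageClass. Names and the 20Gi size are assumptions, not values from the page.

# Constructed sample of what `kubectl get storageclass mysql-sc -o yaml` returns,
# including the server-populated metadata that must not be sent back on create.
SAMPLE_SC=$(cat <<'EOF'
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"name":"mysql-sc"}}
  creationTimestamp: "2024-01-01T00:00:00Z"
  name: mysql-sc
  resourceVersion: "12345"
  uid: 3a6f2c1e-0000-4000-8000-000000000000
parameters:
  repl: "3"
provisioner: kubernetes.io/portworx-volume
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
)

# Read an exported StorageClass on stdin; write a cleaned copy on stdout that is
# renamed to $1 and carries secure: "true" in its parameters.
make_secure_storageclass() {
  awk -v new="$1" '
    # Drop metadata.annotations / metadata.managedFields and every nested line.
    /^  (annotations|managedFields):/ { skip = 1; next }
    skip && (/^    / || /^  - /)      { next }
    { skip = 0 }
    # Drop scalar metadata the API server populates itself.
    /^  (creationTimestamp|resourceVersion|uid|selfLink|generation):/ { next }
    /^  name:/      { print "  name: " new; next }
    # Replace any existing secure setting with ours, directly under parameters:.
    /^  secure:/    { next }
    /^parameters:/  { print; print "  secure: \"true\""; seen = 1; next }
    { print }
    END { if (!seen) { print "parameters:"; print "  secure: \"true\"" } }
  '
}

# Emit a PVC that requests an encrypted volume from the new StorageClass.
# $1 = PVC name, $2 = namespace, $3 = StorageClass, $4 = size (match the old PVC).
make_pvc_manifest() {
  cat <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: $1
  namespace: $2
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: $3
  resources:
    requests:
      storage: $4
EOF
}

# Stand-alone demo on the constructed sample. Against a real cluster, replace the
# printf with: kubectl get storageclass mysql-sc -o yaml
printf '%s\n' "$SAMPLE_SC" | make_secure_storageclass mysql-secure-sc
echo '---'
make_pvc_manifest mysql-secure-pvc mysqlns mysql-secure-sc 20Gi
```

In use, pipe `kubectl get storageclass mysql-sc -o yaml` into `make_secure_storageclass mysql-secure-sc > mysql-secure-sc.yaml`, apply it, then apply the PVC manifest. Size the new claim from the old one (`kubectl -n mysqlns get pvc <pvc-id> -o jsonpath='{.spec.resources.requests.storage}'`) so the later import has room for all of the data.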

4. Import the data from the non-encrypted volume into the encrypted one with the pxctl volume import command, for example:

  • Run mount on the node where the original volume is attached to find where it is mounted.

mount | grep <Portworx-Volume-ID>

  • Then import all the data from that mount point into the new encrypted volume.

pxctl volume import --src /var/lib/kubelet/pods/93d1dfdf-95d7-4217-9594-f8c789908ba1/volumes/kubernetes.io~portworx-volume/pvc-b2dd7ac7-04ad-48f4-a7eb-31e936b46acc <Portworx-Volume-ID>

The path given to --src is the absolute path where the original non-encrypted volume is mounted, and the final argument is the volume ID of the encrypted volume. The import is a point-in-time copy: anything the application writes to the original volume after the import finishes is not carried over, so make sure it has stopped writing before you import.

5. Bring down the application workload by scaling its replicas to 0.

kubectl -n mysqlns scale deployment/mysql-deployment --replicas=0
OR
kubectl -n mysqlns edit deployment mysql-deployment

replicas: 0

  • Then edit and save the application deployment so that its volume references the new encrypted PVC (claimName: mysql-secure-pvc instead of the old claim).

6. Scale the application deployment back up to its original replica count.

kubectl -n mysqlns scale deployment/mysql-deployment --replicas=3

7. The application now starts on the new encrypted Portworx volume with the existing data.
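The import of step 4 and the cut-over of steps 5 and 6, written as shell functions in the following added example (not from the Portworx documentation or the original page). The kubectl and pxctl binaries are injectable through the KUBECTL and PXCTL variables so the whole sequence can be rehearsed against a stub before it touches a cluster, and the claim switch is done with a JSON patch instead of an interactive edit. The namespace, deployment and PVC names follow the page; the pod UID, volume ID and volume index 0 are constructed placeholders.

```shell
#!/bin/sh
# Added example: steps 4 to 6 as functions. KUBECTL / PXCTL override the tool
# binaries (defaults: kubectl, pxctl). IDs in the demo are constructed placeholders.

# Where kubelet mounts an in-tree Portworx PVC inside a pod; this is the layout
# of the --src path shown in step 4. CSI-provisioned volumes are mounted under
# kubernetes.io~csi/<pv-name>/mount instead.
kubelet_mount_path() {   # $1 = pod UID, $2 = PVC/PV name (pvc-<uid>)
  printf '/var/lib/kubelet/pods/%s/volumes/kubernetes.io~portworx-volume/%s\n' "$1" "$2"
}

# Step 4: copy the data of the mounted plain volume into the encrypted volume.
# Must run on the node where the pod, and therefore the old volume, is attached.
import_to_encrypted() {  # $1 = pod UID, $2 = old PVC name, $3 = encrypted volume ID
  "${PXCTL:-pxctl}" volume import --src "$(kubelet_mount_path "$1" "$2")" "$3"
}

# JSON patch that repoints volume number $1 of the deployment's pod template at
# PVC $2 (the "edit and save the deployment" part of step 5, without an editor).
claim_patch() {
  printf '[{"op":"replace","path":"/spec/template/spec/volumes/%s/persistentVolumeClaim/claimName","value":"%s"}]\n' "$1" "$2"
}

# Steps 5 and 6: stop the workload, switch its claim, start it again.
# $1 = namespace, $2 = deployment, $3 = new PVC, $4 = volume index, $5 = original replicas
cutover() {
  kc="${KUBECTL:-kubectl}"
  "$kc" -n "$1" scale "deployment/$2" --replicas=0
  "$kc" -n "$1" patch "deployment/$2" --type=json -p "$(claim_patch "$4" "$3")"
  "$kc" -n "$1" scale "deployment/$2" --replicas="$5"
}

# Stand-alone demo of the pure helpers (no cluster needed); constructed IDs.
kubelet_mount_path 93d1dfdf-0000-4000-8000-000000000000 pvc-b2dd7ac7-0000-4000-8000-000000000000
claim_patch 0 mysql-secure-pvc
```

On a real cluster, run `import_to_encrypted <pod-uid> <old-pvc> <encrypted-volume-id>` on the node that holds the old volume, confirm with `kubectl -n mysqlns get pods` that the application is no longer writing, then run `cutover mysqlns mysql-deployment mysql-secure-pvc 0 3`. The volume index is the position of the claim in the deployment's volumes list; check it with `kubectl -n mysqlns get deployment mysql-deployment -o jsonpath='{.spec.template.spec.volumes}'` before patching.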