Setup secret in Vault for portworx volume encryption (Encrypt Portworx Volumes with HashiCorp Vault) | [Token Method]

Prerequisites:
Follow the steps on the Vault page to set up Vault and prepare your Portworx cluster to use Vault as its secrets provider.

  1. On the Vault UI, under Secrets, select Enable new engine +.

  2. Select KV and select Next.

  3. Under Path, enter the mount path (kv here), keep Version at 2 and select Enable Engine.
     Let's say you want to give Portworx access to a specific path, kv/portworx/alpha, where the secrets will be stored.

  4. Create a secret under the path kv/portworx/alpha, named for example test-secret or pxvolsecret, and give it key-value pairs, for example the key foo with the value mysecret, as shown below:

  5. Create a secret named px-vault in Kubernetes containing the Vault server address, the token and the backend path (kv/portworx/alpha), each base64-encoded. Use echo -n so that no trailing newline ends up inside the encoded value:

echo -n https://70.0.0.1:8200 | base64
echo -n abcd123456789123456 | base64
echo -n kv/portworx/alpha | base64

apiVersion: v1
kind: Secret
metadata:
  name: px-vault
  namespace: kube-system
type: Opaque
data:
  VAULT_ADDR: aHR0cHM6Ly83MC4wLjAuMTo4MjAw
  VAULT_TOKEN: YWJjZDEyMzQ1Njc4OTEyMzQ1Ng==
  VAULT_BACKEND_PATH: a3YvcG9ydHdvcngvYWxwaGE=

  6. If the Portworx DaemonSet is already configured to use Vault, you only need to restart the Portworx service:

kubectl label nodes --all px/service=restart

  7. This restarts Portworx on all nodes and makes every node aware of the Vault credentials stored in the Kubernetes secret px-vault.

  8. Create a secure volume using the secret stored in Vault, either directly with pxctl or via a Kubernetes object, as follows:

Per-key encrypted volumes can be created as follows:

/opt/pwx/bin/pxctl volume create --secure --secret_key test-secret securevolume1

Cluster-wide key encrypted volumes require you to first set the Vault secret as the cluster-wide key; secure (encrypted) volumes are then created without naming a key:

/opt/pwx/bin/pxctl secrets set-cluster-key --secret test-secret
/opt/pwx/bin/pxctl volume create --secure securevolume2

For the Kubernetes object method, refer to Encrypting Kubernetes PVCs with Vault.
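The steps above as one script, added here as an example and not code from the original post or from Portworx or HashiCorp. It renders the px-vault Secret from the three values (refusing any value that carries whitespace, since a bare echo instead of echo -n would hide a newline inside the base64), prints a read-only Vault policy for the token, and lists the Vault CLI commands that correspond to the UI clicks. The policy scope (read on the backend path), the policy name portworx-alpha and the token options are assumptions; widen the policy only if your cluster writes keys back to Vault.

```shell
#!/usr/bin/env bash
# Added example, not Portworx or Vault project code. Renders the px-vault
# Secret from the three values, refusing values that carry whitespace (a bare
# `echo` instead of `echo -n` would hide a newline inside the base64), prints
# a read-only Vault policy for the token, and lists the Vault CLI commands that
# correspond to the UI clicks in the post. Policy scope and the policy/token
# names are assumptions.
set -eu

# base64 of the exact bytes given, no trailing newline in input or output
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# returns 1 if the value is empty or contains any whitespace (newline, space, tab)
clean_value() {
  case "$1" in
    ""|*[[:space:]]*) return 1 ;;
  esac
  return 0
}

# $1 = VAULT_ADDR, $2 = VAULT_TOKEN, $3 = VAULT_BACKEND_PATH
render_px_vault_secret() {
  if ! clean_value "$1" || ! clean_value "$2" || ! clean_value "$3"; then
    echo "refusing to render: a value is empty or contains whitespace" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: px-vault
  namespace: kube-system
type: Opaque
data:
  VAULT_ADDR: $(b64 "$1")
  VAULT_TOKEN: $(b64 "$2")
  VAULT_BACKEND_PATH: $(b64 "$3")
EOF
}

# Least-privilege policy for the token placed in px-vault (assumption: read on
# the backend path is enough for the token method shown here; KV v2 serves
# secret data under <mount>/data/... and listings under <mount>/metadata/...).
# $1 = backend path, e.g. kv/portworx/alpha
render_vault_policy() {
  case "$1" in
    */*) mount="${1%%/*}"; rest="${1#*/}" ;;
    *)   echo "backend path must look like <mount>/<path>, got: $1" >&2; return 1 ;;
  esac
  cat <<EOF
path "${mount}/data/${rest}/*" {
  capabilities = ["read"]
}
path "${mount}/metadata/${rest}/*" {
  capabilities = ["list", "read"]
}
EOF
}

# Vault-side steps as CLI commands (printed, not run, so this stays offline).
# Token TTL and renewal are left to your rotation process.
print_vault_setup() {
  cat <<'EOF'
vault secrets enable -path=kv -version=2 kv
vault kv put kv/portworx/alpha/test-secret foo=mysecret
vault policy write portworx-alpha portworx-alpha.hcl
vault token create -policy=portworx-alpha -orphan
EOF
}

# Example run with the placeholder values from the post:
#   render_vault_policy kv/portworx/alpha > portworx-alpha.hcl
#   render_px_vault_secret https://70.0.0.1:8200 abcd123456789123456 kv/portworx/alpha | kubectl apply -f -
```

Run render_vault_policy first and write the HCL to the file named in print_vault_setup, then create the token with that policy and feed it to render_px_vault_secret; piping the manifest straight into kubectl apply -f - keeps the token out of files on disk.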
