Support Volume Encryption

[kekoav]

Feature Request

Support volume encryption for LKE clusters via the CSI driver.

Reasoning

Data encryption is critical for ensuring the security of data at rest for any system. Volume encryption is a simple method to ensure all data is protected if physical security of the hardware is ever compromised. Encryption is now a standard feature of modern clouds, and it is required for PCI-DSS compliance and other security standards.

Other Solutions

Other cloud providers provide volume encryption as an option within the StorageClass.

• AWS provides StorageClass option
• IBM Cloud provides StorageClass option
• DigitalOcean encrypts with LUKS by default
• Google Cloud encrypts by default and manages keys, but also provides the option for customers to manage keys

Proposed Solution

I propose a solution which enables encryption simply via the StorageClass definition using Linode-managed keys for simplicity for the users, but also allows for unencrypted volumes for use cases where users do not need encryption.

Example StorageClass With encrypted Attribute

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    lke.linode.com/caplke-version: v1.x
  name: linode-block-storage-encrypted
allowVolumeExpansion: true
encrypted: true
provisioner: linodebs.csi.linode.com
reclaimPolicy: Delete
volumeBindingMode: Immediate

Implementation Ideas

The simplest way seems to be with LUKS support similar to DigitalOcean. Key management is going to be important, and how they are managed should be transparent to users. The security of these keys requires some type of KMS.

[xxated]

I would find that extremely useful as well!