linode / linode-blockstorage-csi-driver

Container Storage Interface (CSI) Driver for Linode Block Storage
Apache License 2.0

Feature: Adds optional support for LUKS encrypted mounts with an ext4 filesystem with a user supplied key #85

Closed. kitknox closed this 1 year ago.

kitknox commented 2 years ago

New functionality adding the ability to encrypt a PVC with a user-owned secret provides an additional security layer that gives control of the data to the cluster owner instead of the platform provider. Secret management is out of the scope of the CSI driver itself and currently expects a native Kubernetes Secret as the source for a given volume.

This new functionality is skipped if the optional luks-encrypted: "true" is not present for the StorageClass. You can have a mix of StorageClasses with and without LUKS enabled.

Tested on various LKE and non-LKE clusters with Linode CCM and CSI driver installed.
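The manifests below are an added illustration of how the opt-in described above would be wired together; they are not part of this PR and were not written by its author. The only parameter taken from the PR text is `luks-encrypted: "true"` on the StorageClass. Everything else is an assumption: the provisioner name `linodebs.csi.linode.com`, the use of the standard CSI sidecar parameters `csi.storage.k8s.io/node-stage-secret-name` and `csi.storage.k8s.io/node-stage-secret-namespace` to hand the Secret to the driver, and the data key `luksKey` inside the Secret, which is a placeholder for whatever key name the driver actually reads.

```yaml
# Added example, not from the PR. Key names marked ASSUMED are not confirmed by the page.
---
# The user-owned key. Create it out of band (for example from /dev/urandom) and
# keep a copy somewhere the cluster does not control: if this Secret is lost,
# the volume cannot be opened, and the platform provider cannot recover it either.
apiVersion: v1
kind: Secret
metadata:
  name: pvc-luks-key            # ASSUMED name, referenced from the StorageClass below
  namespace: kube-system        # ASSUMED namespace; RBAC on this namespace guards the key
type: Opaque
stringData:
  luksKey: "REPLACE-WITH-A-RANDOM-PASSPHRASE"   # ASSUMED data key; value is a placeholder
---
# StorageClass that opts in to LUKS. The only page-confirmed parameter is luks-encrypted.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: linode-block-storage-luks
provisioner: linodebs.csi.linode.com            # ASSUMED provisioner name
reclaimPolicy: Delete
volumeBindingMode: Immediate
parameters:
  luks-encrypted: "true"                        # from the PR description
  csi.storage.k8s.io/node-stage-secret-name: pvc-luks-key         # ASSUMED wiring
  csi.storage.k8s.io/node-stage-secret-namespace: kube-system     # ASSUMED wiring
---
# A second StorageClass without the flag keeps plain volumes, so both kinds can coexist.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: linode-block-storage-plain
provisioner: linodebs.csi.linode.com            # ASSUMED provisioner name
reclaimPolicy: Delete
---
# A PVC picks the encrypted class; nothing LUKS-specific appears at the PVC level.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: encrypted-data
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: linode-block-storage-luks
  resources:
    requests:
      storage: 10Gi
```

Two operational checks follow from the design in the PR text: restrict read access to the Secret's namespace with RBAC, since anyone who can read it can open the volume, and back the key up independently of the cluster, because the driver only consumes the Secret and offers no recovery path without it.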

displague commented 1 year ago

Would this resolve #63?

kitknox commented 1 year ago

That specifically proposes a case where Linode holds/manages the encryption keys. This implementation has the customer holding the keys, which is both a pro and a con for different customers. We can't open a customer's data when we don't have the key, but a customer now has to own keeping that key secure if they manage it.

frenchtoasters commented 1 year ago

Thanks for adding this feature @kitknox. Would you also be able to add updated tests to this PR for this new feature?

mfechtner commented 1 year ago

Hi, appreciate your efforts. Any plans to make this usable soon? @frenchtoasters @kitknox

luthermonson commented 1 year ago

Moved to https://github.com/linode/linode-blockstorage-csi-driver/pull/122