ovh / public-cloud-roadmap

Agile roadmap for OVHcloud Public Cloud services. Discover the features our product teams are working on, comment and influence our backlog.
https://www.ovhcloud.com/en/public-cloud/

Encrypted Block Volumes #307

Open JacquesMrz opened 2 years ago

JacquesMrz commented 2 years ago

As a user I want to be able to encrypt my block volumes.

scndel commented 2 years ago

A must which would facilitate the fulfillment of some of our requirements, as far as the scope includes volumes (block storage) for OVH Managed *Kubernetes* and uses server-side encryption with customer-provided encryption, like available now on OVH Object Storage (S3).

biapar commented 1 year ago

Can I have more info about encryption on OVH Object Storage (S3)? Thanks.

JohannesHeld commented 1 year ago

Customized encryption of data at rest is an important feature. Especially for potential customers from the financial sector.

JacquesMrz commented 1 year ago

> Can I have more info about encryption on OVH Object Storage (S3)? Thanks.

Hi @biapar, here is the guide about Encryption on S3 Object Storage in OVHcloud: https://docs.ovh.com/ie/en/storage/object-storage/s3/encrypt-your-objects-with-sse-c/

biapar commented 1 year ago

> > Can I have more info about encryption on OVH Object Storage (S3)? Thanks.
>
> Hi @biapar, here is the guide about Encryption on S3 Object Storage in OVHcloud.

Where?

scndel commented 1 year ago

Hi, any update on the topic? It's a real requirement from some customers.

igorrenquin commented 1 year ago

Hi,

ghost commented 1 year ago

Hi,

Any update on the topic?

MrOffline77 commented 11 months ago

Push - Want to see this in K8S 👍

scndel commented 11 months ago

Hi @JacquesMrz, it impacts our own roadmap so it'd also be nice to know that you will NOT implement it within the next months (therefore we'll unfortunately aim towards another encryption solution).

MrOffline77 commented 6 months ago

In the OpenStack world there is Cinder Barbican to provide encryption at rest (LUKS) for Cinder volumes. As an MKS customer, I would like to be able to use transparent encryption at rest on a PV. For example via a specific annotation on the PVC. We solve the issue so far by running a Ceph cluster ourselves in the cluster which runs on the PV of the MKS. We then work with transparent OSD encryption and create our own storage class. In doing so, we lose approx. 50% of the IOPS.

As a transitional solution, it would help if MKS had the high-speed GEN2 storage available in order to have more IOPS available.

julienkosinski commented 4 months ago

> Hi @JacquesMrz, it impacts our own roadmap so it'd be also nice to know that you will NOT implement it within next months (therefore we'll unfortunately aim towards another encryption solution).

If I read the roadmap correctly, it looks like it should be implemented more or less between July and October 2024 :).

biapar commented 4 months ago

Hi Julie, which solution do you use? @Ovh: Why this delay?

julienkosinski commented 4 months ago

@biapar Well, as of now, unencrypted volumes...

biapar commented 4 months ago

Nooo… I made a custom enc solution in C#. On the server I use a private key to enc the file and after I save on the blob. After I decrypt to read.

julienkosinski commented 4 months ago

@biapar Nice! :) In this regard, depending on your use case, you might be interested in SOPS (but I advise waiting until SOPS has a clearer release cycle, which should be explained soon). The most sensitive data I have to store are on the OVH Object Storage, which has a built-in encryption option. So I think I'll wait for OVH encryption for the Block part.

MrOffline77 commented 4 months ago

Feel free to reach out to me for support in setting up Rook with encryption at rest at OVH MKS. We are happy to assist you.

julienkosinski commented 4 months ago

Thank you! :)