OpenShift Installer / CORS-1494

Enable Azure DiskEncryptionSets at install time


    • RFE: Enable Azure DiskEncryptionSets at Install time
    • Done
    • OCPSTRAT-308 - Azure Security Enhancements
    • Impediment
    • ARO

      Goal:

      As an administrator, I would like to deploy OpenShift 4 on Microsoft Azure with VM disk encryption leveraging a user-managed encryption key.

      Problem:

      Many organizations require the disks on their application nodes to be encrypted with a pre-defined, user-managed key. Today, OpenShift only supports encryption at rest with platform-managed keys through Azure's Server-Side Encryption service; it does not support DiskEncryptionSets with user-managed keys.

      OpenShift should be able to handle three scenarios:

      1. Deploy OpenShift VMs with SSE enabled using platform-managed keys (default)
      2. Adopt an existing, user-managed DiskEncryptionSet + Key Vault associated with a specific RG prior to installing the cluster.

      Why is this important:

      • Many corporate security policies mandate disk encryption on application nodes. Without this support, the adoption of OpenShift 4 on Azure is blocked for many organizations.

      Lifecycle Information:

      • Core

      Previous Work:

      Dependencies:

      • Machine API (for providing DiskEncryptionSet to newly created nodes)
      • Control Plane Node recovery process (so new control plane nodes use the DiskEncryptionSet)

      Prioritized epics + deliverables (in scope / not in scope):

      • Add Azure install-config option to provide a user-managed DiskEncryptionSet + Key Vault & Key that will be used for VM creation
      • Provision and assign RHCOS nodes to the user-managed DiskEncryptionSet
      • Document how to configure DiskEncryptionSet + Key Vault & Key on Azure at install time
      • Integrate into CI framework for ensuring root volumes are being encrypted with user-managed encryption key at install time
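
      A check for the CI deliverable above (confirming that root volumes are encrypted with the user-managed key), added here as an example and not code from this ticket or the installer: it reads the JSON that `az disk list` returns and flags every disk that is not encrypted with the expected DiskEncryptionSet. The DES resource IDs and disk names are constructed placeholders.

```python
import json

# CI-style gate: every node OS disk must be encrypted with the expected
# DiskEncryptionSet. Input has the shape of `az disk list -g <rg> -o json`;
# a constructed sample stands in for a real call so this runs offline.

# Hypothetical DES resource ID that the install-config is expected to reference.
EXPECTED_DES_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/example-des-rg"
    "/providers/Microsoft.Compute/diskEncryptionSets/example-des"
)
# A second hypothetical DES, to simulate a disk pointed at the wrong set.
OTHER_DES_ID = EXPECTED_DES_ID.replace("example-des", "other-des")

# Constructed sample of `az disk list` output, trimmed to the fields used.
SAMPLE_DISK_LIST = json.dumps([
    {"name": "ocp-abc12-master-0_OSDisk",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": EXPECTED_DES_ID.upper()}},
    {"name": "ocp-abc12-worker-eastus1-xyz_OSDisk",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "ocp-abc12-worker-eastus2-xyz_OSDisk",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": OTHER_DES_ID}},
])


def disks_not_using_des(disk_list_json, expected_des_id):
    """Return {disk name: reason} for each disk not encrypted with expected_des_id.

    Platform-managed keys (Azure's default) and a different DES both fail.
    Azure resource IDs are case-insensitive, so IDs are compared case-folded.
    """
    problems = {}
    for disk in json.loads(disk_list_json):
        enc = disk.get("encryption") or {}
        des_id = enc.get("diskEncryptionSetId") or ""
        if not des_id or enc.get("type") == "EncryptionAtRestWithPlatformKey":
            problems[disk["name"]] = "platform-managed key, no DiskEncryptionSet"
        elif des_id.lower() != expected_des_id.lower():
            problems[disk["name"]] = f"unexpected DiskEncryptionSet {des_id}"
    return problems


if __name__ == "__main__":
    bad = disks_not_using_des(SAMPLE_DISK_LIST, EXPECTED_DES_ID)
    for name, reason in bad.items():
        print(f"FAIL {name}: {reason}")
    raise SystemExit(1 if bad else 0)
```

In a real pipeline, pipe `az disk list -g <cluster-resource-group> -o json` into `disks_not_using_des` and fail the job on a non-empty result.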

      Estimate (XS, S, M, L, XL, XXL): L

       

      Customers:

       

      Open questions:

       

            John Hixson
            Marcos Entenza Garcia
            Mike Gahagan
            Votes: 6
            Watchers: 27
