    • LVMS now supports encryption at rest by using encrypted devices.

      Feature Overview (aka. Goal Summary)  

      Support data encryption at rest with LVM Storage by leveraging LVM mechanisms. 

      Goals (aka. expected user outcomes)

      Provide a way to encrypt data being stored on PVs provided by LVM Storage so that the customer data is protected against theft of the device. 

      Requirements (aka. Acceptance Criteria):

      • Provide a basic encryption-at-rest capability using LVM / LUKS.
      • Store the encryption key in a k8s secret.
      • Unattended unlocking
      • Encryption at storage/node layer (i.e. the VG) is good enough. Encryption at the PV / PVC layer might also be an option.
      • AI integration (e.g. provide a checkbox "Encrypt storage", as it does for the OS disk).

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

      As an administrator, I want to use encryption at rest on my SNO clusters, so that I can sleep well if a disk is stolen from an edge device. 

      Questions to Answer (Optional):

      1. What can we reuse (patterns, mechanisms) from existing solutions (e.g. OCP full disk encryption of the OS disk, or ODF encryption)?
        A: We can reuse the mechanism used in Ceph, i.e. provide encryption at rest using LUKS with an encryption passphrase stored in a k8s secret.
      2. Where do we store the encryption keys?
        A: In a k8s secret. We can extend it to any KMS system by implementing an interface in a later release.

      Out of Scope

      • key recovery procedures
      • key rotation / replacement procedures 

      Background

      Every storage solution should provide encryption capabilities.

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

      Should be simple to configure and use.

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

       

      Interoperability Considerations

      Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

              dfroehli42rh Daniel Fröhlich
              dfroehli42rh Daniel Fröhlich
              None
              Gregory Giguashvili
              Chad Scribner Chad Scribner
              Suleyman Akbas Suleyman Akbas
              Mike Fiedler Mike Fiedler
              Avital Pinnick Avital Pinnick
              Eric Rich Eric Rich
              Suleyman Akbas Suleyman Akbas