    • While this one might not need TE (it's hard to say), I am marking it for now, as we still have work to do with KMS that customers may have questions about.

      Feature Overview (aka. Goal Summary)  

      Support data encryption at rest with LVM Storage by leveraging LVM mechanisms. 

      Goals (aka. expected user outcomes)

      Provide a way to encrypt data being stored on PVs provided by LVM Storage so that the customer data is protected against theft of the device. 

      Requirements (aka. Acceptance Criteria):

      • Provide a basic encryption-at-rest capability using LVM / LUKS.
      • Store the encryption key in a k8s secret.
      • Unattended unlocking
      • Encryption at storage/node layer (i.e. the VG) is good enough. Encryption at the PV / PVC layer might also be an option.
      • AI integration (e.g. provide a checkbox "Encrypt storage", as it provides for the OS disk).

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

      As an administrator, I want to use encryption at rest on my SNO clusters, so that I can sleep well if a disk is stolen from an edge device. 

      Questions to Answer (Optional):

      1. What can we reuse (patterns, mechanisms) from existing solutions (e.g. OCP full disk encryption of the OS disk, or ODF encryption)?
        A: We can re-use the mechanism used in Ceph, i.e. provide encryption at rest using LUKS with an encryption passphrase stored in a k8s secret.
      2. Where do we store the encryption keys?
        A: In a k8s secret. We can extend it to any KMS system by implementing an interface at a later release.

      Out of Scope

      • key recovery procedures
      • key rotation / replacement procedures 

      Background

      Every storage solution should provide encryption capabilities.

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

      Should be simple to configure and use.

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

       

      Interoperability Considerations

      Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

            dfroehli42rh Daniel Fröhlich
            dfroehli42rh Daniel Fröhlich
            Gregory Giguashvili
            Suleyman Akbas Suleyman Akbas
            Mike Fiedler Mike Fiedler
            Avital Pinnick Avital Pinnick
            Chad Scribner Chad Scribner
            Suleyman Akbas Suleyman Akbas
            Daniel Fröhlich Daniel Fröhlich
            Eric Rich Eric Rich