A guest post by
Anuraj PD

The Dell CSM Encryption module provides the capability to encrypt user data on the volumes provisioned by CSI drivers. The volume data is encrypted on the Kubernetes worker host running the application workload, transparently for the application. Under the hood, gocryptfs, an open-source FUSE-based encryptor, is used to encrypt both file contents and the names of files and directories. Currently, the encryption module is in tech preview and supports only the PowerScale array. In this demo we are using an OpenShift cluster integrated with PowerScale through the CSI driver to provision the encrypted volumes. CSM Encryption is enabled during the installation of the CSI driver. The CSM Encryption module requires an external HashiCorp Vault server for keeping the keys; in this demo, we are also running the Vault server on the same cluster.

With the CSM Encryption module enabled we get one additional provisioner, alongside the normal provisioner, for creating encrypted volumes. The name of the provisioner for encrypted volumes is configurable and the default name is sec-isilon.dellemc.com. We can create storage classes that use either provisioner to create encrypted or unencrypted volumes as required. So it is possible to mix encrypted and unencrypted volumes in the same cluster, depending on the storage class used to create the PVC.

We will create two storage classes: one will use the provisioner for unencrypted volumes and the other will use the provisioner for encrypted volumes. Both storage classes will use the same base path, so the encrypted CSI volume and the unencrypted CSI volume will be created inside the same path on the array. Depending on the storage class referenced in the PVC, we can then provision either encrypted or unencrypted volumes from PowerScale.

We create two PVCs, one with the storage class for encrypted volumes and another with the storage class for unencrypted volumes, and mount these PVCs in two different pods.

We will use a simple busybox pod to write some data to both these volumes. Below is the snippet of the pod spec that writes some data to the PV provisioned from PowerScale.
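The following manifests are an added example of the setup described above (storage classes, PVCs and busybox writer pods); they are not from the original post or from Dell's documentation. They assume that the unencrypted PowerScale provisioner is csi-isilon.dellemc.com, that the encrypted provisioner keeps its default name sec-isilon.dellemc.com, that /ifs/data/csi is the shared base path (the IsiPath parameter), and that everything lives in the default namespace; adjust these to your environment.

```yaml
# Added example, not from the original post. Assumed values: provisioner names,
# IsiPath base path, namespace and storage sizes.
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: isilon-plain
provisioner: csi-isilon.dellemc.com        # normal (unencrypted) PowerScale provisioner
reclaimPolicy: Delete
parameters:
  IsiPath: /ifs/data/csi                   # same base path for both classes
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: isilon-encrypted
provisioner: sec-isilon.dellemc.com        # CSM Encryption provisioner (default name)
reclaimPolicy: Delete
parameters:
  IsiPath: /ifs/data/csi                   # volumes land next to the unencrypted ones
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-plain
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: isilon-plain
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-encrypted
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: isilon-encrypted
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: writer-plain
spec:
  containers:
    - name: writer
      image: busybox
      command: ["/bin/sh", "-c"]
      args:
        - |
          # append a timestamped marker line every 10 seconds
          while true; do
            echo "$(date) written by writer-plain" >> /data/demo.txt
            sleep 10
          done
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: pvc-plain
---
apiVersion: v1
kind: Pod
metadata:
  name: writer-encrypted
spec:
  containers:
    - name: writer
      image: busybox
      command: ["/bin/sh", "-c"]
      args:
        - |
          # identical write loop; the application never sees the encryption
          while true; do
            echo "$(date) written by writer-encrypted" >> /data/demo.txt
            sleep 10
          done
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: pvc-encrypted
```

Apply the file with `oc apply -f demo.yaml` (or `kubectl apply`). Both pods run the same write loop against /data, which is the point of the demo: the workload is unchanged, and only the storage class decides whether the bytes reaching PowerScale are plaintext or gocryptfs ciphertext. When the shared base path is later exported and mounted on a management machine, the plain volume's directory shows demo.txt and its lines, while the encrypted volume's directory exposes neither the file name nor the content in readable form.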

Now both pods are running and writing data to their PVs provisioned from PowerScale; one volume is encrypted and the other is not. We can export the base path of the PVs from PowerScale and mount it on our management machine. Then we are able to list the contents of the PVs used by these pods.

Now we can go inside the unencrypted volume and read the content of the file. But in the encrypted volume we are not able to see the file written by the pod, because gocryptfs encrypts both the file name and the file content before it reaches the array.

You can see a demo of how it all works below.
