-
Notifications
You must be signed in to change notification settings - Fork 68
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs(image and volume): add how to encrypr/decrypt image and volume
Signed-off-by: Jack Yu <jack.yu@suse.com>
- Loading branch information
Showing
15 changed files
with
261 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| { | ||
| "position": 10, | ||
| "label": "Image Management", | ||
| "collapsible": true, | ||
| "collapsed": true | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| --- | ||
| id: image-security | ||
| sidebar_position: 2 | ||
| sidebar_label: Image Security | ||
| title: "Image Security" | ||
| keywords: | ||
| - Harvester | ||
| - harvester | ||
| - Rancher | ||
| - rancher | ||
| - Image Security | ||
| --- | ||
|
|
||
| _Available as of v1.4.0_ | ||
|
|
||
| Starting with v1.4.0 Harvester allows you to encrypt and decrypt virtual machine image. The encryption mechanism utilizes the Linux kernel module dm_crypt and the command-line utility cryptsetup. | ||
|
|
||
| ## Prerequisite | ||
|
|
||
| Before encrypting or decrypting the virtual machine image, we need to prepare following resources: | ||
|
|
||
| - source virtual machine image | ||
| - secret | ||
| - storage class | ||
|
|
||
| ### Source Virtual Machine Image | ||
|
|
||
| Please follow [Upload Images](./upload-image) to create an image. | ||
|
|
||
| :::info important | ||
| Harvester doesn't support uploading an encrypted image | ||
| ::: | ||
|
|
||
| ### Secret | ||
|
|
||
| We use this secret as passphrase of dm_crypt. You need to customize the value of `CRYPTO_KEY_VALUE` field. Other fields are fixed. | ||
|
|
||
|  | ||
|
|
||
| Example Secret: | ||
|
|
||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: encryption | ||
| namespace: default | ||
| data: | ||
| CRYPTO_KEY_CIPHER: aes-xts-plain64 | ||
| CRYPTO_KEY_HASH: sha256 | ||
| CRYPTO_KEY_PROVIDER: secret | ||
| CRYPTO_KEY_SIZE: 256 | ||
| CRYPTO_KEY_VALUE: "Your encryption passphrase" | ||
| CRYPTO_PBKDF: argon2i | ||
| ``` | ||
| :::info important | ||
| If you'd like to create secret in the system namespace, you can use Edit as YAML or kubectl to create the secret. On the Harvester Secrets page, Harvester does not display resources in the system namespace. | ||
| ::: | ||
| ### Storage Class | ||
| Since Harvesters uses Longhorn to encrypt image, we need to pass required fields to Longhorn CSI driver. You can select encryption used secret when creating storage class. If you're interested in this, please check [here](./upload-image#image-storageclass) for more details. | ||
|  | ||
| Example Storage Class: | ||
| ```yaml | ||
| allowVolumeExpansion: true | ||
| apiVersion: storage.k8s.io/v1 | ||
| kind: StorageClass | ||
| metadata: | ||
| name: encryption | ||
| parameters: | ||
| csi.storage.k8s.io/node-publish-secret-name: encryption | ||
| csi.storage.k8s.io/node-publish-secret-namespace: default | ||
| csi.storage.k8s.io/node-stage-secret-name: encryption | ||
| csi.storage.k8s.io/node-stage-secret-namespace: default | ||
| csi.storage.k8s.io/provisioner-secret-name: encryption | ||
| csi.storage.k8s.io/provisioner-secret-namespace: default | ||
| encrypted: "true" | ||
| migratable: "true" | ||
| numberOfReplicas: "3" | ||
| staleReplicaTimeout: "2880" | ||
| provisioner: driver.longhorn.io | ||
| reclaimPolicy: Delete | ||
| volumeBindingMode: Immediate | ||
| ``` | ||
| :::info important | ||
| If you'd like to select secret in the system namespace. You can use Edit as YAML or kubectl to create the secret. On the Harvester Secrets page, Harvester does not display resources in the system namespace. | ||
| ::: | ||
| ## Encrypt Image | ||
| After getting a source image, please select `Ecnrypt` to encrypt virtual machine image. | ||
|
|
||
|  | ||
|
|
||
| Select a previously created storage class. This storage class must include encryption-related fields. Harvester will pass this storage class to Longhorn. | ||
|
|
||
|  | ||
|
|
||
| ## Decrypt Image | ||
|
|
||
| After getting a encrypted image, please select `Decrypt` to decrypt an encrypted virtual machine image. | ||
|
|
||
|  | ||
|
|
||
| Select the default or a commonly used storage class. Harvester will use the storage class from the source virtual machine image that you want to decrypt. | ||
|
|
||
|  | ||
|
|
||
| ## Use Image | ||
|
|
||
| Select the image when creating virtual machine image. | ||
|
|
||
|  | ||
|
|
||
| There are three cases in which the dashboard shows different messages on the virtual machine image page. | ||
|
|
||
| 1. Encrypted Image | ||
|  | ||
| 2. Encrypted Data Volume | ||
|  | ||
| 3. Encrypted Image and Data Volume | ||
|  | ||
|
|
||
|
|
||
| ## Advanced Usage with Rancher Integration | ||
|
|
||
| ### Prevent other users from reading the secret | ||
|
|
||
| Since the secret is a base64 encoded string, it's not really encrypted. So, admin might want keep this secret safe. With Rancher Integration, we can use project and namespace to isolate permission. Please check [Multi-Tenancy](../rancher/virtualization-management#multi-tenancy) for more detail. | ||
|
|
||
| ## Limitations | ||
|
|
||
| - Don't support that export to image from encrypted image. | ||
| - Don't support that download encrypted image and upload it to reuse. | ||
| - Don't support that upload an encrypted image. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| --- | ||
| sidebar_position: 6 | ||
| sidebar_label: Volume Security | ||
| title: "Volume Security" | ||
| keywords: | ||
| - Volume Security | ||
| - Image Security | ||
| --- | ||
|
|
||
| _Available as of v1.4.0_ | ||
|
|
||
| Starting with v1.4.0 Harvester allows you to encrypt and decrypt volume. The encryption mechanism utilizes the Linux kernel module dm_crypt and the command-line utility cryptsetup. | ||
|
|
||
| ## Prerequisite | ||
|
|
||
| Before encrypting volumes, we need to prepare following resources: | ||
|
|
||
| - secret | ||
| - storage class | ||
|
|
||
| ### Secret | ||
|
|
||
| We use this secret as passphrase of dm_crypt. You need to customize the value of `CRYPTO_KEY_VALUE` field. Other fields are fixed. | ||
|
|
||
|  | ||
|
|
||
| Example Secret: | ||
|
|
||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: encryption | ||
| namespace: default | ||
| data: | ||
| CRYPTO_KEY_CIPHER: aes-xts-plain64 | ||
| CRYPTO_KEY_HASH: sha256 | ||
| CRYPTO_KEY_PROVIDER: secret | ||
| CRYPTO_KEY_SIZE: 256 | ||
| CRYPTO_KEY_VALUE: "Your encryption passphrase" | ||
| CRYPTO_PBKDF: argon2i | ||
| ``` | ||
| :::info important | ||
| If you'd like to create secret in the system namespace, you can use Edit as YAML or kubectl to create the secret. On the Harvester Secrets page, Harvester does not display resources in the system namespace. | ||
| ::: | ||
| ### Storage Class | ||
| Since Harvesters uses Longhorn to encrypt volume, we need to pass required fields to Longhorn CSI driver. | ||
|  | ||
| Example Storage Class: | ||
| ```yaml | ||
| allowVolumeExpansion: true | ||
| apiVersion: storage.k8s.io/v1 | ||
| kind: StorageClass | ||
| metadata: | ||
| name: encryption | ||
| parameters: | ||
| csi.storage.k8s.io/node-publish-secret-name: encryption | ||
| csi.storage.k8s.io/node-publish-secret-namespace: default | ||
| csi.storage.k8s.io/node-stage-secret-name: encryption | ||
| csi.storage.k8s.io/node-stage-secret-namespace: default | ||
| csi.storage.k8s.io/provisioner-secret-name: encryption | ||
| csi.storage.k8s.io/provisioner-secret-namespace: default | ||
| encrypted: "true" | ||
| migratable: "true" | ||
| numberOfReplicas: "3" | ||
| staleReplicaTimeout: "2880" | ||
| provisioner: driver.longhorn.io | ||
| reclaimPolicy: Delete | ||
| volumeBindingMode: Immediate | ||
| ``` | ||
| :::info important | ||
| If you'd like to select secret in the system namespace. You can use Edit as YAML or kubectl to create the secret. On the Harvester Secrets page, Harvester does not display resources in the system namespace. | ||
| ::: | ||
| ## Encrypt Volume | ||
| There are two ways to create an encrypted volume. In either case, be sure to select an encrypted storage class. | ||
| ### In Volumes Tabs | ||
|  | ||
| ### In Images Tab | ||
| When creating a virtual machine image, you can add a volume by clicking the `Add Volume button` in the Volumes tab on the virtual machine image page. | ||
|
|
||
|  | ||
|
|
||
| ## Advanced Usage with Rancher Integration | ||
|
|
||
| ### Prevent other users from reading the secret | ||
|
|
||
| Since the secret is a base64 encoded string, it's not really encrypted. So, admin might want keep this secret safe. With Rancher Integration, we can use project and namespace to isolate permission. Please check [Multi-Tenancy](../rancher/virtualization-management#multi-tenancy) for more detail. | ||
|
|
||
| ## Limitations | ||
|
|
||
| - Don't support that export to image from encrypted volumes. | ||
| - Don't support that data volume restoring from encrypted to unencrypted or unencrypted to encrypted one. |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.