mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-01-24 13:49:29 +00:00
doc: add implementation details
Update the encrypted PVC implementation doc with references to the new EncryptedKMS, DEKStore and VolumeEncryption types. Signed-off-by: Niels de Vos <ndevos@redhat.com>
parent
c5f00a9e3d
commit
22ee7c0de5
@ -127,3 +127,20 @@ data:
|
||||
metadata:
|
||||
name: ceph-csi-encryption-kms-config
|
||||
```
|
||||
|
||||
### Implementation Details
|
||||
|
||||
The main components that are used to support encrypted volumes:
|
||||
|
||||
1. the `EncryptionKMS` interface
|
||||
* an instance is configured per volume object (`rbdVolume.KMS`)
|
||||
* used to authenticate with a master key or token
|
||||
* can store the KEK (Key-Encryption-Key) for encrypting and decrypting the
|
||||
DEKs (Data-Encryption-Key)
|
||||
1. the `DEKStore` interface
|
||||
* saves and fetches the DEK (Data-Encryption-Key)
|
||||
* can be provided by a KMS, or by other components (like `rbdVolume`)
|
||||
1. the `VolumeEncryption` type
|
||||
* combines `EncryptionKMS` and `DEKStore` into a single place
|
||||
* easy to configure from other components or subsystems
|
||||
* provides a simple API for all KMS operations
|
||||
|
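Review bot: In the `DEKStore` item, "saves and fetches the DEK" does not say whether the DEK is stored wrapped by the KEK described under `EncryptionKMS` or in plaintext. This matters most for the case the next bullet allows, where the store is provided by `rbdVolume` instead of a KMS, so please state the storage form and where it is kept. The commit message names the type "EncryptedKMS" while the added text uses `EncryptionKMS`; one of the two should be corrected so they agree. Minor: "DEKs (Data-Encryption-Key)" mixes plural and singular, and DEK is expanded a second time in the `DEKStore` item; expanding it once on first use is enough.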