mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-22 22:30:23 +00:00
doc: add implementation details
Update the encrypted PVC implementation doc with references to the new EncryptedKMS, DEKStore and VolumeEncryption types.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
c5f00a9e3d
commit
22ee7c0de5
@ -127,3 +127,20 @@ data:
|
|||||||
metadata:
|
metadata:
|
||||||
name: ceph-csi-encryption-kms-config
|
name: ceph-csi-encryption-kms-config
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Implementation Details
|
||||||
|
|
||||||
|
The main components that are used to support encrypted volumes:
|
||||||
|
|
||||||
|
1. the `EncryptionKMS` interface
|
||||||
|
* an instance is configured per volume object (`rbdVolume.KMS`)
|
||||||
|
* used to authenticate with a master key or token
|
||||||
|
* can store the KEK (Key-Encryption-Key) for encrypting and decrypting the
|
||||||
|
DEKs (Data-Encryption-Key)
|
||||||
|
1. the `DEKStore` interface
|
||||||
|
* saves and fetches the DEK (Data-Encryption-Key)
|
||||||
|
* can be provided by a KMS, or by other components (like `rbdVolume`)
|
||||||
|
1. the `VolumeEncryption` type
|
||||||
|
* combines `EncryptionKMS` and `DEKStore` into a single place
|
||||||
|
* easy to configure from other components or subsystems
|
||||||
|
* provides a simple API for all KMS operations
|
||||||
|
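Review bot: the `DEKStore` bullet "can be provided by a KMS, or by other components (like `rbdVolume`)" leaves the security-relevant case undocumented: when the store is not the KMS, the DEK lives next to the volume, so the text should state that such a store only ever saves and fetches the DEK in KEK-wrapped form and never a plaintext DEK. The preceding `EncryptionKMS` bullet already describes the KEK as "for encrypting and decrypting the DEKs", so a sentence under `DEKStore` such as "a DEKStore outside the KMS holds only DEKs encrypted with the KEK from `EncryptionKMS`" would tie the two together and make the trust boundary explicit. Two smaller points: "an instance is configured per volume object (`rbdVolume.KMS`)" should say where that instance's configuration comes from (the `ceph-csi-encryption-kms-config` ConfigMap shown in the context lines above is the obvious reference), and the interface is named `EncryptionKMS` here while the commit message calls it `EncryptedKMS`; one of the two should be corrected so readers grepping the code find the type.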