From e4431edaf9da4cce0f001fd4e440541787523641 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Wed, 17 Feb 2021 16:55:06 +0100
Subject: [PATCH] rbd: implement the DEKStore interface

To accommodate storing DEKs outside a KMS, the DEK can be stored in the metadata of the volume.

Signed-off-by: Niels de Vos
---
 internal/rbd/encryption.go | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 0767b8884..9f2b4dbfe 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -54,6 +54,10 @@ const (
 
 	// image metadata key for encryption
 	encryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
+
+	// metadataDEK is the key in the image metadata where the (encrypted)
+	// DEK is stored.
+	metadataDEK = ".rbd.csi.ceph.com/dek"
 )
 
 // checkRbdImageEncrypted verifies if rbd image was encrypted when created.
@@ -206,3 +210,31 @@ func (rv *rbdVolume) setKMS(kmsID string, credentials map[string]string) error {
 
 	return nil
 }
+
+// StoreDEK saves the DEK in the metadata, overwrites any existing contents.
+func (rv *rbdVolume) StoreDEK(volumeID, dek string) error {
+	if rv.VolID != volumeID {
+		return fmt.Errorf("volume %q can not store DEK for %q", rv.String(), volumeID)
+	}
+
+	return rv.SetMetadata(metadataDEK, dek)
+}
+
+// FetchDEK reads the DEK from the image metadata.
+func (rv *rbdVolume) FetchDEK(volumeID string) (string, error) {
+	if rv.VolID != volumeID {
+		return "", fmt.Errorf("volume %q can not fetch DEK for %q", rv.String(), volumeID)
+	}
+
+	return rv.GetMetadata(metadataDEK)
+}
+
+// RemoveDEK does not need to remove the DEK from the metadata, the image is
+// most likely getting removed.
+func (rv *rbdVolume) RemoveDEK(volumeID string) error {
+	if rv.VolID != volumeID {
+		return fmt.Errorf("volume %q can not remove DEK for %q", rv.String(), volumeID)
+	}
+
+	return nil
+}
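Review bot: StoreDEK and FetchDEK write and read image metadata, which is plain key/value storage readable by anyone with access to the RBD image, yet nothing in the new code or its doc comments states that the `dek` argument must already be wrapped by the KMS; only the constant's comment in the first hunk hints at "(encrypted)". The contract belongs on the method that callers see, e.g. `// StoreDEK saves the DEK in the image metadata, overwriting any existing contents. The DEK must already be encrypted (KMS-wrapped); image metadata is not a secret store.`, with a matching sentence on FetchDEK saying the returned value is still wrapped. RemoveDEK is a no-op on the assumption that the image is about to be deleted, so if it is ever called on a re-key or KMS-migration path the old wrapped DEK stays in the metadata; the comment should state that assumption explicitly, and if rbdVolume has a metadata-removal helper (not visible in this patch) using it here would make the method match its name. All three methods are complete within the hunk.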