rbd: implement the DEKStore interface

To accommodate storing DEKs outside a KMS, the DEK can be stored in the metadata of the volume. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2024-12-18 02:50:30 +00:00 · 2021-02-17 16:55:06 +01:00 · 2021-02-17 16:55:06 +01:00 · e4431edaf9
commit e4431edaf9
parent 9ac7f56400
1 changed files with 32 additions and 0 deletions
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@ -54,6 +54,10 @@ const (

 	// image metadata key for encryption
 	encryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
+
+	// metadataDEK is the key in the image metadata where the (encrypted)
+	// DEK is stored.
+	metadataDEK = ".rbd.csi.ceph.com/dek"
 )

 // checkRbdImageEncrypted verifies if rbd image was encrypted when created.
@ -206,3 +210,31 @@ func (rv *rbdVolume) setKMS(kmsID string, credentials map[string]string) error {

 	return nil
 }
+
+// StoreDEK saves the DEK in the metadata, overwrites any existing contents.
+func (rv *rbdVolume) StoreDEK(volumeID, dek string) error {
+	if rv.VolID != volumeID {
+		return fmt.Errorf("volume %q can not store DEK for %q", rv.String(), volumeID)
+	}
+
+	return rv.SetMetadata(metadataDEK, dek)
+}
+
+// FetchDEK reads the DEK from the image metadata.
+func (rv *rbdVolume) FetchDEK(volumeID string) (string, error) {
+	if rv.VolID != volumeID {
+		return "", fmt.Errorf("volume %q can not fetch DEK for %q", rv.String(), volumeID)
+	}
+
+	return rv.GetMetadata(metadataDEK)
+}
+
+// RemoveDEK does not need to remove the DEK from the metadata, the image is
+// most likely getting removed.
+func (rv *rbdVolume) RemoveDEK(volumeID string) error {
+	if rv.VolID != volumeID {
+		return fmt.Errorf("volume %q can not remove DEK for %q", rv.String(), volumeID)
+	}
+
+	return nil
+}