Signed-off-by: Praveen M <m.praveen@ibm.com>
Encrypted volumes with Azure Key Vault
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.
Connection to Azure Key Vault
The values below are used to establish the connection from the CSI driver to the Key Vault service and to perform the GetSecret, SetSecret and DeleteSecret operations on secrets:
* AZURE_VAULT_URL
The URL used to access the Azure Key Vault service.
* AZURE_CLIENT_ID
The Client ID of the Azure application object (also known as the service principal).
This ID serves as the username.
* AZURE_TENANT_ID
The Tenant ID associated with the service principal.
* CLIENT_CERT
The client certificate (which includes the private key and is not password protected)
used for authentication with Azure Key Vault.
Values provided in the connection secret
Since AZURE_CLIENT_CERTIFICATE is sensitive information, it is provided to the Ceph-CSI driver as a Kubernetes Secret. The Ceph-CSI KMS plugin interface for Azure Key Vault reads the Secret name from the KMS ConfigMap and fetches the certificate from that Secret.
Values provided in the config map
AZURE_VAULT_URL, AZURE_CLIENT_ID and AZURE_TENANT_ID are part of the KMS ConfigMap.
Storage class values or configuration
The StorageClass has to be enabled for encryption, and encryptionKMSID has to be provided with the value that matches the corresponding entry in the KMS ConfigMap.
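As an added example (not taken from the Ceph-CSI repository), the three Kubernetes objects described above tied together: the Secret holding the client certificate, the KMS ConfigMap entry, and the StorageClass that points at that entry through encryptionKMSID. The key names KMS_PROVIDER and AZURE_CERT_SECRET_NAME, the object names and the encrypted StorageClass parameter are assumptions; values in angle brackets are placeholders.

```yaml
# Assumed (not from the page): KMS_PROVIDER, AZURE_CERT_SECRET_NAME,
# object names, and the "encrypted" StorageClass parameter.
---
apiVersion: v1
kind: Secret
metadata:
  name: ceph-csi-azure-credentials
  namespace: ceph-csi
type: Opaque
stringData:
  # PEM bundle: unencrypted private key followed by the certificate
  AZURE_CLIENT_CERTIFICATE: |
    -----BEGIN PRIVATE KEY-----
    <placeholder>
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    <placeholder>
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ceph-csi-encryption-kms-config
  namespace: ceph-csi
data:
  config.json: |-
    {
      "azure-kv-prod": {
        "KMS_PROVIDER": "azure-kv",
        "AZURE_VAULT_URL": "https://<vault-name>.vault.azure.net/",
        "AZURE_CLIENT_ID": "<client-id>",
        "AZURE_TENANT_ID": "<tenant-id>",
        "AZURE_CERT_SECRET_NAME": "ceph-csi-azure-credentials"
      }
    }
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rbd-encrypted-azure-kv
provisioner: rbd.csi.ceph.com
parameters:
  clusterID: <cluster-id>
  pool: replicapool
  encrypted: "true"
  encryptionKMSID: azure-kv-prod   # must match the key in config.json
  csi.storage.k8s.io/provisioner-secret-name: csi-rbd-secret
  csi.storage.k8s.io/provisioner-secret-namespace: ceph-csi
  csi.storage.k8s.io/node-stage-secret-name: csi-rbd-secret
  csi.storage.k8s.io/node-stage-secret-namespace: ceph-csi
reclaimPolicy: Delete
```

The service principal only needs permission for the get, set and delete secret operations on this vault, so its access policy can be scoped to exactly those.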
Volume Encrypt or Decrypt Operation
Ceph-CSI generates a unique passphrase for each volume, which is used to encrypt and decrypt it. The passphrase is securely stored in Azure Key Vault using the SetSecret operation. At decrypt time the passphrase is retrieved from the Key Vault using the GetSecret operation.
Volume Delete Operation
When the corresponding volume is deleted, the secret stored in Azure Key Vault is deleted as well.
Note: Ceph-CSI only deletes the secret; it does not permanently remove (purge) it.