ceph-csi/docs/design/proposals/encryption-with-azure-keyvault.md
Praveen M b2087e4517 doc: added docs for Azure KMS
Signed-off-by: Praveen M <m.praveen@ibm.com>
2024-03-13 14:46:41 +00:00


Encrypted volumes with Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

Connection to Azure Key Vault

The following values are used to establish the connection from the CSI driver to the Key Vault service and to perform the GetSecret/SetSecret/DeleteSecret operations on secrets:

* AZURE_VAULT_URL
The URL used to access the Azure Key Vault service.

* AZURE_CLIENT_ID
The Client ID of the Azure application object (also known as the service principal).
This ID serves as the username.

* AZURE_TENANT_ID
The Tenant ID associated with the service principal.

* CLIENT_CERT
The client certificate (which includes the private key and is not password protected)
used for authentication with Azure Key Vault.

Values provided in the connection secret

Because AZURE_CLIENT_CERTIFICATE is sensitive information, it is provided to the Ceph-CSI driver as a Kubernetes Secret. The Ceph-CSI KMS plugin for Azure Key Vault reads the name of that Secret from the KMS ConfigMap and fetches the certificate from it.

Values provided in the config map

AZURE_VAULT_URL, AZURE_CLIENT_ID and AZURE_TENANT_ID are part of the KMS ConfigMap.

Storage class values or configuration

The StorageClass has to have encryption enabled, and encryptionKMSID has to be set to the key of the matching entry in the KMS ConfigMap.
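The three pieces of configuration described above, shown together as an added example (not manifests from the ceph-csi repository). The ConfigMap and Secret names, the KMS_PROVIDER value, the AZURE_CERT_SECRET_NAME key and the "encrypted" StorageClass parameter are assumptions modelled on ceph-csi's KMS configuration style and must be checked against the ceph-csi release in use; values in angle brackets are placeholders.

```yaml
# Non-sensitive connection values live in the KMS ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ceph-csi-encryption-kms-config   # assumed name
  namespace: ceph-csi
data:
  config.json: |-
    {
      "azure-kv-example": {
        "KMS_PROVIDER": "azure-kv",
        "AZURE_VAULT_URL": "https://<vault-name>.vault.azure.net/",
        "AZURE_CLIENT_ID": "<client-id-placeholder>",
        "AZURE_TENANT_ID": "<tenant-id-placeholder>",
        "AZURE_CERT_SECRET_NAME": "ceph-csi-azure-credentials"
      }
    }
---
# The client certificate contains the private key, so it goes only into
# a Secret; the ConfigMap above names this Secret, it never holds the cert.
apiVersion: v1
kind: Secret
metadata:
  name: ceph-csi-azure-credentials       # must match AZURE_CERT_SECRET_NAME
  namespace: ceph-csi
type: Opaque
stringData:
  CLIENT_CERT: |-
    <placeholder: PEM certificate followed by its unencrypted private key>
---
# The StorageClass turns encryption on and points at the ConfigMap entry.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-rbd-sc-encrypted
provisioner: rbd.csi.ceph.com
parameters:
  clusterID: <cluster-id-placeholder>
  pool: <pool-placeholder>
  encrypted: "true"
  encryptionKMSID: azure-kv-example      # key of the entry in config.json
  # The usual RBD provisioner/node-stage secret references are not shown.
```

Keep RBAC on the ceph-csi namespace tight: anything that can read the Secret holds the credential that can fetch every volume passphrase from the vault.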

Volume Encrypt or Decrypt Operation

Ceph-CSI generates a unique passphrase for each volume, which is used to encrypt and decrypt that volume. The passphrase is stored securely in Azure Key Vault using the SetSecret operation. At decrypt time the passphrase is retrieved from the key vault using the GetSecret operation.

Volume Delete Operation

When the corresponding volume is deleted, the passphrase stored for it in Azure Key Vault is deleted as well.

Note: Ceph-CSI only deletes the secret; it does not purge it (permanent removal). On a vault with soft-delete enabled, the deleted secret therefore remains recoverable until it is purged or its retention period expires.