How to encrypt disk volumes - Container Service for Kubernetes

After you enable the disk encryption feature, the system automatically encrypts data transmitted to a disk and decrypts the data when it is read. Disk encryption is suitable for scenarios that require high security or have compliance requirements. You can protect the privacy and autonomy of your data without the need to create and maintain a key management infrastructure. This topic describes how to use the keys that are hosted in Key Management Service (KMS) to encrypt data stored in disk volumes.

Prerequisites

A Container Service for Kubernetes (ACK) cluster is created and the CSI plug-in is deployed in the cluster. For more information, see Create an ACK managed cluster.
Key Management Service (KMS) is activated. For more information, see Purchase a dedicated KMS instance.
A kubectl client is connected to the ACK cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
If you want to use keys created by using the Bring Your Own Key (BYOK) feature, you must first authorize your ECS instance to access KMS. For more information, see Step 1 (optional): Authorize your ECS instance to access KMS.

Overview

ECS uses the industry-standard AES-256 algorithm to encrypt disks with keys. Encryption keys can be the service keys provided by KMS or your own keys created by using the BYOK feature. Encryption and decryption have minimal impacts on ECS instance performance. The following types of data are encrypted when you create an encrypted disk and attach it to an ECS instance. The data is decrypted when it is read. For more information, see Encrypt a data disk.

Static data stored on the encrypted disk.
Data transmitted between the encrypted disk and the instance, excluding data in the operating system.
Data transmitted from the ECS instance to a backend storage cluster.
All snapshots created from the encrypted disk. These snapshots have the same encryption key as the disk.
All disks created from the encrypted snapshots.

Limits

You can encrypt the following categories of disks: enhanced SSDs, standard SSDs, ultra disks, and basic disks.
You cannot encrypt data in local disks.
You cannot directly convert unencrypted disks into encrypted disks.
You cannot directly convert encrypted disks into unencrypted disks.

Step 1 (optional): Authorize your ECS instance to access KMS

If you want to use keys that are created by using the BYOK feature, you must first authorize your ECS instance to access KMS. To do this, create a Resource Access Management (RAM) role and grant the required permissions to the role. To grant the required permission to a RAM user, perform the following operations:

Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
In the Create Role panel, select Alibaba Cloud Service for the Select Trusted Entity parameter and click Next.
Select Normal Service Role for the Role Type parameter.
Enter AliyunECSDiskEncryptDefaultRole in the RAM Role Name field and select Elastic Compute Service as the trusted service.
Click OK and then click Close.
In the left-side navigation pane of the ACK console, choose Grants. Then, click Grant Permission.
On the Grant Permission page, select Alibaba Cloud Account as the authorization scope. Enter AliyunECSDiskEncryptDefaultRole in the Principal field and click the role after it appears.
Select the system policy AliyunKMSFullAccess or create a custom policy named AliyunECSDiskEncryptCustomizedPolicy.
The AliyunKMSFullAccess policy provides full permissions. If you require finer-grained access control, perform the following steps to create a custom policy named AliyunECSDiskEncryptCustomizedPolicy:
1. On the Grant Permission page, click Create Policy to go to the Create Policy page.
2. On the Create Policy page, click the JSON tab and enter the following policy content in the code editor.
```
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:Decrypt",
                "kms:TagResource"
            ],
            "Resource": "*"
        }
    ]
}
```
3. Click Next to edit policy information, enter AliyunECSDiskEncryptCustomizedPolicy in the Name field, and then click OK.
Click OK. Then, click Complete.

Step 2: Configure disk volume encryption

You can enable disk encryption only when you create a disk. When you mount or unmount a disk, no encryption-related operations are involved.

Create a StorageClass.
1. Create a file named sc-kms.yaml and copy the following code to the file:
```
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-disk-encrypted
provisioner: diskplugin.csi.alibabacloud.com
parameters:
    fsType: ext4
    type: cloud_ssd
    encrypted: "true"
    kmsKeyId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
reclaimPolicy: Delete
```
  Note
  encrypted: specifies whether to create an encrypted disk. A value of true specifies that the StorageClass is used to create an encrypted disk.
  kmsKeyId: specifies the KMS key that is used to encrypt the disk. If you do not set this parameter, the default customer master key (CMK) is used. If the encrypted parameter is set to false, this parameter does not take effect.
2. Run the following command to create a StorageClass:
```
kubectl create -f sc-kms.yaml
```
3. Run the following command to query the StorageClass:
```
kubectl get sc csi-disk-encrypted
```
  Expected output:
```
NAME                 PROVISIONER                       AGE
csi-disk-encrypted   diskplugin.csi.alibabacloud.com   9m5s
```

Create a persistent volume claim (PVC).

Create a file named sc-pvc.yaml and add the following content to the file:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: csi-disk-encrypted

Run the following command to create a PVC:
```
kubectl create -f sc-pvc.yaml
```

Run the following command to query the PVC:

kubectl get pvc

Expected output:

NAME             STATUS   VOLUME                        CAPACITY   ACCESS MODES   STORAGECLASS             AGE
disk-pvc         Bound    d-wz92s6d95go6ki9x****        25Gi       RWO            csi-disk-encrypted       10m

Run the following command to query the persistent volume (PV) that is bound to the PVC:

kubectl get pv

Expected output:

NAME                     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                STORAGECLASS        REASON        AGE
d-wz92s6d95go6ki9x****   25Gi       RWO            Retain           Bound    default/disk-pvc     csi-disk-encrypted                10m

The preceding output shows that a disk is created and the disk ID is d-wz92s6d95go6ki9x****.

Check whether the disk is encrypted.
1. Log on to the ECS console.
2. In the left-side navigation pane, choose Storage & Snapshots > Disks.
3. On the Disks page, verify that the d-wz92s6d95go6ki9x**** disk is in the Encrypted state.