docs(image and volume): add how to encrypt/decrypt image and volume
Signed-off-by: Jack Yu <jack.yu@suse.com>
Yu-Jack committed Sep 6, 2024
1 parent 1bf0dce commit 16e1316
Showing 6 changed files with 197 additions and 1 deletion.
6 changes: 6 additions & 0 deletions docs/image/_category_.json
@@ -0,0 +1,6 @@
{
"position": 10,
"label": "Image Management",
"collapsible": true,
"collapsed": true
}
106 changes: 106 additions & 0 deletions docs/image/image-security.md
@@ -0,0 +1,106 @@
---
id: image-security
sidebar_position: 2
sidebar_label: Image Security
title: "Image Security"
keywords:
- Harvester
- harvester
- Rancher
- rancher
- Image Security
---

_Available as of v1.4.0_

Starting with v1.4.0 Harvester allows you to encrypt and decrypt virtual machine image. The encryption mechanism utilizes the Linux kernel module dm_crypt and the command-line utility cryptsetup.

## Prerequisite

Before encrypting or decrypting the virtual machine image, we need to prepare following resources:

- source virtual machine image
- secret
- storage class

### Source Virtual Machine Image

Please follow [Upload Images](./upload-image) to create an image.

:::info important
Harvester doesn't support uploading an encrypted image
:::

### Secret

We use this secret as passphrase of dm_crypt. You need to customize the value of `CRYPTO_KEY_VALUE` field. Other fields are fixed.

Example Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: encryption
namespace: default
data:
CRYPTO_KEY_CIPHER: aes-xts-plain64
CRYPTO_KEY_HASH: sha256
CRYPTO_KEY_PROVIDER: secret
CRYPTO_KEY_SIZE: 256
CRYPTO_KEY_VALUE: "Your encryption passphrase"
CRYPTO_PBKDF: argon2i
```
### Storage Class
Since Harvesters uses Longhorn to encrypt image, we need to pass required fields to Longhorn CSI driver.
Example Storage Class:
```yaml
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: encryption
parameters:
csi.storage.k8s.io/node-publish-secret-name: encryption
csi.storage.k8s.io/node-publish-secret-namespace: default
csi.storage.k8s.io/node-stage-secret-name: encryption
csi.storage.k8s.io/node-stage-secret-namespace: default
csi.storage.k8s.io/provisioner-secret-name: encryption
csi.storage.k8s.io/provisioner-secret-namespace: default
encrypted: "true"
fromBackup: ""
migratable: "true"
numberOfReplicas: "3"
staleReplicaTimeout: "2880"
provisioner: driver.longhorn.io
reclaimPolicy: Delete
volumeBindingMode: Immediate
```
## Encrypt Image
Select a previously created storage class. This storage class must include encryption-related fields. Harvester will pass this storage class to Longhorn.
![](/img/v1.4/image/select-encryption-storage-class.png)
## Decrypt Image
Select the default or a commonly used storage class. Harvester will use the storage class from the source virtual machine image that you want to decrypt.
![](/img/v1.4/image/select-normal-storage-class.png)
## Advanced Usage with Rancher Integration
### Prevent other users from reading the secret
Since the secret is a base64 encoded string, it's not really encrypted. So, admin might want keep this secret safe. With Rancher Integration, we can use project and namespace to isolate permission. Please check [Multi-Tenancy](../rancher/virtualization-management#multi-tenancy) for more detail.
## Limitations
- Don't support that export to image from encrypted image.
- Don't support that download encrypted image and upload it to reuse.
- Don't support that upload an encrypted image.
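Review bot: the example Secret in this hunk cannot be applied as written: values under `data:` must be base64-encoded strings, but `CRYPTO_KEY_VALUE: "Your encryption passphrase"`, `CRYPTO_KEY_CIPHER: aes-xts-plain64` and the other entries are plaintext, and `CRYPTO_KEY_SIZE: 256` is an unquoted integer where the API requires a string. The simplest fix is to put the block under `stringData:` (the API server base64-encodes it on write) and quote the size as `"256"`; if `data:` is kept, the values have to be shown in their base64 form. With that change the later sentence "Since the secret is a base64 encoded string, it's not really encrypted" also matches what the reader actually creates. Related: the StorageClass points all three `csi.storage.k8s.io/*-secret-name` parameters at `encryption` in `default`, so the text should state explicitly that the Secret must exist in that namespace before a PVC using this class is provisioned. Wording: "Since Harvesters uses Longhorn" should be "Since Harvester uses Longhorn"; the Limitations bullets ("Don't support that export to image from encrypted image.") read more clearly as "Exporting an image from an encrypted image is not supported." and so on; and the third bullet duplicates the earlier `:::info important` admonition.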
2 changes: 1 addition & 1 deletion docs/upload-image.md → docs/image/upload-image.md
@@ -1,6 +1,6 @@
---
id: upload-image
sidebar_position: 6
sidebar_position: 1
sidebar_label: Upload Images
title: "Upload Images"
keywords:
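Review bot: the rename from docs/upload-image.md to docs/image/upload-image.md changes the page's URL, so any existing relative links to this page elsewhere in the docs (and external bookmarks) need updating or a redirect entry; the new `[Upload Images](./upload-image)` link added in image-security.md is consistent with the new location. The `sidebar_position` change from 6 to 1 is fine given the page now sits inside the new Image Management category.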
84 changes: 84 additions & 0 deletions docs/volume/volume-security.md
@@ -0,0 +1,84 @@
---
sidebar_position: 6
sidebar_label: Volume Security
title: "Volume Security"
keywords:
- Volume Security
- Image Security
---

_Available as of v1.4.0_

Starting with v1.4.0 Harvester allows you to encrypt and decrypt volume. The encryption mechanism utilizes the Linux kernel module dm_crypt and the command-line utility cryptsetup.

## Prerequisite

Before encrypting volumes, we need to prepare following resources:

- secret
- storage class

### Secret

We use this secret as passphrase of dm_crypt. You need to customize the value of `CRYPTO_KEY_VALUE` field. Other fields are fixed.

Example Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: encryption
namespace: default
data:
CRYPTO_KEY_CIPHER: aes-xts-plain64
CRYPTO_KEY_HASH: sha256
CRYPTO_KEY_PROVIDER: secret
CRYPTO_KEY_SIZE: 256
CRYPTO_KEY_VALUE: "Your encryption passphrase"
CRYPTO_PBKDF: argon2i
```
### Storage Class
Since Harvesters uses Longhorn to encrypt volume, we need to pass required fields to Longhorn CSI driver.
Example Storage Class:
```yaml
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: encryption
parameters:
csi.storage.k8s.io/node-publish-secret-name: encryption
csi.storage.k8s.io/node-publish-secret-namespace: default
csi.storage.k8s.io/node-stage-secret-name: encryption
csi.storage.k8s.io/node-stage-secret-namespace: default
csi.storage.k8s.io/provisioner-secret-name: encryption
csi.storage.k8s.io/provisioner-secret-namespace: default
encrypted: "true"
fromBackup: ""
migratable: "true"
numberOfReplicas: "3"
staleReplicaTimeout: "2880"
provisioner: driver.longhorn.io
reclaimPolicy: Delete
volumeBindingMode: Immediate
```
## Encrypt Volume
When [creating volume](./create-volume.md), please select encryption storage class.
## Advanced Usage with Rancher Integration
### Prevent other users from reading the secret
Since the secret is a base64 encoded string, it's not really encrypted. So, admin might want keep this secret safe. With Rancher Integration, we can use project and namespace to isolate permission. Please check [Multi-Tenancy](../rancher/virtualization-management#multi-tenancy) for more detail.
## Limitations
- Don't support that export to image from encrypted volumes.
- Don't support that data volume restoring from encrypted to unencrypted or unencrypted to encrypted one.
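Review bot: the Secret sample here has the same defect as the one in image-security.md: plaintext values and an unquoted `256` under `data:`, which the API server rejects; use `stringData:` with `CRYPTO_KEY_SIZE: "256"`, or show the base64 values. Since this Secret and the StorageClass are copied verbatim from image-security.md, consider linking to that page (or a shared snippet) rather than duplicating both blocks, which will drift apart on the next edit. Smaller points: the front matter lacks the `id:` field the image page has; `Image Security` in the keywords looks copied from the other page; `[creating volume](./create-volume.md)` uses the `.md` suffix while image-security.md links `./upload-image` without it; "Harvesters uses" should be "Harvester uses"; and the Limitations bullets ("Don't support that data volume restoring from encrypted to unencrypted or unencrypted to encrypted one.") would read more clearly as "Restoring a data volume from an encrypted to an unencrypted volume, or vice versa, is not supported."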

0 comments on commit 16e1316