For more detail on encryption at rest in StorageOS, please see the reference page.
Enabling encryption on a volume
Encrypting a volume is done by simply creating a volume with the
storageos.com/encryption=true label set on the volume’s PVC.
This label is not applicable to be set as a StorageClass parameter
This label is all that is needed. If it is present, the mutating admission webhook that runs as part of the StorageOS API Manager will create the encryption key, link it to the PVC and store it in a secret.
Encryption is enabled when a volume is provisioned, and it can not be removed during during the volume’s lifetime.
An example encrypted volume
Add the label in the PVC definition, for instance:
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: encrypted-vol labels: storageos.com/encryption: "true" # Label <----- spec: storageClassName: "fast" accessModes: - ReadWriteOnce resources: requests: storage: 1G