Encryption

For more detail on encryption at rest in StorageOS, please see the reference page.

Enabling encryption on a volume

To encrypt a volume, create it with the storageos.com/encryption=true label set on the volume’s PVC. The label cannot be set as a StorageClass parameter.

This label is all that is needed. If it is present, the mutating admission webhook that runs as part of the StorageOS API Manager will create the encryption key, link it to the PVC and store it in a secret.

Encryption is enabled when a volume is provisioned, and it cannot be removed during the volume’s lifetime.

An example encrypted volume

  • Add the label in the PVC definition, for instance:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: encrypted-vol
      labels:
        storageos.com/encryption: "true" # Label <-----
    spec:
      storageClassName: "fast"
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 1G