-
Notifications
You must be signed in to change notification settings - Fork 559
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
doc: Update docs for rbd-pv-key-rotation
This commit updates the key rotation docs with the following changes: - Do not call LuksVerify - Mention specifics of RWX volumes - Rename the file to represent RBD backed volumes Signed-off-by: black-dragon74 <[email protected]>
- Loading branch information
1 parent
cab0994
commit f6f87fc
Showing
2 changed files
with
77 additions
and
55 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| # Encryption Key Rotation | ||
|
|
||
| ## Proposal | ||
|
|
||
| Subject of this proposal is to add support for rotation of | ||
| encryption keys (KEKs) for encrypted volumes in Ceph-CSI. | ||
|
|
||
| Support for rotating keys on RWX/ROX volumes is out of scope for now | ||
| and shall be added later. | ||
|
|
||
| ## Document Terminology | ||
|
|
||
| - Encryption Key: The passphrase that is used to encrypt and open the device. | ||
| - LUKS: The specification used by dm-crypt to process encrypted volumes on linux. | ||
|
|
||
| ## Proposed Solution | ||
|
|
||
| The proposed solution in this document, is to address the periodic rotation | ||
| of encryption keys for encrypted volumes. | ||
|
|
||
| This document outlines the rotation steps for PVCs backed by RBD. | ||
|
|
||
| ### Implementation Summary | ||
|
|
||
| This feature builds upon the foundation laid by encrypted pvcs. | ||
|
|
||
| An existing storage class can be annotated with | ||
| `keyrotation.csiaddons.openshift.io/schedule` to enable the key rotation.The | ||
| value of this annotation can be schedule in cron format or one of the | ||
| macros supported by K8s CronJob spec. | ||
|
|
||
| The following new methods are added to `cryptsetup.go` for | ||
| handling the key rotation. | ||
|
|
||
| - `LuksAddKey`: Adds a new key to specified LUKS slot | ||
| - `LuksRemoveKey`: Removes the specified key from its slot using `luksKillSlot` | ||
| - `LuksVerifyKey`: Verifies that the given key exists | ||
| in the given slot using `luksChangeKey`. | ||
|
|
||
| ### Implementation Details | ||
|
|
||
| The encryption key rotation request will contain with it | ||
| the volume ID and secrets. | ||
|
|
||
| The secrets are used to generate the credentials for authenticating | ||
| against a ceph cluster. | ||
|
|
||
| These values are then used to call `GenVolFromVolID` to get the | ||
| rbdVolume structure. | ||
|
|
||
| The `VolumeEncryption` struct is modified to make | ||
| `generateNewEncryptionPassphrase` a public member function. | ||
|
|
||
| The `EncryptionKeyRotation` service is registered and implemented | ||
| on the node-plugin. | ||
|
|
||
| The following steps are followed to process the device for key rotation: | ||
|
|
||
| - Create a `rbdvolume` object using volume ID, | ||
| this is done by `GenVolFromVolID`. | ||
| - Fetch the current key from the KMS, it is needed for | ||
| subsequent LUKS operations. | ||
| - Get the device path for the volume by calling `waitForPath` as all LUKS | ||
| operations require the device path. | ||
| - Add the fetched key to LUKS slot 1, this will serve as a backup of the key. | ||
| - Generate a new key and store it locally. It will be updated | ||
| in the KMS at later steps. | ||
| - Remove the exsitng key from slot 0 upon verifying that the | ||
| key in KMS == the key in slot 0. | ||
| - Add new key to slot 0. | ||
| - Update the new key in the KMS. | ||
| - Fetch the key again and verify that the | ||
| key in KMS == the new key we generated. | ||
| - We can now remove the backup key from slot 1. | ||
|
|
||
| These order of the above steps guarantees that we always have one key | ||
| that can unlock the encrypted volume. |