Starting with version 2.6.3, VAST Block CSI Driver supports LUKS-based host encryption.
To enable host encryption, add a LUKS passphrase to the Kubernetes secret that the driver's Helm chart configuration file references, using the passphrase parameter. As with any Kubernetes secret, the values under data must be base64-encoded (or be placed under stringData as plain text). For example:
apiVersion: v1
kind: Secret
metadata:
  name: <secret name>
type: Opaque
data:
  endpoint: <VAST cluster hostname>
  token: <VMS user's token>
  sslCert: <path to SSL certificate>
  passphrase: <passphrase>

If a passphrase is supplied, VAST Block CSI Driver applies encryption with the following default parameters:
luks_type: "luks2"                   # LUKS version
cipher: "aes-xts-plain64"            # Encryption cipher
key_size: "512"                      # Key size (in bits) for the cipher
hash: "sha256"                       # Hashing algorithm
pbkdf_memory: "65536"                # Memory cost for PBKDF (in KB)
perf-same_cpu_crypt: true            # Use same CPU for encryption work
perf-submit_from_crypt_cpus: true    # Submit IO from crypt CPUs
perf-no_read_workqueue: true         # Bypass read workqueue
perf-no_write_workqueue: true        # Bypass write workqueue
Note
For more details on the parameter values, see Storage Class Option Reference.
You can override the defaults by supplying encryption parameters under hostEncryption in the storage class definition, for example:

storageClasses:
  vastdata-block:
    subsystem: <subsystem>
    viewPolicy: <view policy>
    vipPool: <virtual IP pool>
    secretName: <name of secret>
    hostEncryption:
      key_size: 256

Be aware that for an XTS cipher such as the default aes-xts-plain64, key_size counts both XTS keys: the default of 512 gives AES-256, while the override of 256 shown above gives AES-128.
Note
Enabling host encryption encrypts the entire device; the data is readable only when the preset passphrase is supplied. If the passphrase is lost, the data on the device cannot be recovered.
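The following shell script is an added example and is not part of the VAST documentation or the driver. It renders the secret shown above with properly base64-encoded values, and it checks what a hostEncryption key_size override actually yields for the cipher in use, so that a 256-bit override is not mistaken for AES-256. The secret name, hostname, token, certificate and passphrase values are constructed placeholders, and the assumption that the driver's key_size maps directly to the LUKS key size is the author's, based on cryptsetup's behaviour for XTS modes.

```shell
#!/bin/sh
# Added example, not from the VAST documentation or driver: build the Secret
# the driver reads (values base64-encoded, as `data:` requires) and check
# what an XTS key_size override actually buys you.
set -eu

# base64 without the trailing newline or the line wrapping GNU base64 adds.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Effective AES key length for a cipher spec ($1) and a LUKS key_size in
# bits ($2). For XTS modes cryptsetup's key_size covers both XTS keys, so
# aes-xts-plain64 with 512 is AES-256 and with 256 is AES-128. Assumption:
# the driver passes key_size to LUKS unchanged.
effective_aes_bits() {
  case "$1" in
    *-xts-*) echo $(( $2 / 2 )) ;;
    *)       echo "$2" ;;
  esac
}

# Render the driver's Secret. The key names (endpoint, token, sslCert,
# passphrase) are the ones the documentation shows; the values are passed
# through as given, so callers supply whatever the driver expects there.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  endpoint: $(b64 "$2")
  token: $(b64 "$3")
  sslCert: $(b64 "$4")
  passphrase: $(b64 "$5")
EOF
}

# Refuse a hostEncryption override that silently weakens the cipher below
# the driver's default (AES-256). Returns 0 when acceptable, 1 otherwise.
check_key_size() {
  bits=$(effective_aes_bits "$1" "$2")
  if [ "$bits" -lt 256 ]; then
    echo "key_size $2 with $1 gives AES-$bits, weaker than the default AES-256" >&2
    return 1
  fi
  echo "key_size $2 with $1 gives AES-$bits"
}

# Usage (take the passphrase from a secret store, never a literal in a script):
#   render_secret vast-block-creds vms.example.com "$VMS_TOKEN" "$SSL_CERT" "$LUKS_PASSPHRASE" | kubectl apply -f -
#   check_key_size aes-xts-plain64 256   # fails: that is AES-128
```

After a volume has been attached, running cryptsetup luksDump against the block device on the node shows the LUKS version, cipher and key size actually in use; the device path depends on how the driver attaches the volume and is not given on this page.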