Starting with version 2.6.3, VAST Block CSI Driver supports LUKS-based host encryption.
To enable host encryption, supply a LUKS passphrase in the passphrase field of the Kubernetes secret that the driver's Helm chart configuration file references. As with every field under data: in a Kubernetes Secret, the value must be base64-encoded (use stringData: instead if you want to write it in plain text). For example:
apiVersion: v1
kind: Secret
metadata:
  name: <secret name>
type: Opaque
data:
  endpoint: <VAST cluster hostname>
  token: <VMS user's token>
  sslCert: <path to SSL certificate>
  passphrase: <passphrase>

If a passphrase is supplied, VAST Block CSI Driver applies encryption with the following default parameters:
luks_type: "luks2"                  # LUKS version
cipher: "aes-xts-plain64"           # Encryption cipher
key_size: "512"                     # Key size (in bits) for the cipher; XTS splits the key in two halves, so 512 bits gives AES-256
hash: "sha256"                      # Hashing algorithm
pbkdf_memory: "65536"               # Memory cost for the PBKDF (in KB)
perf-same_cpu_crypt: true           # Perform encryption work on the CPU that issued the IO
perf-submit_from_crypt_cpus: true   # Submit IO from the crypt CPUs
perf-no_read_workqueue: true        # Bypass the read workqueue
perf-no_write_workqueue: true       # Bypass the write workqueue

Note
For more details on the parameter values, see Storage Class Option Reference.
You can override the defaults by supplying encryption parameters under hostEncryption in the storage class definition, for example:
storageClasses:
  vastdata-block:
    subsystem: <subsystem>
    viewPolicy: <view policy>
    vipPool: <virtual IP pool>
    secretName: <name of secret>
    hostEncryption:
      key_size: 256

Keep in mind that with the default aes-xts-plain64 cipher the LUKS key is split between the two XTS halves: key_size 512 yields AES-256, and key_size 256 (as in this example) yields AES-128. Override the default key size only if a smaller key is acceptable to your threat model.
Note
Enabling host encryption encrypts the entire block device; its data can be read only when the preset passphrase is supplied. Anyone who can read the Kubernetes secret can therefore unlock the device, so restrict RBAC access to the secret and enable encryption at rest for etcd (or an external KMS provider). If the passphrase is lost, the data on the device cannot be recovered.
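The following added example (not part of the VAST documentation or the driver's tooling) renders the Secret manifest described above with every field base64-encoded, which is the step most often done wrong by hand, and maps a hostEncryption key_size value to the AES strength that aes-xts-plain64 actually provides. The secret name, endpoint, token, certificate value and passphrase passed in are assumed sample inputs; the field names match the manifest above.

```shell
#!/bin/sh
# Added example, not VAST's own tooling: build the Kubernetes Secret consumed by
# the VAST Block CSI Driver with base64-encoded values, and report the effective
# AES key strength for a given LUKS key_size under aes-xts-plain64.
set -eu

# base64-encode a string without line wrapping (Kubernetes rejects wrapped values).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Render the Secret manifest.
# Arguments: <secret name> <VAST cluster hostname> <VMS token> <sslCert value> <LUKS passphrase>
render_vast_secret() {
  name=$1; endpoint=$2; token=$3; sslcert=$4; passphrase=$5
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
data:
  endpoint: $(b64 "$endpoint")
  token: $(b64 "$token")
  sslCert: $(b64 "$sslcert")
  passphrase: $(b64 "$passphrase")
EOF
}

# Decode one field back out of a rendered manifest, to verify what was stored.
# Arguments: <manifest text> <field name>
secret_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}

# Effective AES key length for aes-xts-plain64: XTS uses two AES keys, so the
# LUKS key_size is split in half. 512 -> AES-256 (the driver default), 256 -> AES-128.
xts_aes_bits() {
  case "$1" in
    512) echo 256 ;;
    256) echo 128 ;;
    *) echo "unsupported key_size for aes-xts-plain64: $1" >&2; return 1 ;;
  esac
}

# Stand-alone usage with constructed sample values (replace with real ones,
# and pipe the output into: kubectl apply -n <namespace> -f -).
if [ "${1:-}" = "demo" ]; then
  render_vast_secret vast-csi-secret vast.example.internal 'vms-token-sample' 'cert-sample' 'sample-passphrase'
  echo "# key_size 512 => AES-$(xts_aes_bits 512), key_size 256 => AES-$(xts_aes_bits 256)" >&2
fi
```

Run it with the demo argument to print a manifest you can apply with kubectl; the decode helper lets you confirm on the cluster side (for example against kubectl get secret -o yaml output) that the stored passphrase is exactly what you intended, with no stray newline.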