
Support Disk Encryption Set for Node OS Disks #268

Open
iamvighnesh opened this issue Apr 15, 2024 · 3 comments
Labels
  • area/security: Issues or PRs related to security
  • area/storage: Issues or PRs related to storage
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.

Comments

@iamvighnesh
Contributor

Tell us about your request

The users are requesting support for Disk Encryption Sets for Node OS Disks on Karpenter-managed nodes.

Here's the existing feature for AKS managed nodes with Disk Encryption Set for Node OS Disks.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

The users do not have a way to provide a customer-managed key for encrypting node OS disks and would like the ability to supply customer-managed keys to use for encryption at rest for the OS disks of Karpenter-managed nodes.

Are you currently working around this issue?

No workaround is available for this right now.

Additional Context

  • Do we also need to consider supporting Host Encryption for the nodes?
  • Right now, Disk Encryption Set can only be enabled during cluster creation. We need to investigate how that would affect the karpenter-managed nodes.
  • What happens if the AKS cluster does not have Disk Encryption Set enabled?

Attachments

No response

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@tallaxes
Collaborator

This is currently not supported. The first step would be to enable disk encryption with managed keys by default, which is what AKS does. Next step would be support for BYOK.

tallaxes added the triage/accepted (Indicates an issue or PR is ready to be actively worked on.), area/storage (Issues or PRs related to storage) and area/security (Issues or PRs related to security) labels on Apr 25, 2024
@iamvighnesh
Contributor Author

@tallaxes Would you like me to create a separate issue for Disk Encryption using platform-managed keys?

I am happy to pick this up and work on both the features.

@tallaxes
Collaborator

Good idea, and I appreciate the offer of help! Let me dig a little bit into the differences between this (server-side encryption) and host-based encryption, to see how to break this down best - and maybe set priorities.
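To make the two settings discussed in this thread concrete, here is an added example (not Karpenter's or AKS's code) that shows where each one lives in the ARM `Microsoft.Compute/virtualMachines` resource that a node provisioner ultimately creates: server-side encryption with a customer-managed key is a reference to a Disk Encryption Set under `storageProfile.osDisk.managedDisk.diskEncryptionSet.id`, while host-based encryption is the separate `securityProfile.encryptionAtHost` flag. The Go structs are a deliberately minimal projection of that schema, the DES resource-ID pattern, subscription ID, resource group and VM names are constructed for the example, and `AuditNodeEncryption` is an illustrative audit over an exported list of VM specs that also covers the case raised in the issue where the cluster has no DES configured (pass an empty `clusterDESID`).

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Minimal projection of the ARM Microsoft.Compute/virtualMachines resource,
// limited to the fields this issue is about. JSON names follow the ARM schema;
// the rest of the real resource is ignored here (assumption: a subset suffices).
type DiskEncryptionSetRef struct {
	ID string `json:"id,omitempty"`
}
type ManagedDiskParams struct {
	StorageAccountType string                `json:"storageAccountType,omitempty"`
	DiskEncryptionSet  *DiskEncryptionSetRef `json:"diskEncryptionSet,omitempty"` // server-side CMK encryption
}
type OSDisk struct {
	CreateOption string            `json:"createOption,omitempty"`
	ManagedDisk  ManagedDiskParams `json:"managedDisk"`
}
type StorageProfile struct {
	OSDisk OSDisk `json:"osDisk"`
}
type SecurityProfile struct {
	EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"` // host-based encryption
}
type VMProperties struct {
	StorageProfile  StorageProfile   `json:"storageProfile"`
	SecurityProfile *SecurityProfile `json:"securityProfile,omitempty"`
}
type VirtualMachine struct {
	Name       string       `json:"name"`
	Properties VMProperties `json:"properties"`
}

// desIDPattern matches a fully-qualified Disk Encryption Set resource ID
// (constructed for this example; the 36-char segment is the subscription GUID).
var desIDPattern = regexp.MustCompile(
	`^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Compute/diskEncryptionSets/[^/]+$`)

// ApplyDiskEncryptionSet makes the OS disk use the customer-managed key held by
// the given DES and optionally enables encryption at host. A malformed ID is
// rejected so a typo cannot silently fall back to platform-managed keys.
func ApplyDiskEncryptionSet(vm *VirtualMachine, desID string, encryptAtHost bool) error {
	if !desIDPattern.MatchString(desID) {
		return fmt.Errorf("not a Disk Encryption Set resource ID: %q", desID)
	}
	vm.Properties.StorageProfile.OSDisk.ManagedDisk.DiskEncryptionSet = &DiskEncryptionSetRef{ID: desID}
	if encryptAtHost {
		vm.Properties.SecurityProfile = &SecurityProfile{EncryptionAtHost: &encryptAtHost}
	}
	return nil
}

// Finding is one gap between a VM spec and the expected encryption posture.
type Finding struct{ VM, Issue string }

// AuditNodeEncryption reports node VMs whose OS disk is not encrypted with the
// cluster's DES or that lack encryption at host. An empty clusterDESID means
// "no DES configured for the cluster", so only presence and well-formedness are checked.
func AuditNodeEncryption(vmsJSON []byte, clusterDESID string) ([]Finding, error) {
	var vms []VirtualMachine
	if err := json.Unmarshal(vmsJSON, &vms); err != nil {
		return nil, fmt.Errorf("parsing VM list: %w", err)
	}
	var findings []Finding
	for _, vm := range vms {
		des := vm.Properties.StorageProfile.OSDisk.ManagedDisk.DiskEncryptionSet
		switch {
		case des == nil || des.ID == "":
			findings = append(findings, Finding{vm.Name, "OS disk uses platform-managed keys (no diskEncryptionSet)"})
		case !desIDPattern.MatchString(des.ID):
			findings = append(findings, Finding{vm.Name, "diskEncryptionSet.id is malformed: " + des.ID})
		case clusterDESID != "" && !strings.EqualFold(des.ID, clusterDESID): // ARM IDs compare case-insensitively
			findings = append(findings, Finding{vm.Name, "OS disk DES differs from the cluster DES: " + des.ID})
		}
		if sp := vm.Properties.SecurityProfile; sp == nil || sp.EncryptionAtHost == nil || !*sp.EncryptionAtHost {
			findings = append(findings, Finding{vm.Name, "encryptionAtHost is not enabled"})
		}
	}
	return findings, nil
}

// Constructed sample: the cluster DES and two node VMs, one compliant and one
// created without either setting (what an unsupported provisioner would produce).
const sampleDESID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-karpenter/providers/Microsoft.Compute/diskEncryptionSets/des-nodes"
const sampleVMs = `[
 {"name":"aks-node-0","properties":{"storageProfile":{"osDisk":{"createOption":"FromImage","managedDisk":{"storageAccountType":"Premium_LRS",
   "diskEncryptionSet":{"id":"` + sampleDESID + `"}}}},"securityProfile":{"encryptionAtHost":true}}},
 {"name":"aks-node-1","properties":{"storageProfile":{"osDisk":{"createOption":"FromImage","managedDisk":{"storageAccountType":"Premium_LRS"}}}}}
]`

func main() {
	findings, err := AuditNodeEncryption([]byte(sampleVMs), sampleDESID)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.VM, f.Issue) // aks-node-1 is reported twice, aks-node-0 not at all
	}
}
```

Running it lists two findings for `aks-node-1` and none for `aks-node-0`; feeding `ApplyDiskEncryptionSet` output back into the audit yields an empty list, which is the check a reconciler or a periodic compliance job would want once this feature lands.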
