Support for LUKS disk encryption for local-storage #1413
Comments
@wokalski Thanks for your feedback. Data volume encryption is really important, especially in scenarios with high data security requirements. This feature is currently in our planning. It would be great if you could contribute to this feature, and if you have any questions during this process, please feel free to contact us; we will provide as much help as possible!
I think I might be able to contribute it, but I'd need some information on how you'd like it implemented:
Thank you!
I think this has to do with how users use it. Perhaps both StorageClass and LocalVolume should reflect whether encryption is applied and how it is done.
As for the encryption key information, it might be associated through secrets. This relationship can be maintained in the StorageClass. These are some of my current ideas about this. If there is a better way, please feel free to communicate~
Actually, I'm not sure whether all the physical volumes (PVs) in a volume group (VG) should have the same encryption policy. If a data volume spans across multiple PVs with different encryption policies, is there any security risk?
cryptsetup can be used for LV level encryption as well so it's the right tool for the job 👍. I will think about the rest and get back to you soon.
Same requirement.
@wokalski Hi, are you still working on this issue?
Unfortunately I'm not working on it actively. It is in my backlog but untouched.
Support for LUKS encryption for local-storage can make hwameistor an even more complete solution. I'd like to be able to say: here's a PVC, encrypt it with LUKS with the key from this secret. And it'd create a logical volume encrypted with the given secret.
I think it might be a bit more challenging for local-disk stuff so I'd like to separate those two out into separate feature requests.
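The manual equivalent of what this request describes (create an LV, LUKS-format it with a key read from a file, open and format the mapping), as an added example that is not hwameistor code and not part of the original thread. The VG/LV names, size, key path and mapper-name scheme are hypothetical, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example: LUKS2 on top of an LVM logical volume, key taken from a file
# (for instance a Secret projected into the node agent). All names are
# hypothetical. DRY_RUN=1 (default) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse a key file that is missing, empty, or readable by group/others.
check_keyfile() {
    local keyfile="$1" mode
    [ -s "$keyfile" ] || { echo "key file missing or empty: $keyfile" >&2; return 1; }
    mode="$(stat -L -c '%a' "$keyfile")" || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "key file mode $mode is too permissive (want 400 or 600)" >&2
           return 1 ;;
    esac
}

# encrypt_lv VG LV SIZE KEYFILE
# Creates /dev/VG/LV, formats it as LUKS2 with the key file, opens it as
# /dev/mapper/VG-LV-crypt and puts a filesystem on the decrypted mapping.
encrypt_lv() {
    local vg="$1" lv="$2" size="$3" keyfile="$4"
    local dev="/dev/$vg/$lv" mapped="${vg}-${lv}-crypt"
    check_keyfile "$keyfile" || return 1
    run lvcreate -L "$size" -n "$lv" "$vg" || return 1
    # --batch-mode suppresses the interactive "are you sure" prompt.
    run cryptsetup luksFormat --type luks2 --batch-mode \
        --key-file "$keyfile" "$dev" || return 1
    run cryptsetup open --key-file "$keyfile" "$dev" "$mapped" || return 1
    run mkfs.ext4 "/dev/mapper/$mapped"
}

# Example call (hypothetical names): encrypt_lv vg0 pvc-demo 1G /run/keys/pvc-demo.key
```

Because the LUKS header sits on the LV itself, the encryption policy travels with the volume rather than with the underlying PVs.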