Last modified March 6, 2022

Encrypting Persistent Volumes using Azure Key Vault

If your cluster is running in Azure infrastructure, the most common way to provision Persistent Volumes (PVs) is by using Azure Disks.

On Giant Swarm Workload clusters, the default Storage Classes already include definitions for Azure Disks as well as Azure Files. Those disks however are not encrypted with Customer-Managed keys but only with Platform-Managed keys. In order to increase the security of your persistent data on PVs you can use the Azure Key Vault service as an encryption key provider.

Azure Key Vault setup

A prerequisite for following steps is to have a deployed Key Vault instance either in your cluster’s Resource Group, or in your account. Please follow the official docs to get started.

Create first encryption key

After successful deployment, we can move to creating the encryption key which will be used to encrypt data on your PVs.

Add a new key with a key type, RSA key size, and activation or expiration date of your choosing in the Key Vault directory.

When the creation is finished, the Key Identifier should look similar to:

Create Disk Encryption Set

The next step is to create an Azure Disk Encryption Set with the key generated in the previous step. You can use the Azure CLI or navigate in the Portal by adding a new Disk Encryption Set resource.

When creating the Set, you can specify an encryption type to use only Customer-Managed keys or provide a double encryption with additional Platform-Managed keys. Regardless of your choice, please specify the key you have just created to be used in the Set.

Remember to add access permissions to the Key Vault instance you have created for the created Disk Encryption Set as it will need it to actually access and read the key after creation.

In the last step you will need the Resource ID of the created Disk Encryption Set looking like: /subscriptions/sub_id/resourceGroups/rg_where_key_vault_is/providers/Microsoft.Compute/diskEncryptionSets/name_of_your_disk_encryption_set

Create Storage Class with Encryption

The last step is to create your own Storage Class with the defined encryption set.

After replacing the placeholder below with your Encryption Set Resource ID, you will be able to apply the following snippet:

kind: StorageClass
  name: EncryptedDisks
  skuname: Standard_LRS
  kind: managed
  diskEncryptionSetID: "/subscriptions/sub_id/resourceGroups/rg_where_key_vault_is/providers/Microsoft.Compute/diskEncryptionSets/name_of_your_disk_encryption_set"

From now on, your Persistent Volumes using this storage class will have encrypted data with your Customer-Managed key. The final step is to add the Managed Identities (Service Principals) to every Virtual Machine Scale Set which is created (both for control plane nodes and for all node pools in your cluster). This is to enable them to have access to the Key Vault instance in order to be able to read the encryption key.

Further reading