Configuring K10 Encryption¶
K10 supports encryption for data and metadata stored in an object store or an NFS file store (e.g., for cross-cloud snapshot migration) via the use of the AES-256-GCM encryption algorithm. You can enable encryption for external data and metadata by creating a Passkey (more information below). In particular, K10 allows users to have multiple Passkeys but, in the common case, there will be one Passkey in use.
A Passkey API resource is used to add, edit, list or remove a Passkey used for data and metadata encryption.
Note
The Passkey passphrase should be stored separately in a secure location for K10 Disaster Recovery.
Bootstrapping Passkeys Before Install¶
If you do not specify a cluster secret, a Passkey with a random
passphrase will be generated by K10 during install. The randomly
generated Passkey can be changed via the Changing
Passkeys instructions. However, if the passphrase
needs to be specified before install, it can be done via the creation
of a Kubernetes secret with a well-known name (k10-cluster-passphrase
)
in the namespace you will install K10 in (default kasten-io
):
Warning
Once the cluster secret is set or auto-generated, do not modify or delete the cluster secret directly, please follow the Passkey change workflow below.
PassKey Management¶
Creating Passkeys¶
A Passkey expects a Kubernetes Secret to be provided which contains the passphrase. This can be done via the creation of a Kubernetes secret in the K10 namespace:
As shown below, this secret can then be used to create a Passkey. Note that Passkeys are non-namespaced.
If usenow
is set to true
, while adding a Passkey, it will become
the default Passkey. For changing the default (in use) Passkey, take
a look at the Changing Passkeys instructions.
Multiple Passkeys can have their usenow
flags sets but only one
Passkey will be in use at any point in time. The
Passkey that is most recently added with usenow
set to true
,
will be the Passkey in use.
You can verify which Passkey is inuse
by listing the Passkeys and
checking the status. The status of the Passkey in use will have the inuse
flag set to true.
Listing Passkeys¶
To list all Passkeys, simply run:
Getting Passkeys¶
To get a specific Passkey, run:
You may see additional Passkey detail by using the -o yaml
option:
Deleting Passkeys¶
You can delete existing Passkeys if they are no longer required. If a Passkey is currently in use or only one Passkey exists, it cannot be deleted.
Changing Passkeys¶
K10 allows you to change the current Passkey used for data and metadata encryption.
To change the Passkey, first add a new Passkey by following the
instructions for adding Passkeys,
but set the usenow
flag to true
.
You can then delete the old Passkey by following the instructions for deleting Passkeys.