Configuring K10 Encryption
K10 supports encryption for data and metadata stored in an object store or an NFS file store (e.g., for cross-cloud snapshot migration) via the use of the AES-256-GCM encryption algorithm. K10 encryption is always enabled for external data and metadata (more information below), it cannot be disabled. Multiple methods of encryption can be used and K10 can be configured to use any of them. K10 allows users to have multiple Passkeys. These Passkeys can be a combination of any of the different types listed below. However, only of them will be in use at any point in time.
A Passkey API resource is used to add, edit, list or remove a Passkey used for data and metadata encryption.
Bootstrapping Passkeys Before Install
If you do not specify a cluster secret, a Passkey with a random
passphrase will be generated by K10 during install. The randomly
generated Passkey can be changed via the Changing
Passkeys instructions. However, if the passphrase
needs to be specified before install, it can be done via the creation
of a Kubernetes secret with a well-known name (k10-cluster-passphrase
)
in the namespace you will install K10 in (default kasten-io
):
Warning
Once the cluster secret is set or auto-generated, do not modify or delete the cluster secret directly, please follow the Passkey change workflow below.
Passphrases
A passphrase is used to protect the encryption key used by K10 to encrypt application data.
$ kubectl create secret generic k10-cluster-passphrase \
--namespace kasten-io \
--from-literal passphrase=<key>
Note
The Passkey passphrase should be stored separately in a secure location for K10 Disaster Recovery.
AWS Customer Managed Keys
An AWS Customer Managed Key (CMK) can also be used to protect the encryption key used by K10 to encrypt application data.
$ kubectl create secret generic k10-cluster-passphrase \
--namespace kasten-io \
--from-literal awscmkkeyid=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
IAM must be configured for K10. Refer to Using AWS IAM Roles for more information on IAM roles.
AWS keys are required while installing K10 in order to use the AWS Customer Manager Key. The IAM role is an optional value to be configured if K10 should assume a specific role.
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \
--set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}" \
--set secrets.awsIamRole="${AWS_IAM_ROLE_ARN}"
Following is the AWS policy needed for access to AWS KMS.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt"
],
"Resource": "arn:aws:kms:::key/${KMS_KEY_ID}"
}
]
}
Additionally, the user/role needs to be added to the corresponding CMK policy as well.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<AWS ACCOUNT>:role/<ROLE NAME>"
]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
HashiCorp Vault Transit Secrets Engine
HashiCorp Vault Transit Secrets Engine can also be used to protect the encryption key used by K10 to encrypt application data.
$ kubectl create secret generic k10-cluster-passphrase \
--namespace kasten-io \
--from-literal vaulttransitkeyname=<vault_transit_key_name> \
--from-literal vaulttransitpath=<vault_transit_path>
K10 needs to be configured to be able to access Vault.
Currently, only token authentication is supported for Vault Server.
The token
should be provided via a secret
$ kubectl create secret generic vault-creds \
--namespace kasten-io \
--from-literal vault_token=<vault_token>
Warning
This may cause the token to be stored in shell history.
Credentials can be provided with the Helm install or upgrade command using the following flags.
--set vault.address=<vault_server_address> \
--set vault.secretName=vault-creds
PassKey Management
Creating Passkeys
A Passkey that represents a passphrase, expects a Kubernetes Secret to be provided which contains the passphrase. This can be done via the creation of a Kubernetes secret in the K10 namespace:
$ kubectl create secret generic <secret-name> \
--namespace kasten-io \
--from-literal passphrase=<key>
As shown below, this secret can then be used to create a Passkey. Note that Passkeys are non-namespaced.
$ cat > sample-passkey.yaml <<EOF
apiVersion: vault.kio.kasten.io/v1alpha1
kind: Passkey
metadata:
name: passkey1
spec:
secret:
# Reference to the passkey secret
name: <secret-name>
namespace: kasten-io
usenow: false
EOF
$ kubectl create -f sample-passkey.yaml
vault.kio.kasten.io/passkey1 created
A Passkey can also be used to represent an AWS KMS Customer Managed Key(CMK). The AWS CMK key ID can be provided directly in the passkey.
$ cat > sample-passkey.yaml <<EOF
apiVersion: vault.kio.kasten.io/v1alpha1
kind: Passkey
metadata:
name: passkey2
spec:
awscmkkeyid: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
usenow: false
EOF
$ kubectl create -f sample-passkey.yaml
vault.kio.kasten.io/passkey2 created
A Passkey
can also be used to represent a HashiCorp Vault Transit Secrets
Engine. The Vault Transit key name and mount path can be provided directly in
the passkey, as shown below.
$ cat > sample-passkey.yaml <<EOF
apiVersion: vault.kio.kasten.io/v1alpha1
kind: Passkey
metadata:
name: passkey3
spec:
vaulttransitkeyname: my-key
vaulttransitpath: my-transit-path
usenow: false
EOF
$ kubectl create -f sample-passkey.yaml
vault.kio.kasten.io/passkey3 created
If usenow
is set to true
, while adding a Passkey, it will become
the default Passkey. For changing the default (in use) Passkey, take
a look at the Changing Passkeys instructions.
Multiple Passkeys can have their usenow
flags sets but only one
Passkey will be in use at any point in time. The
Passkey that is most recently added with usenow
set to true
,
will be the Passkey in use.
You can verify which Passkey is inuse
by listing the Passkeys and
checking the status. The status of the Passkey in use will have the inuse
flag set to true.
Listing Passkeys
To list all Passkeys, simply run:
$ kubectl get passkeys.vault.kio.kasten.io
NAME AGE
passkey1 1h
passkey2 2h
Getting Passkeys
To get a specific Passkey, run:
$ kubectl get passkeys.vault.kio.kasten.io passkey1
NAME AGE
passkey1 1h
You may see additional Passkey detail by using the -o yaml
option:
$ kubectl get passkeys.vault.kio.kasten.io passkey1 -o yaml
apiVersion: vault.kio.kasten.io/v1alpha1
metadata:
name: passkey1
creationtimestamp: <creation-time>
status:
inuse: true
Deleting Passkeys
You can delete existing Passkeys if they are no longer required. If a Passkey is currently in use or only one Passkey exists, it cannot be deleted.
$ kubectl delete passkeys.vault.kio.kasten.io passkey1
vault.kio.kasten.io/passkey1 deleted
Changing Passkeys
K10 allows you to change the current Passkey used for data and metadata encryption.
To change the Passkey, first add a new Passkey by following the
instructions for adding Passkeys,
but set the usenow
flag to true
.
You can then delete the old Passkey by following the instructions for deleting Passkeys.