Encryption
Encryption of volumes is possible in two different ways - either on the Lightbits side or on the host side.
Host Side Encryption
With this method, the consumer of a volume defines a secret used to encrypt the volume content before it is sent over to Lightbits. This is forced by some customers to meet very high security requirements, for example for health or military applications.
The downside of this is that with host side encryption, server side compression should be disabled, because this will have no effect at all. It is still possible to enable compression, but will probably hurt overall performance.
Configuration
To get a volume encrypted, a secret must be provided and a storageclass - which enables encryption - must be created. The secret can be given globally in the kube-system namespace, or on a per namespace basis.
Host side encryption does not currently support secrets on a per volume basis.
In the simplest case - one encryption secret in the kube-system namespace - the configuration would look like this:
allowVolumeExpansiontrueapiVersionstorage.k8s.io/v1kindStorageClassmetadata annotations storageclass.kubernetes.io/is-default-class"false" creationTimestamp"2022-01-24T08:40:03Z" nameencrypted-scparameters compressiondisabled host-encryptionenabled csi.storage.k8s.io/controller-expand-secret-namelb-csi-creds csi.storage.k8s.io/controller-expand-secret-namespacekube-system csi.storage.k8s.io/controller-publish-secret-namelb-csi-creds csi.storage.k8s.io/controller-publish-secret-namespacekube-system csi.storage.k8s.io/node-publish-secret-namelb-csi-creds csi.storage.k8s.io/node-publish-secret-namespacekube-system csi.storage.k8s.io/node-stage-secret-namelb-csi-creds csi.storage.k8s.io/node-stage-secret-namespacekube-system csi.storage.k8s.io/provisioner-secret-namelb-csi-creds csi.storage.k8s.io/provisioner-secret-namespacekube-system mgmt-endpoint10.131.44.1443,10.131.44.2443,10.131.44.3443 mgmt-schemegrpcs project-name0f89286d-0429-4209-a8a9-8612befbff97 replica-count"3"provisionercsi.lightbitslabs.comreclaimPolicyDeletevolumeBindingModeImmediateThe Secret will then look like this:
---apiVersionv1kindSecretmetadata namelb-csi-creds namespacekube-systemtypeOpaquedata host-encryption-passphrasebXlhd2Vzb21lcGFzc3BocmFzZQ== jwt<the JWT token to authenticate against Lightbits>The name of the key for encryption must be: host-encryption-passphrase.
If a finer grained secret handling is required, the CSI spec allows templating of parameters in the storageclass. With this, something like the following is possible:
allowVolumeExpansiontrueapiVersionstorage.k8s.io/v1kindStorageClassmetadata annotations storageclass.kubernetes.io/is-default-class"false" creationTimestamp"2022-01-24T08:40:03Z" namepartition-gold-encryptedparameters compressiondisabled host-encryptionenabled encryption-secret-namespace$pvc.namespace encryption-secret-namestorage-encryption-key csi.storage.k8s.io/controller-expand-secret-namelb-csi-creds csi.storage.k8s.io/controller-expand-secret-namespacekube-system csi.storage.k8s.io/controller-publish-secret-namelb-csi-creds csi.storage.k8s.io/controller-publish-secret-namespacekube-system csi.storage.k8s.io/node-publish-secret-namestorage-encryption-key csi.storage.k8s.io/node-publish-secret-namespace$pvc.namespace csi.storage.k8s.io/node-stage-secret-namestorage-encryption-key csi.storage.k8s.io/node-stage-secret-namespace$pvc.namespace csi.storage.k8s.io/provisioner-secret-namelb-csi-creds csi.storage.k8s.io/provisioner-secret-namespacekube-system mgmt-endpoint10.131.44.1443,10.131.44.2443,10.131.44.3443 mgmt-schemegrpcs project-name0f89286d-0429-4209-a8a9-8612befbff97 replica-count"3"provisionercsi.lightbitslabs.comreclaimPolicyDeletevolumeBindingModeImmediateNow, a storage encryption secret called storage-encryption-key must be present in the namespace of the PVC. This must also contain the host-encryption-passphrase - as shown above.
Additional explanation and samples can be found in the official CSI documentation.