Title
Create new category
Edit page index title
Edit category
Edit link
Encryption
Encryption of volumes is possible in two different ways - either on the Lightbits side or on the host side.
Host Side Encryption
With this method, the consumer of a volume defines a secret used to encrypt the volume content before it is sent over to Lightbits. This is forced by some customers to meet very high security requirements, for example for health or military applications.
The downside of this is that with host side encryption, server side compression should be disabled, because this will have no effect at all. It is still possible to enable compression, but will probably hurt overall performance.
Configuration
To get a volume encrypted, a secret must be provided and a storageclass - which enables encryption - must be created. The secret can be given globally in the kube-system namespace, or on a per namespace basis.
Host side encryption does not currently support secrets on a per volume basis.
In the simplest case - one encryption secret in the kube-system namespace - the configuration would look like this:
allowVolumeExpansion: trueapiVersion: storage.k8s.io/v1kind: StorageClassmetadata: annotations: storageclass.kubernetes.io/is-default-class: "false" creationTimestamp: "2022-01-24T08:40:03Z" name: encrypted-scparameters: compression: disabled host-encryption: enabled csi.storage.k8s.io/controller-expand-secret-name: lb-csi-creds csi.storage.k8s.io/controller-expand-secret-namespace: kube-system csi.storage.k8s.io/controller-publish-secret-name: lb-csi-creds csi.storage.k8s.io/controller-publish-secret-namespace: kube-system csi.storage.k8s.io/node-publish-secret-name: lb-csi-creds csi.storage.k8s.io/node-publish-secret-namespace: kube-system csi.storage.k8s.io/node-stage-secret-name: lb-csi-creds csi.storage.k8s.io/node-stage-secret-namespace: kube-system csi.storage.k8s.io/provisioner-secret-name: lb-csi-creds csi.storage.k8s.io/provisioner-secret-namespace: kube-system mgmt-endpoint: 10.131.44.1:443,10.131.44.2:443,10.131.44.3:443 mgmt-scheme: grpcs project-name: 0f89286d-0429-4209-a8a9-8612befbff97 replica-count: "3"provisioner: csi.lightbitslabs.comreclaimPolicy: DeletevolumeBindingMode: ImmediateThe Secret will then look like this:
---apiVersion: v1kind: Secretmetadata: name: lb-csi-creds namespace: kube-systemtype: Opaquedata: host-encryption-passphrase: bXlhd2Vzb21lcGFzc3BocmFzZQ== jwt: <the JWT token to authenticate against Lightbits>The name of the key for encryption must be: host-encryption-passphrase.
If a finer grained secret handling is required, the CSI spec allows templating of parameters in the storageclass. With this, something like the following is possible:
allowVolumeExpansion: trueapiVersion: storage.k8s.io/v1kind: StorageClassmetadata: annotations: storageclass.kubernetes.io/is-default-class: "false" creationTimestamp: "2022-01-24T08:40:03Z" name: partition-gold-encryptedparameters: compression: disabled host-encryption: enabled encryption-secret-namespace: ${pvc.namespace} encryption-secret-name: storage-encryption-key csi.storage.k8s.io/controller-expand-secret-name: lb-csi-creds csi.storage.k8s.io/controller-expand-secret-namespace: kube-system csi.storage.k8s.io/controller-publish-secret-name: lb-csi-creds csi.storage.k8s.io/controller-publish-secret-namespace: kube-system csi.storage.k8s.io/node-publish-secret-name: storage-encryption-key csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace} csi.storage.k8s.io/node-stage-secret-name: storage-encryption-key csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace} csi.storage.k8s.io/provisioner-secret-name: lb-csi-creds csi.storage.k8s.io/provisioner-secret-namespace: kube-system mgmt-endpoint: 10.131.44.1:443,10.131.44.2:443,10.131.44.3:443 mgmt-scheme: grpcs project-name: 0f89286d-0429-4209-a8a9-8612befbff97 replica-count: "3"provisioner: csi.lightbitslabs.comreclaimPolicy: DeletevolumeBindingMode: ImmediateNow, a storage encryption secret called storage-encryption-key must be present in the namespace of the PVC. This must also contain the host-encryption-passphrase - as shown above.
Additional explanation and samples can be found in the official CSI documentation.
© 2026 Lightbits Labs™