Skip to content

Commit

Permalink
doc: added docs for Azure KMS
Browse files Browse the repository at this point in the history
Signed-off-by: Praveen M <m.praveen@ibm.com>
  • Loading branch information
iPraveenParihar committed Mar 6, 2024
1 parent fb1ae38 commit 43f9959
Show file tree
Hide file tree
Showing 2 changed files with 85 additions and 0 deletions.
27 changes: 27 additions & 0 deletions docs/deploy-rbd.md
Original file line number Diff line number Diff line change
Expand Up @@ -448,6 +448,33 @@ the AWS KMS is expected to contain:
This Secret is expected to be created by the tenant/user in each namespace where
Ceph-CSI is used to create encrypted rbd volumes.

#### Configuring Azure key vault

Ceph-CSI can be configured to use
[Azure key vault](https://azure.microsoft.com/en-in/products/key-vault),
for encrypting RBD volumes.

There are a few settings that need to be included in the [KMS configuration
file](../examples/kms/vault/kms-config.yaml):

1. `encryptionKMSType`: should be set to `azure-kv`.
1. `AZURE_CERT_SECRET_NAME`: name of the Kubernetes Secret (in the Namespace where
PVC is created) which contains the credentials for communicating with
Azure. This defaults to `ceph-csi-azure-credentials`.
1. `AZURE_VAULT_URL`: URL to access the Azure Key Vault service.
1. `AZURE_CLIENT_ID`: Client ID of the Azure application object (service principal)
created in Azure Active Directory that serves as the username.
1. `AZURE_TENANT_ID`: Tenant ID of the service principal.

The [Secret with credentials](../examples/kms/vault/azure-credentials.yaml) for
the Azure KMS is expected to contain:

1. `AZURE_CLIENT_CERTIFICATE`: The client certificate used for authentication
with Azure Key Vault.

This Secret is expected to be created by the tenant/user in each namespace
where PV's are created.

#### Configuring KMIP KMS

The Key Management Interoperability Protocol (KMIP) is an extensible
Expand Down
58 changes: 58 additions & 0 deletions docs/design/proposals/encryption-with-azure-keyvault.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# Encrypted volumes with Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets.
A secret is anything that you want to tightly control access to, such as API
keys, passwords, certificates, or cryptographic keys.

## Connection to Azure Key Vault

Below values are used to establish the connection to the Key Vault
service from the CSI driver and to make use of the secrets
`GetSecret`/`SetSecret` operations:

```text
* AZURE_VAULT_URL
The URL used to access the Azure Key Vault service.
* AZURE_CLIENT_ID
The Client ID of the Azure application object (also known as the service principal).
This ID serves as the username.
* AZURE_TENANT_ID
The Tenant ID associated with the service principal.
* AZURE_CLIENT_CERTIFICATE
The client certificate (which includes the private key and is not password protected)
used for authentication with Azure Key Vault.
```

### Values provided in the connection Secret

Considering `AZURE_CLIENT_CERTIFICATE` is sensitive information,
it will be provided as a Kubernetes Secret to the CSI driver. The Ceph CSI
KMS plugin interface for the Azure key vault will read the Secret name from the
kms ConfigMap and fetch the certificate.

### Values provided in the config map

`AZURE_VAULT_URL`, `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` are part of the
KMS ConfigMap.

### Storage class values or configuration

The Storage class has to be enabled for encryption and `encryptionKMSID` has
to be provided which is the matching value in the kms config map.

## Volume Encrypt or Decrypt Operation

CephCSI generate's unique passphrase for each volume to be used to
encrypt/decrypt. The passphrase is securely store in Azure key vault
using the `SetSecret` operation. At time of decrypt the passphrase is
retrieved from the key vault using the `GetSecret`operation.

## volume Delete Operation

When the corresponding volume is deleted, the stored secret in the Azure Key
Vault will also be permanently removed.

> Note: Ceph-CSI solely deletes the secret without permanent removal (purging).

0 comments on commit 43f9959

Please sign in to comment.