Setup Encrypted Volumes

This page explains how to configure encryption for persistent volumes where encrypted volume support is enabled.

Prerequisites

For this guide, it’s assumed that:

Ensure the PersistentVolumeClaim has set spec.storageClassName=ssd-encrypted (or bulk-encrypted).
Create a Secret that contains the encryption key.
```
oc create secret generic my-pvc-luks-key \ (1)
    --from-literal luksKey=$(pwgen -c -s 64 1) (2)
```
1 The name must be composed with the PersistentVolumeClaim name and -luks-key as suffix

2 Key within Secret must be named luksKey
You can also create the encryption key using files.

If you need to manage the Secret via Helm you can also use the secret Helm chart.

Don’t lose the encryption key! You can’t change it.

The cipher used is aes-xts-plain64 with a key size of 512. See more details in csi-cloudscale.

1	The name must be composed with the `PersistentVolumeClaim` name and `-luks-key` as suffix
2	Key within `Secret` must be named `luksKey`