Setup Encrypted Volumes

This page explains how to configure encryption for persistent volumes where encrypted volume support is enabled.


For this guide, it’s assumed that:

  • You have pwgen or a similar password generator installed.

  • You are logged in to your APPUiO Cloud project using the oc login command.


  1. Ensure the PersistentVolumeClaim has set spec.storageClassName=ssd-encrypted (or bulk-encrypted).

  2. Create a Secret that contains the encryption key.

    oc create secret generic my-pvc-luks-key \ (1)
        --from-literal luksKey=$(pwgen -c -s 64 1) (2)
    1 The name must be composed with the PersistentVolumeClaim name and -luks-key as suffix
    2 Key within Secret must be named luksKey
    • You can also create the encryption key using files.

    • If you need to manage the Secret via Helm you can also use the secret Helm chart.

Don’t lose the encryption key! You can’t change it.

The cipher used is aes-xts-plain64 with a key size of 512. See more details in csi-cloudscale.