Encrypt ossfs 1.0 volumes


Data encryption is recommended for scenarios that require high security or compliance. You can use Customer Master Keys (CMKs) from Key Management Service (KMS) or keys managed by Object Storage Service (OSS) to encrypt OSS volumes in ACK clusters. This helps ensure data privacy and gives you control over your data.

Encryption methods

OSS volume encryption can be either server-side encryption (SSE) or client-side encryption. ACK supports only SSE.

  • Server-side encryption: OSS encrypts data before storing it on disk in a data center and automatically decrypts it when you download objects.

  • Client-side encryption: You can use a client-side encryption SDK to encrypt data locally before uploading it to OSS.

OSS provides two server-side encryption methods. Only one server-side encryption method can be used for an object at a time.

  • Using CMKs from KMS for encryption (SSE-KMS)

    • Use the default CMK: When you upload an object, set the X-OSS-server-side-encryption request header to KMS and do not specify a CMK ID.

    • Use a specified CMK ID: When you upload an object, set the X-OSS-server-side-encryption request header to KMS, and set X-OSS-server-side-encryption-key-id to your CMK ID.

    Important

    Using KMS keys incurs a small fee for API calls. For more information, see Billing of KMS 1.0.

    This method is cost-effective because OSS does not send object data over the network to the KMS server for encryption and decryption; only key operations involve KMS.

  • Using keys fully managed by OSS for encryption (SSE-OSS)

    • This method uses keys fully managed by OSS, and encryption is an object attribute.

    • OSS generates and manages data encryption keys and uses the industry-standard AES-256 strong encryption algorithm.

    • When you upload an object, set the X-OSS-server-side-encryption request header to AES256.

You can configure the encryption parameters for an OSS volume using the ossfs tool. These settings are applied when you mount the persistent volume (PV). Note that the akId and akSecret values are stored in plain text in the PV's volumeAttributes, so restrict who can read PV objects in the cluster.

For more information about how to configure and install ossfs, see Install ossfs 1.0.

Prerequisites

Scenario 1: Use the default KMS CMK

  1. Copy the following content to a file named kms-cmk-default.yaml.

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: oss-csi-pv
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadOnlyMany
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: oss-csi-pv
        volumeAttributes:
          bucket: "python"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o umask=022 -o max_stat_cache_size=100000 -o allow_other"
          akId: "<YourAccessKey ID>"           # Replace with your AccessKey ID
          akSecret: "<YourAccessKey Secret>"   # Replace with your AccessKey Secret
          path: "/"
          encrypted: "kms"

    Parameter   Description
    akId        AccessKey ID
    akSecret    AccessKey Secret
    encrypted   The encryption method for the volume:
                • kms: KMS encryption (SSE-KMS).
                • aes256: AES-256 encryption (SSE-OSS).

  2. Create the encrypted volume.

    kubectl create -f kms-cmk-default.yaml
  3. View the created encrypted volume.

    kubectl get pv

Scenario 2: Use a specified KMS CMK ID

1. Configure KMS access permissions

To encrypt an OSS object with a specific CMK, the RAM user or role associated with the PV's AccessKey must be granted permission to use that CMK. For more information, see Server-side encryption.

Before you begin, make sure that you have created a RAM user or created a RAM role.
  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the navigation pane, select User or Role.

  3. Find the target RAM user and click Add Permissions in the Actions column. Alternatively, find the target RAM role and click Attach Policy in the Actions column. Follow the on-screen instructions to grant the permissions. You can attach the AliyunKMSFullAccess system policy or a custom policy named AliyunOSSEncryptCustomizedPolicy.

    The AliyunKMSFullAccess permission provides broad access. For more granular control, you can create a custom policy named AliyunOSSEncryptCustomizedPolicy with the following content.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*",
            "kms:DescribeKey",
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": [
            "acs:kms:*:141661496593****:*"
          ]
        }
      ]
    }

    The Resource value above allows the principal to use all KMS keys under this Alibaba Cloud account (141661496593**** is the account ID). To allow access to only a specific CMK, replace the wildcard resource with the ARN of that CMK. JSON does not permit comments, so keep explanatory notes outside the policy document.
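The following is an added example, not code from the ACK documentation or the ACK project: it builds a RAM policy that grants only the four KMS actions listed above, scoped to one CMK, and lints a policy document for grants that are wider than SSE-KMS needs (wildcard actions, or a Resource that covers every key in the account). The KMS key ARN layout acs:kms:<region>:<account-id>:key/<key-id> is an assumption, and the account ID and key ID used in the sample are constructed placeholders.

```python
"""Least-privilege helper for the SSE-KMS policy (added example, not from the page).

Assumption: a single KMS key is addressed by an ARN of the form
acs:kms:<region>:<account-id>:key/<key-id>. Sample IDs below are constructed.
"""
import json

# The four KMS actions the page's custom policy grants for SSE-KMS.
REQUIRED_KMS_ACTIONS = ("kms:List*", "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt")

# The page's policy as printed, with its account-wide wildcard resource.
PAGE_POLICY_JSON = """{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:List*", "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"],
      "Resource": ["acs:kms:*:141661496593****:*"]
    }
  ]
}"""


def cmk_arn(region: str, account_id: str, key_id: str) -> str:
    """Build the ARN of one CMK (ARN layout is an assumption, see docstring)."""
    return f"acs:kms:{region}:{account_id}:key/{key_id}"


def build_policy(key_arn: str) -> dict:
    """Policy granting exactly the page's actions, but only on the given CMK."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": list(REQUIRED_KMS_ACTIONS), "Resource": [key_arn]}
        ],
    }


def _as_list(value):
    # RAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings for grants wider than SSE-KMS requires."""
    findings = []
    for i, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            if action in ("*", "kms:*"):
                findings.append(f"statement {i}: action {action!r} grants every KMS operation")
            elif action.startswith("kms:") and action not in REQUIRED_KMS_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is not needed for SSE-KMS")
        for resource in _as_list(statement.get("Resource", [])):
            # "*" or a trailing ":*" means every key in scope rather than one CMK.
            if resource == "*" or resource.endswith(":*"):
                findings.append(f"statement {i}: resource {resource!r} covers every key, not one CMK")
    return findings


def lint_policy_json(text: str) -> list:
    """Parse a policy document (strict JSON, no comments) and lint it."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    print("page policy:", lint_policy_json(PAGE_POLICY_JSON))
    # Constructed account ID and key ID; replace with your own values.
    scoped = build_policy(cmk_arn("cn-hangzhou", "123456789012", "11111111-2222-3333-4444-555555555555"))
    print(json.dumps(scoped, indent=2))
    print("scoped policy:", lint_policy(scoped))
```

Run it as a script to print the page's policy findings followed by the scoped replacement; paste the printed policy into the custom policy editor after substituting your own region, account ID and CMK ID.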

2. Create the encrypted volume

  1. Create a file named kms-cmk.yaml.

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: oss-csi-pv
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadOnlyMany
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: oss-csi-pv
        volumeAttributes:
          bucket: "python"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o umask=022 -o max_stat_cache_size=100000 -o allow_other"
          akId: "<YourAccessKey ID>"           # Replace with your AccessKey ID
          akSecret: "<YourAccessKey Secret>"   # Replace with your AccessKey Secret
          path: "/"
          encrypted: "kms"
          kmsKeyId: "<YourCMKID>"          # Replace with your CMK ID
  2. Create the encrypted volume.

    kubectl create -f kms-cmk.yaml
  3. View the created encrypted volume.

    kubectl get pv

Scenario 3: Use OSS-managed keys

  1. Create a file named sse-oss.yaml.

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: oss-csi-pv
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadOnlyMany
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: oss-csi-pv
        volumeAttributes:
          bucket: "python"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o umask=022 -o max_stat_cache_size=100000 -o allow_other"
          akId: "<YourAccessKey ID>"             # Replace with your AccessKey ID
          akSecret: "<YourAccessKey Secret>"     # Replace with your AccessKey Secret
          path: "/"
          encrypted: "aes256"
  2. Create the encrypted volume.

    kubectl create -f sse-oss.yaml
  3. View the created encrypted volume.

    kubectl get pv
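The three scenarios above differ only in the encrypted and kmsKeyId attributes of the PV. The following added example (not code from the ACK documentation or the ACK project) reads those attributes from the JSON that kubectl get pv <name> -o json returns, checks them for the mistakes that silently leave data unencrypted (a missing or misspelled encrypted value, a kmsKeyId without encrypted: "kms", placeholders left in place), derives the OSS request headers the page says each setting corresponds to, and classifies an object's effective encryption from its HEAD response headers. It assumes that OSS echoes x-oss-server-side-encryption and x-oss-server-side-encryption-key-id in HEAD responses; the PV document and header sets are constructed samples.

```python
"""Audit an OSS PV's encryption settings (added example, not from the page).

Assumption: OSS returns x-oss-server-side-encryption (and, for SSE-KMS,
x-oss-server-side-encryption-key-id) in HEAD responses. All sample data below
is constructed.
"""
import json

VALID_ENCRYPTED = ("kms", "aes256")

# Constructed stand-in for `kubectl get pv oss-csi-pv -o json` (Scenario 2 shape).
SAMPLE_PV_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "PersistentVolume",
    "metadata": {"name": "oss-csi-pv"},
    "spec": {
        "capacity": {"storage": "5Gi"},
        "accessModes": ["ReadOnlyMany"],
        "csi": {
            "driver": "ossplugin.csi.alibabacloud.com",
            "volumeHandle": "oss-csi-pv",
            "volumeAttributes": {
                "bucket": "python",
                "url": "oss-cn-hangzhou.aliyuncs.com",
                "akId": "constructed-access-key-id",
                "akSecret": "constructed-access-key-secret",
                "path": "/",
                "encrypted": "kms",
                "kmsKeyId": "11111111-2222-3333-4444-555555555555",  # constructed
            },
        },
    },
})


def volume_attributes(pv_json_text: str) -> dict:
    """Extract spec.csi.volumeAttributes from a kubectl -o json PV document."""
    pv = json.loads(pv_json_text)
    return pv.get("spec", {}).get("csi", {}).get("volumeAttributes", {})


def expected_sse_headers(attrs: dict) -> dict:
    """Map the PV attributes to the request headers described on the page."""
    enc = attrs.get("encrypted")
    if enc == "kms":
        headers = {"x-oss-server-side-encryption": "KMS"}
        if attrs.get("kmsKeyId"):
            headers["x-oss-server-side-encryption-key-id"] = attrs["kmsKeyId"]
        return headers
    if enc == "aes256":
        return {"x-oss-server-side-encryption": "AES256"}
    return {}


def check_volume_attributes(attrs: dict) -> list:
    """Findings that would leave uploads unencrypted or the mount broken."""
    problems = []
    enc = attrs.get("encrypted")
    if enc is None:
        problems.append("'encrypted' is not set: ossfs will not request server-side encryption")
    elif enc not in VALID_ENCRYPTED:
        problems.append(f"'encrypted' must be one of {VALID_ENCRYPTED}, got {enc!r}")
    if attrs.get("kmsKeyId") and enc != "kms":
        problems.append("'kmsKeyId' is set but 'encrypted' is not 'kms'; the key ID has no effect")
    for key in ("akId", "akSecret", "kmsKeyId"):
        value = str(attrs.get(key, ""))
        if value.startswith("<") and value.endswith(">"):
            problems.append(f"{key!r} still holds the placeholder {value}")
    return problems


def sse_from_head_headers(headers: dict) -> str:
    """Classify an object's effective SSE from its (case-insensitive) HEAD headers."""
    h = {k.lower(): v for k, v in headers.items()}
    alg = h.get("x-oss-server-side-encryption")
    if alg is None:
        return "none"
    if alg == "AES256":
        return "aes256"
    if alg == "KMS":
        return "kms:" + h.get("x-oss-server-side-encryption-key-id", "default")
    return "unknown:" + alg


def object_matches_pv(attrs: dict, head_headers: dict) -> bool:
    """True when an object's effective SSE matches what the PV requests."""
    want = sse_from_head_headers(expected_sse_headers(attrs))
    got = sse_from_head_headers(head_headers)
    if want == "kms:default":
        return got.startswith("kms:")  # default CMK: any KMS key ID is acceptable
    return want == got


if __name__ == "__main__":
    attrs = volume_attributes(SAMPLE_PV_JSON)
    print("problems:", check_volume_attributes(attrs))
    print("expected headers:", expected_sse_headers(attrs))
    # Constructed HEAD response for an object written through this PV.
    head = {"X-Oss-Server-Side-Encryption": "KMS",
            "X-Oss-Server-Side-Encryption-Key-Id": "11111111-2222-3333-4444-555555555555"}
    print("object matches PV:", object_matches_pv(attrs, head))
```

In practice, feed volume_attributes the output of kubectl get pv <name> -o json and sse_from_head_headers the headers of a HEAD request for an object written through the mount; a mismatch after a PV change usually means objects were uploaded before the new encrypted setting took effect, since SSE is an attribute of each object, not of the bucket.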