Chapter 3. Enabling user-managed encryption for Azure
In OpenShift Container Platform version 4.15, you can install a cluster with a user-managed encryption key in Azure. To enable this feature, you can prepare an Azure DiskEncryptionSet before installation, modify the install-config.yaml file, and then complete the installation.
3.1. Preparing an Azure Disk Encryption Set
The OpenShift Container Platform installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.
Procedure
Set the following environment variables for the Azure resource group by running the following command:

$ export RESOURCEGROUP="<resource_group>" \
    LOCATION="<location>"

- 1 (RESOURCEGROUP): Specifies the name of the Azure resource group where you will create the Disk Encryption Set and encryption key. To avoid losing access to your keys after destroying the cluster, you should create the Disk Encryption Set in a different resource group from the one where you install the cluster.
- 2 (LOCATION): Specifies the Azure location where you will create the resource group.
Set the following environment variables for the Azure Key Vault and Disk Encryption Set by running the following command:

$ export KEYVAULT_NAME="<keyvault_name>" \
    KEYVAULT_KEY_NAME="<keyvault_key_name>" \
    DISK_ENCRYPTION_SET_NAME="<disk_encryption_set_name>"

Set the environment variable for the ID of your Azure Service Principal by running the following command:

$ export CLUSTER_SP_ID="<service_principal_id>"

- 1 (CLUSTER_SP_ID): Specifies the ID of the service principal you will use for this installation.
Enable host-level encryption in Azure by running the following commands:

$ az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"

$ az feature show --namespace Microsoft.Compute --name EncryptionAtHost

$ az provider register -n Microsoft.Compute

Feature registration is asynchronous: the az feature show command reports the registration state, and it should show Registered before you continue.
Create an Azure Resource Group to hold the disk encryption set and associated resources by running the following command:

$ az group create --name $RESOURCEGROUP --location $LOCATION

Create an Azure key vault by running the following command:

$ az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION \
    --enable-purge-protection true

Create an encryption key in the key vault by running the following command:

$ az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME \
    --protection software

Capture the ID of the key vault by running the following command:

$ KEYVAULT_ID=$(az keyvault show --name $KEYVAULT_NAME --query "[id]" -o tsv)

Capture the key URL in the key vault by running the following command:

$ KEYVAULT_KEY_URL=$(az keyvault key show --vault-name $KEYVAULT_NAME --name \
    $KEYVAULT_KEY_NAME --query "[key.kid]" -o tsv)

Create a disk encryption set by running the following command:

$ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \
    $RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL
Grant the DiskEncryptionSet resource access to the key vault by running the following commands:

$ DES_IDENTITY=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
    $RESOURCEGROUP --query "[identity.principalId]" -o tsv)

$ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \
    $DES_IDENTITY --key-permissions wrapkey unwrapkey get

Grant the Azure Service Principal permission to read the DiskEncryptionSet by running the following commands:

$ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
    $RESOURCEGROUP --query "[id]" -o tsv)

$ az role assignment create --assignee $CLUSTER_SP_ID --role "<reader_role>" \
    --scope $DES_RESOURCE_ID -o jsonc

- 1 (<reader_role>): Specifies an Azure role with read permissions to the disk encryption set. You can use the Owner role or a custom role with the necessary permissions.
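The whole procedure above, collected into one script that makes the checks the manual steps leave to the reader explicit: it refuses to run with a missing variable, refuses a Disk Encryption Set resource group that equals a hypothetical CLUSTER_RESOURCEGROUP (the group the cluster will be installed into; not a variable the procedure defines), polls az feature show until the EncryptionAtHost registration reports Registered, and assigns the built-in Reader role rather than Owner, the narrowest built-in choice for the read access the installer needs. This is an added example, not code from the OpenShift documentation; it assumes the same environment variables as the steps above, an authenticated az CLI, and that it is run as ./des-setup.sh apply. On success it prints the Disk Encryption Set resource ID to copy into install-config.yaml.

```shell
#!/usr/bin/env bash
# Added example: the Disk Encryption Set procedure as one script with explicit
# checks. Not part of the OpenShift documentation. Assumes an authenticated az
# CLI and the procedure's environment variables; CLUSTER_RESOURCEGROUP is a
# hypothetical extra variable naming the group the cluster will be installed into.
set -eu

# Fail early if any variable the procedure depends on is unset or empty.
require_vars() {
    local missing=0 v val
    for v in RESOURCEGROUP LOCATION KEYVAULT_NAME KEYVAULT_KEY_NAME \
             DISK_ENCRYPTION_SET_NAME CLUSTER_SP_ID; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "error: $v is not set" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Destroying the cluster deletes its resource group, so the DES and key vault
# must live elsewhere or the keys become unreachable. An empty cluster group
# name skips the check.
check_separate_group() {
    if [ -n "$2" ] && [ "$1" = "$2" ]; then
        echo "error: put the Disk Encryption Set in a different resource group than the cluster ($2)" >&2
        return 1
    fi
    return 0
}

# Feature registration is asynchronous; poll until Azure reports Registered.
# $1 = maximum number of attempts, 10 seconds apart.
wait_for_feature() {
    local attempts=0 state=""
    while [ "$attempts" -lt "$1" ]; do
        state=$(az feature show --namespace Microsoft.Compute --name EncryptionAtHost \
                --query properties.state -o tsv)
        if [ "$state" = "Registered" ]; then
            return 0
        fi
        attempts=$((attempts + 1))
        sleep 10
    done
    echo "error: EncryptionAtHost is still not registered (last state: $state)" >&2
    return 1
}

# Runs every step of the procedure and prints the DES resource ID on success.
setup_disk_encryption_set() {
    require_vars
    check_separate_group "$RESOURCEGROUP" "${CLUSTER_RESOURCEGROUP:-}"

    az feature register --namespace Microsoft.Compute --name EncryptionAtHost >/dev/null
    wait_for_feature 30
    az provider register -n Microsoft.Compute >/dev/null

    az group create --name "$RESOURCEGROUP" --location "$LOCATION" >/dev/null
    # Purge protection keeps a deleted vault, and the keys in it, recoverable.
    az keyvault create -n "$KEYVAULT_NAME" -g "$RESOURCEGROUP" -l "$LOCATION" \
        --enable-purge-protection true >/dev/null
    az keyvault key create --vault-name "$KEYVAULT_NAME" -n "$KEYVAULT_KEY_NAME" \
        --protection software >/dev/null

    local keyvault_id keyvault_key_url des_identity des_resource_id
    keyvault_id=$(az keyvault show --name "$KEYVAULT_NAME" --query "[id]" -o tsv)
    keyvault_key_url=$(az keyvault key show --vault-name "$KEYVAULT_NAME" \
        --name "$KEYVAULT_KEY_NAME" --query "[key.kid]" -o tsv)

    az disk-encryption-set create -n "$DISK_ENCRYPTION_SET_NAME" -l "$LOCATION" \
        -g "$RESOURCEGROUP" --source-vault "$keyvault_id" --key-url "$keyvault_key_url" >/dev/null

    # The DES identity only needs to wrap, unwrap and read the key (least privilege).
    des_identity=$(az disk-encryption-set show -n "$DISK_ENCRYPTION_SET_NAME" \
        -g "$RESOURCEGROUP" --query "[identity.principalId]" -o tsv)
    az keyvault set-policy -n "$KEYVAULT_NAME" -g "$RESOURCEGROUP" \
        --object-id "$des_identity" --key-permissions wrapkey unwrapkey get >/dev/null

    # The installer only reads the DES, so the built-in Reader role is enough
    # (chosen here instead of Owner, which the docs list as one option).
    des_resource_id=$(az disk-encryption-set show -n "$DISK_ENCRYPTION_SET_NAME" \
        -g "$RESOURCEGROUP" --query "[id]" -o tsv)
    az role assignment create --assignee "$CLUSTER_SP_ID" --role Reader \
        --scope "$des_resource_id" >/dev/null

    echo "$des_resource_id"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
case "${1:-}" in
    apply) setup_disk_encryption_set ;;
esac
```

Because every Azure call goes through the az command, the script can be exercised without a subscription by defining a shell function named az that returns canned values, which is how the checks above were verified; in real use, the printed resource ID is the value that goes into install-config.yaml, and the resource group it lives in must outlive the cluster.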
3.2. Next steps
Install an OpenShift Container Platform cluster:
- Install a cluster with customizations on installer-provisioned infrastructure
- Install a cluster with network customizations on installer-provisioned infrastructure
- Install a cluster into an existing VNet on installer-provisioned infrastructure
- Install a private cluster on installer-provisioned infrastructure
- Install a cluster into a government region on installer-provisioned infrastructure