Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 4. Enabling user-managed encryption for Azure

In OpenShift Container Platform version 4.13, you can install a cluster with a user-managed encryption key in Azure. To enable this feature, you can prepare an Azure DiskEncryptionSet before installation, modify the install-config.yaml file, and then complete the installation.

4.1. Preparing an Azure Disk Encryption Set for Day2 Operator
Copiar enlace

The OpenShift Container Platform installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a DiskEncryptionSet object in Azure and provide the key to the installation program.

Prerequisite

  • You enabled the EncryptionAtHost feature in your Azure subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host". .Procedure

    1. Mark the node from the encyptionAtHost cluster resource group as unschedulable by using the following command: 

      $ oc adm cordon <node_name>
      Copy to Clipboard Toggle word wrap

    2. Evacuate the pods from the compute node. There are several ways to do this. For example, you can evacuate all the pods or the selected pods on a node: 

      $ oc adm drain <compute_node> [--pod-selector=<pod_selector>]
      Copy to Clipboard Toggle word wrap
      Note

      For other options to evacuate pods from a node, see the "Understanding how to evacuate pods on nodes" section.

    3. De-allocate the node by running the following command: 

      $ az vm deallocate -n <node_name> -g <cluster_resource_group>
      Copy to Clipboard Toggle word wrap

    4. Set the encryptionAtHost property to true by running the following command: 

      $ az vm update -n <node_name> -g <cluster_resource_group> --set securityProfile.encryptionAtHost=true
      Copy to Clipboard Toggle word wrap

    5. Start the node by running the following commands: 

      $ az vm start -n <node_name> -g <cluster_resource_group>
      Copy to Clipboard Toggle word wrap

    6. Mark the node as schedulable by using the following command: 

      $ oc adm uncordon <node_name>
      Copy to Clipboard Toggle word wrap

    7. Verify that all cluster Operators are available: 

      $ oc get clusteroperators
      Copy to Clipboard Toggle word wrap

      All Operators should show AVAILABLE=True, PROGRESSING=False, and DEGRADED=False.

    8. Repeat the above steps on all the nodes that run encryptionAtHost.
Note

If you want to enable encryption for your host during cluster installation, specify the following parameters in the install-config.yaml file: * compute.platform.azure.encryptionAtHost * controlPlane.platform.azure.encryptionAtHost * platform.azure.defaultMachinePlatform.encryptionAtHost

4.2. Preparing an Azure Disk Encryption Set
Copiar enlace

The OpenShift Container Platform installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.

Procedure

  1. Set the following environment variables for the Azure resource group by running the following command: 

    $ export RESOURCEGROUP="<resource_group>" \
    1 
    
    LOCATION="<location>"
    2
    Copy to Clipboard Toggle word wrap
    1
    Specifies the name of the Azure resource group where you will create the Disk Encryption Set and encryption key. To avoid losing access to your keys after destroying the cluster, you should create the Disk Encryption Set in a different resource group than the resource group where you install the cluster.
    2
    Specifies the Azure location where you will create the resource group.

  2. Set the following environment variables for the Azure Key Vault and Disk Encryption Set by running the following command: 

    $ export KEYVAULT_NAME="<keyvault_name>" \
    1 
    
    KEYVAULT_KEY_NAME="<keyvault_key_name>" \
    2 
    
    DISK_ENCRYPTION_SET_NAME="<disk_encryption_set_name>"
    3
    Copy to Clipboard Toggle word wrap
    1
    Specifies the name of the Azure Key Vault you will create.
    2
    Specifies the name of the encryption key you will create.
    3
    Specifies the name of the disk encryption set you will create.

  3. Set the environment variable for the ID of your Azure Service Principal by running the following command: 

    $ export CLUSTER_SP_ID="<service_principal_id>"
    1
    Copy to Clipboard Toggle word wrap
    1
    Specifies the ID of the service principal you will use for this installation.

  4. Enable host-level encryption in Azure by running the following commands: 

    $ az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
    Copy to Clipboard Toggle word wrap 
    $ az feature show --namespace Microsoft.Compute --name EncryptionAtHost
    Copy to Clipboard Toggle word wrap 
    $ az provider register -n Microsoft.Compute
    Copy to Clipboard Toggle word wrap

  5. Create an Azure Resource Group to hold the disk encryption set and associated resources by running the following command: 

    $ az group create --name $RESOURCEGROUP --location $LOCATION
    Copy to Clipboard Toggle word wrap

  6. Create an Azure key vault by running the following command: 

    $ az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION \
    --enable-purge-protection true
    Copy to Clipboard Toggle word wrap

  7. Create an encryption key in the key vault by running the following command: 

    $ az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME \
    --protection software
    Copy to Clipboard Toggle word wrap

  8. Capture the ID of the key vault by running the following command: 

    $ KEYVAULT_ID=$(az keyvault show --name $KEYVAULT_NAME --query "[id]" -o tsv)
    Copy to Clipboard Toggle word wrap

  9. Capture the key URL in the key vault by running the following command: 

    $ KEYVAULT_KEY_URL=$(az keyvault key show --vault-name $KEYVAULT_NAME --name \
    $KEYVAULT_KEY_NAME --query "[key.kid]" -o tsv)
    Copy to Clipboard Toggle word wrap

  10. Create a disk encryption set by running the following command: 

    $ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \
    $RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL
    Copy to Clipboard Toggle word wrap

  11. Grant the DiskEncryptionSet resource access to the key vault by running the following commands: 

    $ DES_IDENTITY=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
    $RESOURCEGROUP --query "[identity.principalId]" -o tsv)
    Copy to Clipboard Toggle word wrap 
    $ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \
    $DES_IDENTITY --key-permissions wrapkey unwrapkey get
    Copy to Clipboard Toggle word wrap

  12. Grant the Azure Service Principal permission to read the DiskEncryptionSet by running the following commands: 

    $ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
    $RESOURCEGROUP --query "[id]" -o tsv)
    Copy to Clipboard Toggle word wrap 
    $ az role assignment create --assignee $CLUSTER_SP_ID --role "<reader_role>" \
    1 
    
    --scope $DES_RESOURCE_ID -o jsonc
    Copy to Clipboard Toggle word wrap
    1
    Specifies an Azure role with read permissions to the disk encryption set. You can use the Owner role or a custom role with the necessary permissions.

4.3. Next steps
Copiar enlace

Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat