
Chapter 4. Enabling user-managed encryption for Azure


In OpenShift Container Platform version 4.12, you can install a cluster with a user-managed encryption key in Azure. To enable this feature, you can prepare an Azure DiskEncryptionSet before installation, modify the install-config.yaml file, and then perform post-installation steps.

4.1. Preparing an Azure Disk Encryption Set for Day2 Operator

The OpenShift Container Platform installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a DiskEncryptionSet object in Azure and provide the key to the installation program.

Prerequisite

  • You enabled the EncryptionAtHost feature in your Azure subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".

Procedure

    1. Mark the node from the encryptionAtHost cluster resource group as unschedulable by using the following command:

      $ oc adm cordon <node_name>
    2. Evacuate the pods from the compute node. There are several ways to do this. For example, you can evacuate all the pods or the selected pods on a node:

      $ oc adm drain <compute_node> [--pod-selector=<pod_selector>]
      Note

      For other options to evacuate pods from a node, see the "Understanding how to evacuate pods on nodes" section.

    3. De-allocate the node by running the following command:

      $ az vm deallocate -n <node_name> -g <cluster_resource_group>
    4. Set the encryptionAtHost property to true by running the following command:

      $ az vm update -n <node_name> -g <cluster_resource_group> --set securityProfile.encryptionAtHost=true
    5. Start the node by running the following command:

      $ az vm start -n <node_name> -g <cluster_resource_group>
    6. Mark the node as schedulable by using the following command:

      $ oc adm uncordon <node_name>
    7. Verify that all cluster Operators are available:

      $ oc get clusteroperators

      All Operators should show AVAILABLE=True, PROGRESSING=False, and DEGRADED=False.

    8. Repeat the above steps on all the nodes that run encryptionAtHost.
Note

If you want to enable encryption for your host during cluster installation, specify the following parameters in the install-config.yaml file:

  • compute.platform.azure.encryptionAtHost
  • controlPlane.platform.azure.encryptionAtHost
  • platform.azure.defaultMachinePlatform.encryptionAtHost
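The per-node procedure in section 4.1 is easy to get wrong when repeated across many nodes: a node that already has host encryption gets needlessly drained, or the next node is taken down while the cluster is still recovering from the previous one. The script below is an added example (it is not part of the OpenShift documentation) that wraps steps 1 to 7 for one node, skips nodes whose VM already reports securityProfile.encryptionAtHost=true, and refuses to continue until every cluster Operator is Available=True, Progressing=False and Degraded=False. It assumes that oc and az are logged in, that the Azure VM name is the same as the OpenShift node name (an assumption; true for installer-provisioned clusters), and it adds the --ignore-daemonsets and --delete-emptydir-data drain flags, which the page's drain command leaves to the reader.

```shell
#!/bin/sh
# Added example, not from the OpenShift docs: enable encryptionAtHost on existing
# nodes one at a time, gated on cluster Operator health between nodes.
# Assumptions: oc and az are logged in; Azure VM name == OpenShift node name.
set -eu

# Read "name available progressing degraded" lines (one per Operator, as
# produced by operators_status) and succeed only if every Operator shows
# Available=True, Progressing=False, Degraded=False.
all_operators_healthy() {
    unhealthy=0
    while read -r name avail prog deg; do
        if [ -z "$name" ]; then
            continue
        fi
        if [ "$avail" != "True" ] || [ "$prog" != "False" ] || [ "$deg" != "False" ]; then
            echo "operator $name not healthy: Available=$avail Progressing=$prog Degraded=$deg" >&2
            unhealthy=1
        fi
    done
    return "$unhealthy"
}

# Live query: one line per Operator with the three condition statuses.
operators_status() {
    oc get clusteroperators -o jsonpath='{range .items[*]}{.metadata.name} {.status.conditions[?(@.type=="Available")].status} {.status.conditions[?(@.type=="Progressing")].status} {.status.conditions[?(@.type=="Degraded")].status}{"\n"}{end}'
}

# Decide whether a VM still needs the change, from the tsv output of
# `az vm show --query securityProfile.encryptionAtHost -o tsv`
# ("true", "false", or empty when the property is unset).
needs_encryption_at_host() {
    case "$1" in
        true|True) return 1 ;;   # already enabled: skip the disruptive steps
        *)         return 0 ;;
    esac
}

# Steps 1-7 of the procedure for a single node.
enable_encryption_at_host() {
    node="$1"
    rg="$2"
    current=$(az vm show -n "$node" -g "$rg" --query securityProfile.encryptionAtHost -o tsv)
    if ! needs_encryption_at_host "$current"; then
        echo "$node: encryptionAtHost already true, skipping"
        return 0
    fi
    oc adm cordon "$node"
    oc adm drain "$node" --ignore-daemonsets --delete-emptydir-data
    az vm deallocate -n "$node" -g "$rg"
    az vm update -n "$node" -g "$rg" --set securityProfile.encryptionAtHost=true
    az vm start -n "$node" -g "$rg"
    oc adm uncordon "$node"
    # Gate: do not move on to the next node until the cluster is healthy again.
    operators_status | all_operators_healthy
}

# Usage: sh enable-host-encryption.sh <cluster_resource_group> <node_name>...
if [ "$#" -ge 2 ]; then
    rg="$1"
    shift
    for node in "$@"; do
        enable_encryption_at_host "$node" "$rg"
    done
fi
```

Because the health gate runs after each node, a node whose drain or restart leaves an Operator Degraded stops the rollout there, which is the point at which you want to look before touching the next node.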

4.2. Preparing an Azure Disk Encryption Set

The OpenShift Container Platform installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.

Procedure

  1. Set the following environment variables for the Azure resource group by running the following command:

    $ export RESOURCEGROUP="<resource_group>" \
        LOCATION="<location>"

    1 <resource_group>: Specifies the name of the Azure resource group where you will create the Disk Encryption Set and encryption key. To avoid losing access to your keys after destroying the cluster, you should create the Disk Encryption Set in a different resource group than the resource group where you install the cluster.
    2 <location>: Specifies the Azure location where you will create the resource group.
  2. Set the following environment variables for the Azure Key Vault and Disk Encryption Set by running the following command:

    $ export KEYVAULT_NAME="<keyvault_name>" \
        KEYVAULT_KEY_NAME="<keyvault_key_name>" \
        DISK_ENCRYPTION_SET_NAME="<disk_encryption_set_name>"

    1 <keyvault_name>: Specifies the name of the Azure Key Vault you will create.
    2 <keyvault_key_name>: Specifies the name of the encryption key you will create.
    3 <disk_encryption_set_name>: Specifies the name of the disk encryption set you will create.
  3. Set the environment variable for the ID of your Azure Service Principal by running the following command:

    $ export CLUSTER_SP_ID="<service_principal_id>"

    1 <service_principal_id>: Specifies the ID of the service principal you will use for this installation.
  4. Enable host-level encryption in Azure by running the following commands:

    $ az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
    $ az feature show --namespace Microsoft.Compute --name EncryptionAtHost
    $ az provider register -n Microsoft.Compute
  5. Create an Azure Resource Group to hold the disk encryption set and associated resources by running the following command:

    $ az group create --name $RESOURCEGROUP --location $LOCATION
  6. Create an Azure key vault by running the following command:

    $ az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION \
        --enable-purge-protection true
  7. Create an encryption key in the key vault by running the following command:

    $ az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME \
        --protection software
  8. Capture the ID of the key vault by running the following command:

    $ KEYVAULT_ID=$(az keyvault show --name $KEYVAULT_NAME --query "[id]" -o tsv)
  9. Capture the key URL in the key vault by running the following command:

    $ KEYVAULT_KEY_URL=$(az keyvault key show --vault-name $KEYVAULT_NAME --name \
        $KEYVAULT_KEY_NAME --query "[key.kid]" -o tsv)
  10. Create a disk encryption set by running the following command:

    $ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \
        $RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL
  11. Grant the DiskEncryptionSet resource access to the key vault by running the following commands:

    $ DES_IDENTITY=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
        $RESOURCEGROUP --query "[identity.principalId]" -o tsv)
    $ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \
        $DES_IDENTITY --key-permissions wrapkey unwrapkey get
  12. Grant the Azure Service Principal permission to read the DiskEncryptionSet by running the following commands:

    $ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
        $RESOURCEGROUP --query "[id]" -o tsv)
    $ az role assignment create --assignee $CLUSTER_SP_ID --role "<reader_role>" \
        --scope $DES_RESOURCE_ID -o jsonc

    1 <reader_role>: Specifies an Azure role with read permissions to the disk encryption set. You can use the Owner role or a custom role with the necessary permissions.
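The procedure above creates the Key Vault, key, Disk Encryption Set and access policy but never checks the result, and the three properties that matter for the security of the cluster's disks are easy to get wrong silently: purge protection on the vault (without it the key backing every disk can be permanently deleted), the key URL the set actually points at, and the key permissions the set's managed identity holds. The script below is an added example, not code from the OpenShift documentation: the two pure-shell helpers run offline, verify_disk_encryption_set runs the same az queries the procedure uses against the exported RESOURCEGROUP, KEYVAULT_NAME and DISK_ENCRYPTION_SET_NAME variables, and create_des_reader_role shows the custom-role option the <reader_role> callout mentions. Assumptions: the `.vault.azure.net` host suffix is the public cloud's, and the custom role's single action `Microsoft.Compute/diskEncryptionSets/read` is treated here as sufficient for the installer's read access, which you should confirm for your installer version.

```shell
#!/bin/sh
# Added example, not from the OpenShift docs: verify the Disk Encryption Set
# built by the procedure and optionally create a least-privilege reader role.
# Assumptions: public-cloud Key Vault host suffix; az logged in for live checks.
set -eu

# A DES key URL has the shape https://<vault>.vault.azure.net/keys/<name>[/<version>].
# `az keyvault key show --query key.kid` returns the versioned form.
valid_key_url() {
    url="$1"
    rest="${url#https://}"
    [ "$rest" != "$url" ] || return 1          # must be https
    host="${rest%%/*}"
    path="${rest#*/}"
    case "$host" in
        ?*.vault.azure.net) ;;                   # Key Vault host (assumption: public cloud suffix)
        *) return 1 ;;
    esac
    case "$path" in
        keys/?*) return 0 ;;                     # keys/<name>[/<version>], not secrets/ or certificates/
        *) return 1 ;;
    esac
}

# The DES identity needs get, wrapKey and unwrapKey on keys, which is what
# `az keyvault set-policy --key-permissions wrapkey unwrapkey get` grants.
# Input: the permission list as returned by
#   az keyvault show -n "$KEYVAULT_NAME" --query "properties.accessPolicies[?objectId=='$DES_IDENTITY'].permissions.keys[]" -o tsv
# Fails if any required permission is missing; warns about anything extra.
des_key_permissions_ok() {
    granted=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '\n\t' '  ')
    missing=""
    for want in get wrapkey unwrapkey; do
        case " $granted " in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    extra=""
    for have in $granted; do
        case "$have" in
            get|wrapkey|unwrapkey) ;;
            *) extra="$extra $have" ;;
        esac
    done
    if [ -n "$extra" ]; then
        echo "warning: DES identity holds more key permissions than it needs:$extra" >&2
    fi
    if [ -n "$missing" ]; then
        echo "missing key permissions for DES identity:$missing" >&2
        return 1
    fi
    return 0
}

# Live checks against the resources the procedure created.
verify_disk_encryption_set() {
    purge=$(az keyvault show -n "$KEYVAULT_NAME" -g "$RESOURCEGROUP" \
        --query properties.enablePurgeProtection -o tsv)
    [ "$purge" = "true" ] || { echo "purge protection is not enabled on $KEYVAULT_NAME" >&2; return 1; }

    key_url=$(az disk-encryption-set show -n "$DISK_ENCRYPTION_SET_NAME" -g "$RESOURCEGROUP" \
        --query activeKey.keyUrl -o tsv)
    valid_key_url "$key_url" || { echo "unexpected key URL on DES: $key_url" >&2; return 1; }

    des_identity=$(az disk-encryption-set show -n "$DISK_ENCRYPTION_SET_NAME" -g "$RESOURCEGROUP" \
        --query identity.principalId -o tsv)
    perms=$(az keyvault show -n "$KEYVAULT_NAME" -g "$RESOURCEGROUP" \
        --query "properties.accessPolicies[?objectId=='$des_identity'].permissions.keys[]" -o tsv)
    des_key_permissions_ok "$perms"
}

# Least-privilege alternative to the Owner role for the <reader_role> callout.
# Assumption: the single read action is enough for the installer's read access.
create_des_reader_role() {
    sub_id=$(az account show --query id -o tsv)
    az role definition create --role-definition "{
        \"Name\": \"OpenShift DES Reader\",
        \"Description\": \"Read disk encryption sets only\",
        \"Actions\": [\"Microsoft.Compute/diskEncryptionSets/read\"],
        \"AssignableScopes\": [\"/subscriptions/$sub_id\"]
    }"
}

if command -v az >/dev/null 2>&1 && [ -n "${DISK_ENCRYPTION_SET_NAME:-}" ]; then
    verify_disk_encryption_set
else
    echo "az not found or DISK_ENCRYPTION_SET_NAME unset; live checks skipped" >&2
fi
```

After create_des_reader_role, the role assignment from step 12 becomes `--role "OpenShift DES Reader"` instead of Owner, which keeps the service principal from being able to change or delete the encryption set it only needs to read.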

4.3. Next steps

© 2025 Red Hat