Using Data Transformation for CTE for Kubernetes
The Data Transformation utility is an application that encrypts data in place in a GuardPoint. To perform dataxform for CTE for Kubernetes, two additional steps are required:
- A Data Transformation GuardPolicy, along with a CTE for Kubernetes production policy, must be added to the CTE for Kubernetes storage group on CipherTrust Manager.
- You must add the Data Transformation policy name as an annotation in the CTE for Kubernetes claim against the PVC. The name of the claim file is cte-csi-claim.yaml.
For the standard Data Transformation steps, see Data Transformation for more information.
Prerequisites
- Verify that you have valid backup files of the data to be encrypted.
You will need to stop ALL access and services to the data being encrypted during this part of the procedure. Access will NOT be restored until the encryption process is complete. Make sure that you plan for this outage and that users know the data will be inaccessible for some time.
Create a Storage Group
Prior to the deployment of any yaml files for registration, you must create a CTE for Kubernetes Storage Group.
Create Policies
In CipherTrust Manager, you must create policies before you can transform the data. See Creating Policies for more information.
- Create a Data Transformation policy with Policy Type: CTE for Kubernetes.
- Toggle the Data Transformation button to on. This policy is only for encrypting the clear text data in the persistent volumes where the policy is applied.
- Create a CTE for Kubernetes Production policy with Policy Type: CTE for Kubernetes.
- Make sure that the Data Transformation toggle is set to off.
- For the key rule, you must use the same key as in the Data Transformation policy.
Apply GuardPolicies
- Add both policies that you created in the previous section to the K8s Storage Group.
Adding an Annotation for Data Transformation to a claim
- Add an annotation for the Data Transformation policy to your yaml claim file. For example, cte-csi-claim.yaml:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cte-claim
  annotations:
    csi.cte.cpl.thalesgroup.com/dataxform_policy: <dataxformPolicyName>
    # This must match your CTE CSI Policy name.
    csi.cte.cpl.thalesgroup.com/policy: production-policy
    # NFS source persistent volume claim
    csi.cte.cpl.thalesgroup.com/source_pvc: nfs-test-claim
spec:
  # Change to the storage class name that you deployed, for example csi-test-sc
  storageClassName: <CHANGE to the storageclass name that you deployed>
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Ki
```
Data Transformation starts as soon as the policy is applied. Check the logs to confirm that it has started and that they are being updated.
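Because the transformation starts as soon as the claim is applied and the data is unavailable until it finishes, it is worth checking the claim before `kubectl apply`. The following pre-flight script is an added example, not code from Thales or the CTE for Kubernetes project: it builds the claim above as a Python dict, rejects template placeholders (such as `<dataxformPolicyName>`) that were left unedited, verifies that all three CTE annotations are present, and checks that the dataxform and production annotations name two different policies (the page defines them as separate policies with the toggle on and off). The policy names `dataxform-policy` and the storage class `csi-test-sc` are assumed values. It emits JSON rather than YAML because kubectl accepts JSON manifests, which avoids a YAML library dependency.

```python
"""Pre-flight check and manifest generation for a CTE for Kubernetes
Data Transformation claim. Added example; not project code."""
import json
import re

# Annotation keys taken from the cte-csi-claim.yaml example above
ANN_DATAXFORM = "csi.cte.cpl.thalesgroup.com/dataxform_policy"
ANN_POLICY = "csi.cte.cpl.thalesgroup.com/policy"
ANN_SOURCE_PVC = "csi.cte.cpl.thalesgroup.com/source_pvc"

# An unedited template value such as <dataxformPolicyName>
PLACEHOLDER = re.compile(r"<.*>")


def build_claim(name, dataxform_policy, production_policy, source_pvc,
                storage_class, storage="1Ki", access_modes=("ReadWriteMany",)):
    """Return a PersistentVolumeClaim manifest (as a dict) carrying the
    three CTE annotations that trigger in-place data transformation."""
    return {
        "apiVersion": "v1",
        "kind": "PersistentVolumeClaim",
        "metadata": {
            "name": name,
            "annotations": {
                ANN_DATAXFORM: dataxform_policy,
                ANN_POLICY: production_policy,
                ANN_SOURCE_PVC: source_pvc,
            },
        },
        "spec": {
            "storageClassName": storage_class,
            "accessModes": list(access_modes),
            "resources": {"requests": {"storage": storage}},
        },
    }


def check_claim(manifest):
    """Return a list of problems; an empty list means the claim is ready."""
    problems = []
    if manifest.get("kind") != "PersistentVolumeClaim":
        problems.append("kind must be PersistentVolumeClaim")
    ann = manifest.get("metadata", {}).get("annotations", {})
    for key in (ANN_DATAXFORM, ANN_POLICY, ANN_SOURCE_PVC):
        value = ann.get(key)
        if not value:
            problems.append(f"missing annotation {key}")
        elif PLACEHOLDER.search(value):
            problems.append(f"{key} still holds template placeholder {value!r}")
    # The dataxform policy (toggle on) and the production policy (toggle off)
    # are two distinct policies on CipherTrust Manager. The same name in both
    # annotations means one of them was copied into the wrong field (added check).
    if ann.get(ANN_DATAXFORM) and ann.get(ANN_DATAXFORM) == ann.get(ANN_POLICY):
        problems.append("dataxform_policy and policy must name different policies")
    spec = manifest.get("spec", {})
    storage_class = spec.get("storageClassName", "")
    if not storage_class or PLACEHOLDER.search(storage_class):
        problems.append("storageClassName is empty or still a placeholder")
    if not spec.get("accessModes"):
        problems.append("accessModes must not be empty")
    return problems


def render(manifest):
    """Serialize as JSON; apply with: kubectl apply -f cte-csi-claim.json"""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Assumed names: the policies and storage class are hypothetical.
    claim = build_claim("cte-claim", "dataxform-policy", "production-policy",
                        "nfs-test-claim", "csi-test-sc")
    issues = check_claim(claim)
    if issues:
        raise SystemExit("claim not ready:\n" + "\n".join(issues))
    print(render(claim))
```

Run the script before applying the claim; it exits non-zero with the list of problems if any annotation is missing or still a placeholder, and otherwise prints the manifest to pass to `kubectl apply -f`.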