Encrypting EVS Disks

Encrypting cloud disks ensures data privacy and control, making it ideal for scenarios that demand high security or compliance standards. This section describes how to use the keys managed by Data Encryption Workshop (DEW) to encrypt EVS disks.

Prerequisites

Using the Console

  1. Log in to the CCE console and click the cluster name to access the cluster console.

  2. Dynamically create a PVC and PV.

    1. Choose Storage in the navigation pane and click the PVCs tab. Click Create PVC in the upper right corner. In the dialog box displayed, configure PVC parameters.

    2. Select EVS for the StorageClass, enable encryption, and choose a key. Configure other parameters based on service requirements. For details, see Using an EVS Disk Through a Dynamic PV.

    3. Click Create.

  3. Go to the PVCs tab and check whether the PVC of the encrypted EVS disk is created and whether the disk is encrypted.

  4. The method of using an encrypted PVC is the same as that of using a regular PVC.

Using kubectl

  1. Use kubectl to access the cluster.

  2. Create the pvc-evs-auto.yaml file. For details, see Dynamically Creating an EVS Disk Using kubectl.

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: pvc-evs-auto
      namespace: default
      annotations:
        everest.io/disk-volume-type: SAS    # EVS disk type
        everest.io/crypt-key-id: 37f202db-a970-4ac1-a506-e5c4f2d7ce69   # Encryption key ID, which can be obtained from DEW
      labels:
        failure-domain.beta.kubernetes.io/region: <your_region>   # Region of the node where the application is to be deployed
        failure-domain.beta.kubernetes.io/zone: <your_zone>       # AZ of the node where the application is to be deployed
    spec:
      accessModes:
      - ReadWriteOnce               # The value must be ReadWriteOnce for EVS disks.
      resources:
        requests:
          storage: 10Gi             # EVS disk capacity, ranging from 1 to 32768
      storageClassName: csi-disk    # The StorageClass is EVS.
    
    Table 1 Encryption parameters

    | Parameter | Example Value | Description |
    |---|---|---|
    | everest.io/crypt-key-id | 37f202db-a970-4ac1-a506-e5c4f2d7ce69 | ID of an encryption key, which can be obtained from DEW. |

  3. Run the following command to create a PVC:

    kubectl apply -f pvc-evs-auto.yaml
    
  4. Go to the PVCs tab and check whether the PVC of the encrypted EVS disk is created and whether the disk is encrypted.
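
To check many PVCs at once rather than one by one on the PVCs tab, the following added example (not part of the original CCE documentation) audits the JSON printed by `kubectl get pvc -A -o json` and reports every `csi-disk` PVC whose `everest.io/crypt-key-id` annotation is missing or malformed. It assumes key IDs have the UUID form of the example value above; the PVC names, the `prod` namespace and `example-other-class` in the sample are constructed.

```python
import json
import re
import sys

CRYPT_KEY_ANNOTATION = "everest.io/crypt-key-id"   # annotation from the manifest above
EVS_STORAGE_CLASS = "csi-disk"                     # StorageClass from the manifest above
# Assumption: key IDs have the UUID form of the page's example value.
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def _pvc(namespace, name, storage_class, annotations=None):
    """Build a minimal PVC object for the constructed sample below."""
    return {"metadata": {"namespace": namespace, "name": name,
                         "annotations": annotations},
            "spec": {"storageClassName": storage_class}}

# Constructed sample standing in for `kubectl get pvc -A -o json` output.
SAMPLE = {"items": [
    _pvc("default", "pvc-evs-auto", "csi-disk",
         {CRYPT_KEY_ANNOTATION: "37f202db-a970-4ac1-a506-e5c4f2d7ce69"}),
    _pvc("default", "pvc-plain", "csi-disk"),                     # no annotations at all
    _pvc("prod", "pvc-badkey", "csi-disk",
         {CRYPT_KEY_ANNOTATION: "<key-id-placeholder>"}),         # never filled in
    _pvc("prod", "pvc-other", "example-other-class"),             # not EVS, skipped
]}

def audit_pvcs(pvc_list):
    """Return (namespace/name, reason) for EVS PVCs that do not request encryption."""
    findings = []
    for item in pvc_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        if spec.get("storageClassName") != EVS_STORAGE_CLASS:
            continue
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        key_id = (meta.get("annotations") or {}).get(CRYPT_KEY_ANNOTATION, "")
        if not key_id.strip():
            findings.append((ref, "missing " + CRYPT_KEY_ANNOTATION))
        elif not KEY_ID_RE.match(key_id.strip().lower()):
            findings.append((ref, "malformed " + CRYPT_KEY_ANNOTATION))
    return findings

if __name__ == "__main__":
    # Pipe real output in, or run with no input to audit the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ref, reason in audit_pvcs(data):
        print(f"{ref}: {reason}")
    sys.exit(1 if audit_pvcs(data) else 0)
```

The script inspects only what each PVC requested; whether the resulting disk is encrypted is still confirmed on the PVCs tab as in step 4.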