Skip to main content

Enable Data Encryption

JuiceFS supports data encryption, in CSI Driver, you need to add private key information to Kubernetes Secret, in order to enable encryption for JuiceFS CSI Driver.

If your CSI Node version is not lower than 0.17.4, you can skip this step.

This feature demands CSI Node Service be started with --format-in-pod=true (available since 0.13.0, set as default since 0.17.4), check current installation and use below command to add this parameter if in need.

kubectl -n kube-system patch ds juicefs-csi-node --patch '{"spec": {"template": {"spec": {"containers": [{"name": "juicefs-plugin","args": ["--endpoint=$(CSI_ENDPOINT)", "--logtostderr", "--nodeid=$(NODE_NAME)", "--v=5", "--format-in-pod=true"]}]}}}}'
# Wait until JuiceFS CSI Node Service pods are re-created
kubectl -n kube-system get pod -l app.kubernetes.io/name=juicefs-csi-driver

Set private key configuration in Secret

Community edition

Refer to Enable Data Encryption At Rest to generate a private key, and then create a Kubernetes Secret:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: <NAME>
  metaurl: redis://[:<PASSWORD>]@<HOST>:6379[/<DB>]
  storage: s3
  bucket: https://<BUCKET>.s3.<REGION>.amazonaws.com
  access-key: <ACCESS_KEY>
  secret-key: <SECRET_KEY>
  # Passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"
  # Generated private key string
  encrypt_rsa_key: <PRIVATE_KEY>

Cloud Service edition

Delegated Key Management

Refer to "Delegated Key Management" to enable encryption in JuiceFS Cloud Service, and then create a Kubernetes Secret using relevant credentials:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: ${JUICEFS_NAME}
  token: ${JUICEFS_TOKEN}
  access-key: ${JUICEFS_ACCESSKEY}
  secret-key: ${JUICEFS_SECRETKEY}
  # passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"

Self Managed Key

Refer to "Self Managed Key" to generate private key. After generating the private key, create a Kubernetes Secret as follows:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: ${JUICEFS_NAME}
  token: ${JUICEFS_TOKEN}
  access-key: ${JUICEFS_ACCESSKEY}
  secret-key: ${JUICEFS_SECRETKEY}
  # passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"
  # generated private key string
  encrypt_rsa_key: <PRIVATE_KEY>
Follow us on X
Let's chat on Slack