Enable Data Encryption

JuiceFS supports data encryption. To enable it for the JuiceFS CSI Driver, add the private key information to the Kubernetes Secret.

Set private key configuration in Secret

Community edition

Refer to "Enable Data Encryption At Rest" to generate a private key, and then create a Kubernetes Secret:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: <NAME>
  metaurl: redis://[:<PASSWORD>]@<HOST>:6379[/<DB>]
  storage: s3
  bucket: https://<BUCKET>.s3.<REGION>.amazonaws.com
  access-key: <ACCESS_KEY>
  secret-key: <SECRET_KEY>
  # Passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"
  # Generated private key string
  encrypt_rsa_key: <PRIVATE_KEY>
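
A PEM private key spans several lines, so in stringData it is most simply written as an indented YAML block scalar. The script below is an added example, not taken from the JuiceFS documentation: it renders the community-edition Secret from a key file and refuses a key that is not passphrase-protected. The environment variable names, the file name and the refusal policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the JuiceFS documentation.

# pem_is_encrypted FILE: succeed if the PEM key is passphrase-protected.
# PKCS#8 uses an "ENCRYPTED PRIVATE KEY" label; the traditional OpenSSL
# format keeps "RSA PRIVATE KEY" and adds a "Proc-Type: 4,ENCRYPTED" header.
pem_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# render_secret PEM_FILE: print the community-edition Secret on stdout.
# Inputs come from the environment; these variable names are this example's
# own: VOL_NAME META_URL BUCKET_URL OBJ_ACCESS_KEY OBJ_SECRET_KEY KEY_PASSPHRASE.
# Assumes no value contains a double quote or backslash (no YAML escaping).
# Returns 1 if the file is unreadable, 2 if the key is not encrypted.
render_secret() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Policy of this example: never embed a key that is stored in the clear.
    pem_is_encrypted "$pem" || { echo "$pem is not passphrase-protected" >&2; return 2; }
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: "${VOL_NAME}"
  metaurl: "${META_URL}"
  storage: s3
  bucket: "${BUCKET_URL}"
  access-key: "${OBJ_ACCESS_KEY}"
  secret-key: "${OBJ_SECRET_KEY}"
  envs: "{JFS_RSA_PASSPHRASE: ${KEY_PASSPHRASE}}"
  encrypt_rsa_key: |
$(sed 's/^/    /' "$pem")
EOF
}

# Usage (file name is a placeholder): sh render-secret.sh my-priv-key.pem
if [ "$#" -gt 0 ]; then render_secret "$1"; fi
```

Piping the output straight into `kubectl apply -f -` avoids writing the rendered manifest, which contains the key and its passphrase, to disk.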

Cloud Service edition

Delegated Key Management

Refer to "Delegated Key Management" to enable encryption in JuiceFS Cloud Service, and then create a Kubernetes Secret using relevant credentials:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: ${JUICEFS_NAME}
  token: ${JUICEFS_TOKEN}
  access-key: ${JUICEFS_ACCESSKEY}
  secret-key: ${JUICEFS_SECRETKEY}
  # passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"

Self Managed Key

Refer to "Self Managed Key" to generate a private key, and then create a Kubernetes Secret as follows:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: ${JUICEFS_NAME}
  token: ${JUICEFS_TOKEN}
  access-key: ${JUICEFS_ACCESSKEY}
  secret-key: ${JUICEFS_SECRETKEY}
  # passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"
  # generated private key string
  encrypt_rsa_key: <PRIVATE_KEY>