Enable Data Encryption

JuiceFS supports data encryption, in CSI Driver, you need to add private key information to Kubernetes Secret, in order to enable encryption for JuiceFS CSI Driver.

Set private key configuration in Secret

Community edition

Refer to Enable Data Encryption At Rest to generate a private key, and then create a Kubernetes Secret:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: <NAME>
  metaurl: redis://[:<PASSWORD>]@<HOST>:6379[/<DB>]
  storage: s3
  bucket: https://<BUCKET>.s3.<REGION>.amazonaws.com
  access-key: <ACCESS_KEY>
  secret-key: <SECRET_KEY>
  # Passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"
  # Generated private key string
  encrypt_rsa_key: <PRIVATE_KEY>

Cloud Service edition

Delegated Key Management

Refer to "Delegated Key Management" to enable encryption in JuiceFS Cloud Service, and then create a Kubernetes Secret using relevant credentials:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: ${JUICEFS_NAME}
  token: ${JUICEFS_TOKEN}
  access-key: ${JUICEFS_ACCESSKEY}
  secret-key: ${JUICEFS_SECRETKEY}
  # passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"

Self Managed Key

Refer to "Self Managed Key" to generate private key. After generating the private key, create a Kubernetes Secret as follows:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: ${JUICEFS_NAME}
  token: ${JUICEFS_TOKEN}
  access-key: ${JUICEFS_ACCESSKEY}
  secret-key: ${JUICEFS_SECRETKEY}
  # passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"
  # generated private key string
  encrypt_rsa_key: <PRIVATE_KEY>

Set private key configuration in Secret​

Community edition​

Cloud Service edition​

Delegated Key Management​

Self Managed Key​

Set private key configuration in Secret

Community edition

Cloud Service edition

Delegated Key Management

Self Managed Key