This repository has been archived by the owner on Aug 27, 2024. It is now read-only.

storage_encryption.md

File metadata and controls

33 lines (29 loc) · 944 Bytes

Storage encryption at rest

All block storage devices created by the CSI driver can be optionally encrypted at rest.
Encryption support was added to the CSI driver in version v1.1.0.

Encryption at rest is enabled by defining the `encryption` parameter in the storage class:

```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: upcloud-encrypted-block-storage
  namespace: kube-system
parameters:
  tier: maxiops
  encryption: data-at-rest
provisioner: storage.csi.upcloud.com
```

Once defined, reference the newly created storage class in the claim for any storage that you want to encrypt:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: csi-pvc-encrypted
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: upcloud-encrypted-block-storage
```
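Because encryption is opt-in per storage class, a claim that names a different class (or falls back to the cluster default) ends up unencrypted. The following audit is an added example, not part of the CSI driver repository: it reads the output of `kubectl get storageclass,pvc --all-namespaces -o json` and lists claims on this provisioner whose class lacks `encryption: data-at-rest`. The class `plain-maxiops` and the claims `db-data`, `cache` and `static` are constructed sample data.

```python
import json
import sys

PROVISIONER = "storage.csi.upcloud.com"  # provisioner from the StorageClass above
DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"

def unencrypted_claims(kube_list):
    """Return sorted (namespace, claim, class) tuples for claims on PROVISIONER
    whose storage class does not set encryption: data-at-rest."""
    items = kube_list.get("items", [])
    classes = {i["metadata"]["name"]: i for i in items if i["kind"] == "StorageClass"}
    default = next((name for name, sc in classes.items()
                    if sc["metadata"].get("annotations", {}).get(DEFAULT_ANNOTATION) == "true"),
                   None)
    findings = []
    for pvc in (i for i in items if i["kind"] == "PersistentVolumeClaim"):
        name = pvc["spec"].get("storageClassName")
        if name is None:        # field omitted: the default class applies
            name = default
        sc = classes.get(name)  # "" (no class requested) or unknown class -> None
        if sc is None or sc.get("provisioner") != PROVISIONER:
            continue
        if (sc.get("parameters") or {}).get("encryption") != "data-at-rest":
            findings.append((pvc["metadata"].get("namespace", "default"),
                             pvc["metadata"]["name"], name))
    return sorted(findings)

# Constructed sample input, shaped like the kubectl JSON list output.
SAMPLE = {"kind": "List", "items": [
    {"kind": "StorageClass", "metadata": {"name": "upcloud-encrypted-block-storage"},
     "provisioner": PROVISIONER,
     "parameters": {"tier": "maxiops", "encryption": "data-at-rest"}},
    {"kind": "StorageClass", "provisioner": PROVISIONER, "parameters": {"tier": "maxiops"},
     "metadata": {"name": "plain-maxiops", "annotations": {DEFAULT_ANNOTATION: "true"}}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "csi-pvc-encrypted"},
     "spec": {"storageClassName": "upcloud-encrypted-block-storage"}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "db-data", "namespace": "prod"},
     "spec": {"storageClassName": "plain-maxiops"}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "cache", "namespace": "prod"},
     "spec": {}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "static", "namespace": "prod"},
     "spec": {"storageClassName": ""}},
]}

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run without arguments for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for namespace, claim, sc_name in unencrypted_claims(data):
        print(f"{namespace}/{claim}: storage class {sc_name} does not enable encryption")
```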