Creating Encrypted Storage on LINSTOR

Learn how to configure and use at-rest volume encryption for persistent volumes with LINSTOR

Cozystack administrators can enable encrypted storage by creating a custom StorageClass. This guide explains how to set up an encryption passphrase, create an encrypted storage class, and use it in applications.

LINSTOR provides at-rest encryption for persistent volumes using LUKS. This ensures that data stored on disk is encrypted and can only be accessed when the volume is mounted and unlocked.

Set Up Encryption in LINSTOR

To start using encryption, set up an encryption passphrase in LINSTOR.

First, set up an alias to access LINSTOR:

alias linstor='kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor'

Create an encryption passphrase:

linstor encryption create-passphrase

You will need to enter the master passphrase each time the LINSTOR Controller restarts. To enter the master passphrase, use the following command:

linstor encryption enter-passphrase

Create Encrypted Storage Class

Create a StorageClass for encrypted storage:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-encrypted
provisioner: linstor.csi.linbit.com
parameters:
  linstor.csi.linbit.com/storagePool: "data"
  linstor.csi.linbit.com/layerList: "luks storage"
  linstor.csi.linbit.com/encryption: "true"
  linstor.csi.linbit.com/allowRemoteVolumeAccess: "false"
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: replicated-encrypted
provisioner: linstor.csi.linbit.com
parameters:
  linstor.csi.linbit.com/storagePool: "data"
  linstor.csi.linbit.com/autoPlace: "3"
  linstor.csi.linbit.com/layerList: "drbd luks storage"
  linstor.csi.linbit.com/encryption: "true"
  linstor.csi.linbit.com/allowRemoteVolumeAccess: "true"
  property.linstor.csi.linbit.com/DrbdOptions/auto-quorum: suspend-io
  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-no-data-accessible: suspend-io
  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-suspended-primary-outdated: force-secondary
  property.linstor.csi.linbit.com/DrbdOptions/Net/rr-conflict: retry-connect
volumeBindingMode: Immediate
allowVolumeExpansion: true

Now you can use the StorageClass to create PersistentVolumeClaims (PVCs) for encrypted storage.
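As an added example that is not part of the Cozystack docs, the POSIX shell helper below checks a StorageClass manifest like the ones above before it is applied (a class that claims encryption must set `encryption: "true"` and carry `luks` in its layerList, and the reverse) and emits a PVC manifest for the chosen class. The function names `check_encrypted_sc` and `pvc_manifest` are the example's own.

```shell
#!/bin/sh
# Added example (not from the Cozystack docs): guard against an "encrypted"
# StorageClass that is missing the LUKS layer or the encryption flag.

# check_encrypted_sc FILE
# Exit 0 when every StorageClass document in FILE that mentions encryption or
# the luks layer has the LINSTOR CSI provisioner, encryption "true" and "luks"
# as a layerList entry; exit 1 otherwise.
check_encrypted_sc() {
  awk '
    # Judge the StorageClass document collected so far.
    function verdict() {
      if (is_sc && (enc == "true" || index(" " layers " ", " luks ") > 0)) {
        if (prov != "linstor.csi.linbit.com") bad++
        if (enc != "true") bad++
        if (index(" " layers " ", " luks ") == 0) bad++
      }
    }
    /^---/                { verdict(); is_sc = 0; enc = layers = prov = ""; next }
    /^kind: StorageClass/ { is_sc = 1 }
    /^provisioner:/       { prov = $2 }
    /linstor\.csi\.linbit\.com\/encryption:/ { v = $2; gsub(/"/, "", v); enc = v }
    /linstor\.csi\.linbit\.com\/layerList:/ {
      v = $0; sub(/^[^:]*: */, "", v); gsub(/"/, "", v); layers = v
    }
    END { verdict(); exit (bad > 0) }
  ' "$1"
}

# pvc_manifest NAME STORAGECLASS SIZE
# Print a PVC for an encrypted class; pipe the output to `kubectl apply -f -`.
pvc_manifest() {
  cat <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: $1
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: $2
  resources:
    requests:
      storage: $3
EOF
}

# Usage: sh check-sc.sh storageclass.yaml
if [ "$#" -eq 1 ]; then
  check_encrypted_sc "$1" && echo "OK: encryption flag and luks layer agree in $1"
fi
```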