Enable Data Encryption

JuiceFS supports data encryption, in CSI Driver, you need to add private key information to Kubernetes Secret, in order to enable encryption for JuiceFS CSI Driver.

This feature demands CSI Node Service be started with --format-in-pod=true (available since 0.13.0), check current installation and use below command to add this parameter if in need.

kubectl -n kube-system patch ds juicefs-csi-node --patch '{"spec": {"template": {"spec": {"containers": [{"name": "juicefs-plugin","args": ["--endpoint=$(CSI_ENDPOINT)", "--logtostderr", "--nodeid=$(NODE_NAME)", "--v=5", "--format-in-pod=true"]}]}}}}'
# Wait until JuiceFS CSI Node Service pods are re-created
kubectl -n kube-system get pod -l app.kubernetes.io/name=juicefs-csi-driver

Set private key configuration in Secret

Community edition

Refer to Enable Data Encryption At Rest to generate a private key, and then create a Kubernetes Secret:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: <NAME>
  metaurl: redis://[:<PASSWORD>]@<HOST>:6379[/<DB>]
  storage: s3
  bucket: https://<BUCKET>.s3.<REGION>.amazonaws.com
  access-key: <ACCESS_KEY>
  secret-key: <SECRET_KEY>
  # Passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"
  # Generated private key string
  encrypt_rsa_key: <PRIVATE_KEY>

Cloud Service edition

Delegated Key Management

Refer to "Delegated Key Management" to enable encryption in JuiceFS Cloud Service, and then create a Kubernetes Secret using relevant credentials:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: ${JUICEFS_NAME}
  token: ${JUICEFS_TOKEN}
  access-key: ${JUICEFS_ACCESSKEY}
  secret-key: ${JUICEFS_SECRETKEY}
  # passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"

Self Managed Key

Refer to "Self Managed Key" to generate private key. After generating the private key, create a Kubernetes Secret as follows:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: ${JUICEFS_NAME}
  token: ${JUICEFS_TOKEN}
  access-key: ${JUICEFS_ACCESSKEY}
  secret-key: ${JUICEFS_SECRETKEY}
  # passphrase for private key
  envs: "{JFS_RSA_PASSPHRASE: <PASSPHRASE>}"
  # generated private key string
  encrypt_rsa_key: <PRIVATE_KEY>

Enable CSI related feature​

Set private key configuration in Secret​

Community edition​

Cloud Service edition​

Delegated Key Management​

Self Managed Key​

Enable CSI related feature

Set private key configuration in Secret

Community edition

Cloud Service edition

Delegated Key Management

Self Managed Key