Image Security

SUSE Virtualization allows you to encrypt and decrypt virtual machine images. The encryption mechanism utilizes the Linux kernel module dm_crypt and the command-line utility cryptsetup.

Prerequisites

Prepare the following resources:

  • Source virtual machine image: You can upload or create an image using any of the supported methods.

    Do not upload an encrypted image.

  • Secret: A Kubernetes secret is used as the passphrase of dm_crypt. You must specify the value of the CRYPTO_KEY_VALUE field. All other fields are fixed.

    create encryption used secret

    Example of a secret:

    apiVersion: v1
kind: Secret
metadata:
  name: encryption
  namespace: default
data:
  CRYPTO_KEY_CIPHER: aes-xts-plain64
  CRYPTO_KEY_HASH: sha256
  CRYPTO_KEY_PROVIDER: secret
  CRYPTO_KEY_SIZE: 256
  CRYPTO_KEY_VALUE: "Your encryption passphrase"
  CRYPTO_PBKDF: argon2i

    You can create a secret in the system namespace using kubectl and the SUSE Virtualization UI (Edit as YAML feature). Resources in the system namespace are not displayed on the Secrets screen.

  • StorageClass: Images are encrypted using Longhorn, so required fields must be passed to the Longhorn CSI Driver. You can specify the encryption secret when creating a StorageClass. For more information, see Image StorageClass.

    create storage class

    Example of a StorageClass:

    allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encryption
parameters:
  csi.storage.k8s.io/node-publish-secret-name: encryption
  csi.storage.k8s.io/node-publish-secret-namespace: default
  csi.storage.k8s.io/node-stage-secret-name: encryption
  csi.storage.k8s.io/node-stage-secret-namespace: default
  csi.storage.k8s.io/provisioner-secret-name: encryption
  csi.storage.k8s.io/provisioner-secret-namespace: default
  encrypted: "true"
  migratable: "true"
  numberOfReplicas: "3"
  staleReplicaTimeout: "2880"
provisioner: driver.longhorn.io
reclaimPolicy: Delete
volumeBindingMode: Immediate

    You can create a secret in the system namespace using kubectl and the SUSE Virtualization UI (Edit as YAML feature). Resources in the system namespace are not displayed on the Secrets screen.

Encrypt a Virtual Machine Image

  1. On the SUSE Virtualization UI, go to Images.

  2. Click Create.

  3. Specify a namespace and a name.

  4. On the Basics tab, select Encrypt and then select a source image.

    create encrypted image

  5. On the Storage tab, select a StorageClass that includes encryption-related fields.

    SUSE Virtualization passes the required fields to Longhorn.

    select encryption storage class

  6. Click Create.

Decrypt a Virtual Machine Image

  1. On the SUSE Virtualization UI, go to Images.

  2. Click Create.

  3. Specify a namespace and a name.

  4. On the Basics tab, select Decrypt and then select a source image.

    create decrypted image

  5. On the Storage tab, select harvester-longhorn (Default) or another commonly used StorageClass.

    SUSE Virtualization uses the StorageClass of the source image that you want to decrypt.

    select normal storage class

  6. Click Create.

Use an Image with Encrypted Volumes

You must select the image that you want to use when creating a virtual machine.

create

The Virtual Machines screen displays the following icons and messages when volumes used by virtual machines are encrypted.

case1
case2

To determine which volumes are encrypted, check the Volumes tab on the Virtual Machine details screen.

volume detail

Advanced Usage with SUSE Rancher Prime Integration

The secret is an unencrypted Base64-encoded string. To keep the secret safe, you can use projects and namespaces to isolate permissions. For more information, see Multi-Tenancy.

Limitations

You cannot perform the following actions:

  • Export a new image from an encrypted image

  • Download an encrypted image

  • Upload an encrypted image