diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index 5cb3998a50..397c8efa05 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -1239,9 +1239,6 @@ Topics:
 - Name: Allowing JavaScript-based access to the API server from additional hosts
 File: allowing-javascript-access-api-server
 Distros: openshift-enterprise,openshift-origin
-- Name: Encrypting etcd data
- File: encrypting-etcd
- Distros: openshift-enterprise,openshift-origin
 - Name: Scanning pods for vulnerabilities
 File: pod-vulnerability-scan
 Distros: openshift-enterprise,openshift-origin
@@ -2449,7 +2446,7 @@ Topics:
 File: replace-unhealthy-etcd-member
 - Name: Disaster recovery
 File: etcd-disaster-recovery
-- Name: Encrypting etcd data
+- Name: Enabling etcd encryption
 File: etcd-encrypt
 - Name: Setting up fault-tolerant control planes that span data centers
 File: etcd-fault-tolerant
diff --git a/etcd/etcd-encrypt.adoc b/etcd/etcd-encrypt.adoc
index cacd1c721f..cde1b37dde 100644
--- a/etcd/etcd-encrypt.adoc
+++ b/etcd/etcd-encrypt.adoc
@@ -1,7 +1,20 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="etcd-encrypt"]
 include::_attributes/common-attributes.adoc[]
-= Encrypting etcd data
+= Enabling etcd encryption
 :context: etcd-encrypt
-// This assembly will contain modules to provide information about encrypting etcd.
\ No newline at end of file
+toc::[]
+
+// About etcd encryption
+include::modules/about-etcd-encryption.adoc[leveloffset=+1]
+
+// Supported encryption types
+include::modules/etcd-encryption-types.adoc[leveloffset=+1]
+
+// Enabling etcd encryption
+include::modules/enabling-etcd-encryption.adoc[leveloffset=+1]
+
+// Disabling etcd encryption
+include::modules/disabling-etcd-encryption.adoc[leveloffset=+1]
+
diff --git a/hosted_control_planes/index.adoc b/hosted_control_planes/index.adoc
index 13e436e66b..09f8254068 100644
--- a/hosted_control_planes/index.adoc
+++ b/hosted_control_planes/index.adoc
@@ -13,7 +13,7 @@ include::modules/hcp-ocp-differences.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources -* xref:../security/encrypting-etcd.adoc#encrypting-etcd[Enabling etcd encryption] +* xref:../etcd/etcd-encrypt.adoc#etcd-encrypt[Enabling etcd encryption] include::modules/hcp-mce-acm-relationship-intro.adoc[leveloffset=+1] include::modules/hcp-acm-discover.adoc[leveloffset=+2] diff --git a/installing/overview/installing-fips.adoc b/installing/overview/installing-fips.adoc index 7a26816837..da8e63baba 100644 --- a/installing/overview/installing-fips.adoc +++ b/installing/overview/installing-fips.adoc @@ -69,7 +69,7 @@ Although the {product-title} cluster itself uses FIPS validated or Modules In Pr [id="installation-about-fips-components-etcd_{context}"] === etcd -To ensure that the secrets that are stored in etcd use FIPS validated or Modules In Process encryption, boot the node in FIPS mode. After you install the cluster in FIPS mode, you can xref:../../security/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the FIPS-approved `aes cbc` cryptographic algorithm. +To ensure that the secrets that are stored in etcd use FIPS validated or Modules In Process encryption, boot the node in FIPS mode. After you install the cluster in FIPS mode, you can xref:../../etcd/etcd-encrypt.adoc#etcd-encrypt[encrypt the etcd data] by using the FIPS-approved `aes cbc` cryptographic algorithm. [id="installation-about-fips-components-storage_{context}"] === Storage 
@@ -110,4 +110,4 @@ To enable FIPS mode for your cluster, you must run the installation program from If you are using Azure File storage, you cannot enable FIPS mode. ==== -To apply `AES CBC` encryption to your etcd data store, follow the xref:../../security/encrypting-etcd.adoc#encrypting-etcd[Encrypting etcd data] process after you install your cluster. +To apply `AES CBC` encryption to your etcd data store, follow the xref:../../etcd/etcd-encrypt.adoc#etcd-encrypt[Encrypting etcd data] process after you install your cluster. diff --git a/modules/about-etcd-encryption.adoc b/modules/about-etcd-encryption.adoc index b7f2912136..fc4af27588 100644 --- a/modules/about-etcd-encryption.adoc +++ b/modules/about-etcd-encryption.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // -// * security/encrypting-etcd.adoc // * post_installation_configuration/cluster-tasks.adoc +// * etcd/etcd-encrypt.adoc :_mod-docs-content-type: CONCEPT [id="about-etcd_{context}"] @@ -24,4 +24,4 @@ When you enable etcd encryption, encryption keys are created. You must have thes Etcd encryption only encrypts values, not keys. Resource types, namespaces, and object names are unencrypted. If etcd encryption is enabled during a backup, the `__static_kuberesources_.tar.gz__` file contains the encryption keys for the etcd snapshot. For security reasons, store this file separately from the etcd snapshot. However, this file is required to restore a previous state of etcd from the respective etcd snapshot. -==== +==== \ No newline at end of file diff --git a/modules/disabling-etcd-encryption.adoc b/modules/disabling-etcd-encryption.adoc index a561e23ad2..a106d6c677 100644 --- a/modules/disabling-etcd-encryption.adoc +++ b/modules/disabling-etcd-encryption.adoc 
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
-// * security/encrypting-etcd.adoc
 // * post_installation_configuration/cluster-tasks.adoc
+// * etcd/etcd-encrypt.adoc
 :_mod-docs-content-type: PROCEDURE
 [id="disabling-etcd-encryption_{context}"]
diff --git a/modules/enabling-etcd-encryption.adoc b/modules/enabling-etcd-encryption.adoc
index e14f6708ce..c257d79df7 100644
--- a/modules/enabling-etcd-encryption.adoc
+++ b/modules/enabling-etcd-encryption.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
-// * security/encrypting-etcd.adoc
 // * post_installation_configuration/cluster-tasks.adoc
+// * etcd/etcd-encrypt.adoc
 :_mod-docs-content-type: PROCEDURE
 [id="enabling-etcd-encryption_{context}"]
diff --git a/modules/etcd-encryption-types.adoc b/modules/etcd-encryption-types.adoc
index 13d1eec705..24a27db6c7 100644
--- a/modules/etcd-encryption-types.adoc
+++ b/modules/etcd-encryption-types.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
-// * security/encrypting-etcd.adoc
 // * post_installation_configuration/cluster-tasks.adoc
+// * etcd/etcd-encrypt.adoc
 :_mod-docs-content-type: CONCEPT
 [id="etcd-encryption-types_{context}"]
diff --git a/security/encrypting-etcd.adoc b/security/encrypting-etcd.adoc
deleted file mode 100644
index 6bb2c3cb41..0000000000
--- a/security/encrypting-etcd.adoc
+++ /dev/null
@@ -1,19 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="encrypting-etcd"]
-= Encrypting etcd data
-include::_attributes/common-attributes.adoc[]
-:context: encrypting-etcd
-
-toc::[]
-
-// About etcd encryption
-include::modules/about-etcd-encryption.adoc[leveloffset=+1]
-
-// Supported encryption types
-include::modules/etcd-encryption-types.adoc[leveloffset=+1]
-
-// Enabling etcd encryption
-include::modules/enabling-etcd-encryption.adoc[leveloffset=+1]
-
-// Disabling etcd encryption
-include::modules/disabling-etcd-encryption.adoc[leveloffset=+1]
diff --git a/security/index.adoc b/security/index.adoc
index c68a66f5b2..221b16f295 100644
--- a/security/index.adoc
+++ b/security/index.adoc
@@ -61,7 +61,7 @@ You can also review more details about the types of certificates used by the clu
 [id="encrypting-data"]
 === Encrypting data
-You can xref:../security/encrypting-etcd.adoc#encrypting-etcd[enable etcd encryption] for your cluster to provide an additional layer of data security. For example, it can help protect the loss of sensitive data if an etcd backup is exposed to the incorrect parties.
+You can xref:../etcd/etcd-encrypt.adoc#etcd-encrypt[enable etcd encryption] for your cluster to provide an additional layer of data security. For example, it can help protect the loss of sensitive data if an etcd backup is exposed to the incorrect parties.
 [discrete]
 [id="vulnerability-scanning"]