mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
134 lines
4.5 KiB
Plaintext
134 lines
4.5 KiB
Plaintext
//Module included in the following assemblies:
|
|
//
|
|
// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="preparing-disk-encryption-sets_{context}"]
|
|
= Preparing an {azure-short} Disk Encryption Set
|
|
|
|
The {product-title} installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in {azure-short} and provide the key to the installer.
|
|
|
|
.Procedure
|
|
|
|
. Set the environment variables for the {azure-short} resource group by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ export RESOURCEGROUP="<resource_group>" \// <1>
|
|
LOCATION="<location>" <2>
|
|
----
|
|
<1> Specifies the name of the {azure-short} resource group where the Disk Encryption Set and encryption key are to be created. To prevent losing access to your keys when you destroy the cluster, create the Disk Encryption Set in a separate resource group from the one where you install the cluster.
|
|
<2> Specifies the {azure-short} location where the resource group is to be created.
|
|
|
|
. Set the environment variables for the {azure-short} Key Vault and Disk Encryption Set by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ export KEYVAULT_NAME="<keyvault_name>" \// <1>
|
|
KEYVAULT_KEY_NAME="<keyvault_key_name>" \// <2>
|
|
DISK_ENCRYPTION_SET_NAME="<disk_encryption_set_name>" <3>
|
|
----
|
|
<1> Specifies the name of the {azure-short} Key Vault to be created.
|
|
<2> Specifies the name of the encryption key to be created.
|
|
<3> Specifies the name of the disk encryption set to be created.
|
|
|
|
. Set the environment variable for the ID of your {azure-short} service principal by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ export CLUSTER_SP_ID="<service_principal_id>" <1>
|
|
----
|
|
<1> Specifies the ID of the service principal to be used for installation.
|
|
|
|
. Enable host-level encryption in {azure-short} by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az feature show --namespace Microsoft.Compute --name EncryptionAtHost
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az provider register -n Microsoft.Compute
|
|
----
|
|
|
|
. Create an {azure-short} resource group to hold the disk encryption set and associated resources by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az group create --name $RESOURCEGROUP --location $LOCATION
|
|
----
|
|
|
|
. Create an {azure-short} Key Vault by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION \
|
|
--enable-purge-protection true
|
|
----
|
|
|
|
. Create an encryption key in the key vault by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME \
|
|
--protection software
|
|
----
|
|
|
|
. Capture the ID of the key vault by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ KEYVAULT_ID=$(az keyvault show --name $KEYVAULT_NAME --query "[id]" -o tsv)
|
|
----
|
|
|
|
. Capture the key URL in the key vault by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ KEYVAULT_KEY_URL=$(az keyvault key show --vault-name $KEYVAULT_NAME --name \
|
|
$KEYVAULT_KEY_NAME --query "[key.kid]" -o tsv)
|
|
----
|
|
|
|
. Create a disk encryption set by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \
|
|
$RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL
|
|
----
|
|
|
|
. Grant the `DiskEncryptionSet` resource access to the key vault by running the following commands:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ DES_IDENTITY=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
|
|
$RESOURCEGROUP --query "[identity.principalId]" -o tsv)
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \
|
|
$DES_IDENTITY --key-permissions wrapkey unwrapkey get
|
|
----
|
|
|
|
. Grant the {azure-short} service principal permission to read the Disk Encryption Set by running the following commands:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
|
|
$RESOURCEGROUP --query "[id]" -o tsv)
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ az role assignment create --assignee $CLUSTER_SP_ID --role "<reader_role>" \// <1>
|
|
--scope $DES_RESOURCE_ID -o jsonc
|
|
----
|
|
<1> Specifies an {azure-short} role with read permissions to the disk encryption set. You can use the `Owner` role or a custom role with the necessary permissions.
|