4.2. Creating a storage class for persistent volume encryption

Use the following procedure to create an encryption enabled storage class using an external key management system (KMS) for persistent volume encryption. Persistent volume encryption is only available for RBD PVs.


  • The OpenShift Container Storage cluster is in Ready state.
  • On the external key management system (KMS),

    • Ensure that a policy with a token exists and the key value backend path in Vault is enabled. See Enabling key value and policy in Vault.
    • Ensure that you are using signed certificates on your Vault servers.
  • Create a secret in the tenant’s namespace as follows:

    • On the OpenShift Container Platform web console, navigate to Workloads → Secrets.
    • Click Create → Key/value secret.
    • Enter Secret Name as ceph-csi-kms-token.
    • Enter Key as token.
    • Enter Value. It is the token from Vault. You can either click Browse to select and upload the file containing the token or enter the token directly in the text box.
    • Click Create.

The token can be deleted only after all the encrypted PVCs using the ceph-csi-kms-token have been deleted.


  1. Navigate to StorageStorage Classes.
  2. Click Create Storage Class.
  3. Enter the storage class Name and Description.
  4. Select either Delete or Retain for the Reclaim Policy. By default, Delete is selected.
  5. Select RBD Provisioner openshift-storage.rbd.csi.ceph.com which is the plugin used for provisioning the persistent volumes.
  6. Select Storage Pool where the volume data will be stored from the list or create a new pool.
  7. Select Enable Encryption checkbox.

    1. Key Management Service Provider is set to Vault by default.
    2. Enter Vault Service Name, host Address of Vault server ('https://<hostname or ip>'), and Port number.
    3. Expand Advanced Settings to enter additional settings and certificate details based on your Vault configuration.

      1. Enter the key value secret path in Backend Path that is dedicated and unique to OpenShift Container Storage.
      2. (Optional) Enter TLS Server Name and Vault Enterprise Namespace.
      3. Provide CA Certificate, Client Certificate and Client Private Key by uploading the respective PEM encoded certificate file.
      4. Click Save.
    4. Click Connect.
  8. Review external key management service Connection details. To modify the information, click Change connection details and edit the fields.
  9. Click Create.


    Red Hat works with the technology partners to provide this documentation as a service to the customers. However, Red Hat does not provide support for the Hashicorp product. For technical assistance with this product, contact Hashicorp.

Next steps