apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: ncrypt-gold provisioner: com.openstorage/ncrypt parameters: backend: "pxd" encryption: "true" kms: "vault" reclaimPolicy: "cryptshred" # Deletion does not delete keys
Mastering Modern Windows Cryptography: Mastering NCryptOpenStorageProvider in the Era of Next-Gen Hardware Security ncryptopenstorageprovider new
: A bitmask parameter reserved for future modifications. It must be set strictly to 0 . Core Built-In Key Storage Providers apiVersion: storage
Each tenant gets their own StorageClass and unique encryption key. Even if a pod is misconfigured and a volume mount leaks, the operating system only sees ciphertext. The tenant's private key never touches the hypervisor. ncryptopenstorageprovider new