Data encryption capabilities

This section provides an overview of the data protection capabilities available in MOSK, focusing primarily on data encryption. For each feature, it states which type of data it protects, whether the data is protected in flight or at rest, where within the cloud boundaries the encryption takes place, and whether the mechanism is available by default or requires explicit enablement by the cloud operator or cloud user.

Data protection capabilities

| Data protection capability | Data category | Data | Protection type | Protection boundaries | Availability |
|---|---|---|---|---|---|
| Encryption of cloud control plane communications | User, system | Cloud control plane traffic | In-flight | Cloud control plane including all the nodes | Disabled by default. Enabled by the cloud operator. |
| Encryption of data transfer for the noVNC client | User | Instance VNC console access traffic | In-flight | Cloud user - Compute hypervisor | Disabled by default. Enabled by the cloud operator. |
| Encryption of east-west tenant traffic | Application | Instance network traffic | In-flight | Private network | Disabled by default. Enabled by the cloud operator. |
| Block storage volume encryption | Application | Volumes | In-flight and at-rest | Compute hypervisor - Storage cluster | Disabled by default. Enabled by the cloud operator. Activated by the cloud user per volume. |
| Ephemeral storage encryption | Application | Instance ephemeral storage | At-rest | Compute hypervisor | Disabled by default. Enabled by the cloud operator per compute node. |
| Object storage server-side encryption | Application | Object data | In-flight and at-rest | Cloud API - Storage cluster | Enabled by default. Activated by the cloud user per object bucket. |
| Encryption of live migration data | Application | Instance memory and ephemeral storage | In-flight | Source hypervisor - Target hypervisor | Disabled by default. Enabled by the cloud operator. |
| API communications encryption | User | User communication with the cloud API | In-flight | Cloud user - Cloud API | Always enabled. |
| HashiCorp Vault as the backend for the Key Manager service | Application | Application secrets | At-rest | HashiCorp Vault service [1] | Disabled by default. Enabled by the cloud operator. |
| Hiding sensitive information in OpenStackDeployment | System | OpenStack configuration secrets | At-rest | MOSK underlay Kubernetes cluster | Always enabled. Activated by the cloud operator per configuration secret. |

[1] Communication between HashiCorp Vault and the Key Manager service is protected with TLS/SSL.
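Several rows in the table, block storage volume encryption in particular, are only effective once the cloud user activates them per volume, so an operator typically wants a way to verify that activation actually happened. The following audit script is an added example and is not part of the MOSK documentation or the MOSK code base. It models the data shape exposed by the OpenStack Block Storage (Cinder) API, where each volume carries a boolean `encrypted` field and the name of its volume type, and each volume type may carry an encryption specification (provider, cipher, key size, control location). All volume and volume type records below are constructed sample data, and the baseline it enforces (LUKS provider, 256-bit key, front-end control location) is an assumption chosen for the example, not a MOSK default.

```python
"""Audit of per-volume block storage encryption (added example, not MOSK code).

Models the shape of OpenStack Block Storage (Cinder) API data: a volume
carries a boolean ``encrypted`` field and the name of its volume type; a
volume type may carry an encryption spec (provider, cipher, key_size,
control_location). All records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VolumeTypeEncryption:
    provider: str          # encryption provider, e.g. "luks"
    cipher: str            # e.g. "aes-xts-plain64"
    key_size: int          # key length in bits
    control_location: str  # "front-end" (hypervisor) or "back-end" (storage)


@dataclass(frozen=True)
class VolumeType:
    name: str
    encryption: Optional[VolumeTypeEncryption] = None


@dataclass(frozen=True)
class Volume:
    id: str
    name: str
    volume_type: str
    encrypted: bool


# Baseline an operator might require (assumption for this example, not a
# MOSK default): LUKS applied on the hypervisor side, so data is protected
# both in flight to the storage cluster and at rest on it, with a 256-bit key.
MIN_KEY_SIZE = 256
REQUIRED_PROVIDER = "luks"
REQUIRED_CONTROL_LOCATION = "front-end"


def type_findings(vtype: VolumeType) -> List[str]:
    """Return baseline violations for a volume type; an empty list means OK.

    A type without an encryption spec yields the single finding "no encryption".
    """
    enc = vtype.encryption
    if enc is None:
        return ["no encryption"]
    findings: List[str] = []
    if enc.provider.lower() != REQUIRED_PROVIDER:
        findings.append(f"provider {enc.provider!r} is not {REQUIRED_PROVIDER!r}")
    if enc.key_size < MIN_KEY_SIZE:
        findings.append(f"key size {enc.key_size} < {MIN_KEY_SIZE}")
    if enc.control_location != REQUIRED_CONTROL_LOCATION:
        findings.append(
            f"control location {enc.control_location!r} is not {REQUIRED_CONTROL_LOCATION!r}"
        )
    return findings


def audit_volumes(volumes: List[Volume], types: List[VolumeType]) -> Dict[str, object]:
    """Classify volumes as compliant, unencrypted, or weakly encrypted.

    'unencrypted': the API record says encrypted=false.
    'weak': encrypted, but the volume type misses the baseline (or is unknown).
    'compliant': encrypted with a type that meets the baseline.
    """
    by_name = {t.name: t for t in types}
    compliant: List[str] = []
    unencrypted: List[str] = []
    weak: List[str] = []
    reasons: Dict[str, List[str]] = {}
    for v in volumes:
        vtype = by_name.get(v.volume_type)
        findings = type_findings(vtype) if vtype else ["unknown volume type"]
        if not v.encrypted:
            unencrypted.append(v.id)
            reasons[v.id] = ["API reports encrypted=false"] + findings
        elif findings:
            weak.append(v.id)
            reasons[v.id] = findings
        else:
            compliant.append(v.id)
    return {
        "compliant": sorted(compliant),
        "unencrypted": sorted(unencrypted),
        "weak": sorted(weak),
        "reasons": reasons,
    }


# Constructed sample data standing in for what the Block Storage API returns.
SAMPLE_TYPES = [
    VolumeType("LUKS", VolumeTypeEncryption("luks", "aes-xts-plain64", 256, "front-end")),
    VolumeType("LUKS-128", VolumeTypeEncryption("luks", "aes-xts-plain64", 128, "front-end")),
    VolumeType("standard"),  # operator-enabled feature, but this type never uses it
]
SAMPLE_VOLUMES = [
    Volume("vol-0001", "db-data", "LUKS", True),       # user activated encryption
    Volume("vol-0002", "scratch", "standard", False),  # user did not activate it
    Volume("vol-0003", "logs", "LUKS-128", True),      # activated, but below baseline
]


def sample_report() -> Dict[str, object]:
    """Run the audit over the constructed sample data."""
    return audit_volumes(SAMPLE_VOLUMES, SAMPLE_TYPES)


if __name__ == "__main__":
    report = sample_report()
    for bucket in ("compliant", "unencrypted", "weak"):
        print(f"{bucket}: {report[bucket]}")
    for vol_id, why in report["reasons"].items():
        print(f"  {vol_id}: {'; '.join(why)}")
```

In a real deployment the `SAMPLE_VOLUMES` and `SAMPLE_TYPES` lists would be replaced by records fetched from the Block Storage API, and the report would be reviewed as part of regular compliance checks. The front-end control location matters for the boundary the table gives for this row (Compute hypervisor - Storage cluster): with front-end encryption the hypervisor encrypts the block device before any data leaves for the storage cluster, which is what makes the protection cover both in-flight and at-rest data.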