Data encryption capabilities

This section provides an overview of the data protection capabilities available in MOSK, focusing primarily on data encryption. It describes the data encryption features of MOSK, the type of data each one protects, where encryption occurs in relation to cloud boundaries, and whether each mechanism is available by default or requires explicit enablement by the cloud operator or cloud user.
| Data protection capability | Data category | Data | Protection type | Protection boundaries | Availability |
|---|---|---|---|---|---|
| | User, system | Cloud control plane traffic | In-flight | Cloud control plane including all the nodes | Disabled by default. Enabled by the cloud operator. |
| | User | Instance VNC console access traffic | In-flight | Cloud user - Compute hypervisor | Disabled by default. Enabled by the cloud operator. |
| | Application | Instance network traffic | In-flight | Private network | Disabled by default. Enabled by the cloud operator. |
| | Application | Volumes | In-flight and at-rest | Compute hypervisor - Storage cluster | Disabled by default. Enabled by the cloud operator. Activated by the cloud user per volume. |
| Ephemeral storage encryption | Application | Instance ephemeral storage | At-rest | Compute hypervisor | Disabled by default. Enabled by the cloud operator per compute node. |
| Object storage server-side encryption | Application | Object data | In-flight and at-rest | Cloud API - Storage cluster | Enabled by default. Activated by the cloud user per object bucket. |
| | Application | Instance memory and ephemeral storage | In-flight | Source hypervisor - Target hypervisor | Disabled by default. Enabled by the cloud operator. |
| API communications encryption | User | User communication with the cloud API | In-flight | Cloud user - Cloud API | Always enabled. |
| | Application | Application secrets | At-rest | HashiCorp Vault service [0] | Disabled by default. Enabled by the cloud operator. |
| | System | OpenStack configuration secrets | At-rest | MOSK underlay Kubernetes cluster | Always enabled. Activated by the cloud operator per configuration secret. |
[0] Communication between HashiCorp Vault and Key Manager is protected with TLS/SSL.