Per-PVC Encryption with Longhorn and CSI Secret Templates

Thu, 28 May 2026 00:00:00 +0000

This article documents how to configure a Longhorn StorageClass that encrypts every PVC with its own per-volume key, derived through CSI’s secret-template parameters, and how to provision the matching secrets so the keys are scoped to the application namespace.

1. What encryption Longhorn actually does

Longhorn 1.4+ supports LUKS encryption at the block device layer. When a PVC’s StorageClass declares encrypted: "true", Longhorn calls cryptsetup luksFormat on the underlying replica devices using a passphrase pulled from a Kubernetes Secret. The PVC is then exposed to the consuming Pod as an unencrypted filesystem — the kernel handles the encryption transparently through the device-mapper layer.

Use Longhorn with Talos 1.10 and userVolumes

Tue, 17 Jun 2025 07:06:26 +0000

When building a cluster, especially in a homelab, local storage is needed for application data. Especially for databases fast read and write is required. Offloading the workload to a NAS most of the time is slower. The solution I use is to provision on-node storage with Longhorn. Longhorn acts as a CSI and offers on-node storage, replication, backups and more.

As I am currently building a Talos cluster I need to integrate the longhorn CSI into the setup. This is not as straigt forward as with K3s oder K8s, as Talos has tighter security constraints and also needs additional plugins to handle SCSI - the underlying file system protocol used by longhorn. On top I am using Talhelper to allow a GitOps style usage of talosctl. The main advantage is the encryption of secrets used by talos config files with SOPS - something that I already use for Tofu and fluxCD.

Encryption on johanneskueber.com

Per-PVC Encryption with Longhorn and CSI Secret Templates

1. What encryption Longhorn actually does

Use Longhorn with Talos 1.10 and userVolumes