https://johanneskueber.com/tags/luks/Recent content in Luks on johanneskueber.comHugoen_USThu, 28 May 2026 00:00:00 +0000https://johanneskueber.com/posts/2026-05-28-longhorn-per-pvc-encryption/Thu, 28 May 2026 00:00:00 +0000https://johanneskueber.com/posts/2026-05-28-longhorn-per-pvc-encryption/<p>This article documents how to configure a Longhorn <code>StorageClass</code> that encrypts every PVC with its own per-volume key, derived through CSI&rsquo;s secret-template parameters, and how to provision the matching secrets so the keys are scoped to the application namespace.</p> <hr> <h2 id="1-what-encryption-longhorn-actually-does">1. What encryption Longhorn actually does</h2> <p>Longhorn 1.4+ supports LUKS encryption at the block device layer. When a PVC&rsquo;s StorageClass declares <code>encrypted: &quot;true&quot;</code>, Longhorn calls <code>cryptsetup luksFormat</code> on the underlying replica devices using a passphrase pulled from a Kubernetes Secret. The PVC is then exposed to the consuming Pod as an unencrypted filesystem — the kernel handles the encryption transparently through the device-mapper layer.</p>