Skip to main content
apiVersion: v1alpha1
kind: VolumeConfig
name: EPHEMERAL # Name of the volume.
# The provisioning describes how the volume is provisioned.
provisioning:
    # The disk selector expression.
    diskSelector:
        match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk.
    maxSize: 50GiB # The maximum size of the volume, if not specified the volume can grow to the size of the

    # # The minimum size of the volume.
    # minSize: 2.5GiB

# # The encryption describes how the volume is encrypted.
# encryption:
#     provider: luks2 # Encryption provider to use for the encryption.
#     # Defines the encryption keys generation and storage method.
#     keys:
#         - slot: 0 # Key slot number for LUKS2 encryption.
#           # Key which value is stored in the configuration file.
#           static:
#             passphrase: exampleKey # Defines the static passphrase value.
#
#           # # KMS managed encryption key.
#           # kms:
#           #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
#         - slot: 1 # Key slot number for LUKS2 encryption.
#           # KMS managed encryption key.
#           kms:
#             endpoint: https://example-kms-endpoint.com # KMS endpoint to Seal/Unseal the key.
#     cipher: aes-xts-plain64 # Cipher to use for the encryption. Depends on the encryption provider.
#     blockSize: 4096 # Defines the encryption sector size.
#     # Additional --perf parameters for the LUKS2 encryption.
#     options:
#         - no_read_workqueue
#         - no_write_workqueue
FieldTypeDescriptionValue(s)
namestringName of the volume.
provisioningProvisioningSpecThe provisioning describes how the volume is provisioned.
encryptionEncryptionSpecThe encryption describes how the volume is encrypted.

​
provisioning

ProvisioningSpec describes how the volume is provisioned.
FieldTypeDescriptionValue(s)
diskSelectorDiskSelectorThe disk selector expression.
growboolShould the volume grow to the size of the disk (if possible).
minSizeByteSizeThe minimum size of the volume.

Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB.
maxSizeByteSizeThe maximum size of the volume, if not specified the volume can grow to the size of the
disk.

Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB.

​
diskSelector

DiskSelector selects a disk for the volume.
FieldTypeDescriptionValue(s)
matchExpressionThe Common Expression Language (CEL) expression to match the disk.

​
encryption

EncryptionSpec represents volume encryption settings. 
encryption:
    provider: luks2 # Encryption provider to use for the encryption.
    # Defines the encryption keys generation and storage method.
    keys:
        - slot: 0 # Key slot number for LUKS2 encryption.
          # Key which value is stored in the configuration file.
          static:
            passphrase: exampleKey # Defines the static passphrase value.

          # # KMS managed encryption key.
          # kms:
          #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
        - slot: 1 # Key slot number for LUKS2 encryption.
          # KMS managed encryption key.
          kms:
            endpoint: https://example-kms-endpoint.com # KMS endpoint to Seal/Unseal the key.
    cipher: aes-xts-plain64 # Cipher to use for the encryption. Depends on the encryption provider.
    blockSize: 4096 # Defines the encryption sector size.

    # # Additional --perf parameters for the LUKS2 encryption.
    # options:
    #     - no_read_workqueue
    #     - no_write_workqueue
FieldTypeDescriptionValue(s)
providerEncryptionProviderTypeEncryption provider to use for the encryption.luks2
keys[]EncryptionKeyDefines the encryption keys generation and storage method.
cipherstringCipher to use for the encryption. Depends on the encryption provider. aes-xts-plain64
xchacha12,aes-adiantum-plain64
xchacha20,aes-adiantum-plain64
keySizeuintDefines the encryption key length.
blockSizeuint64Defines the encryption sector size.
options[]stringAdditional β€”perf parameters for the LUKS2 encryption. no_read_workqueue
no_write_workqueue
same_cpu_crypt

​
keys[]

EncryptionKey represents configuration for disk encryption key.
FieldTypeDescriptionValue(s)
slotintKey slot number for LUKS2 encryption.
staticEncryptionKeyStaticKey which value is stored in the configuration file.
nodeIDEncryptionKeyNodeIDDeterministically generated key from the node UUID and PartitionLabel.
kmsEncryptionKeyKMSKMS managed encryption key.
tpmEncryptionKeyTPMEnable TPM based disk encryption.
lockToStateboolLock the disk encryption key to the random salt stored in the STATE partition. This is useful to prevent the volume from being unlocked if STATE partition is compromised or replaced. It is recommended to use this option with TPM disk encryption for non-STATE volumes.

​
static

EncryptionKeyStatic represents throw away key type.
FieldTypeDescriptionValue(s)
passphrasestringDefines the static passphrase value.

​
nodeID

EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.

​
kms

EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server. 
encryption:
    keys:
        - kms:
            endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
FieldTypeDescriptionValue(s)
endpointstringKMS endpoint to Seal/Unseal the key.

​
tpm

EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.
FieldTypeDescriptionValue(s)
checkSecurebootStatusOnEnrollboolCheck that Secureboot is enabled in the EFI firmware.
If Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.
⌘I