Skip to main content

Persistent Volume encryption at rest and daily snapshots

This guide will give you an overview of how to set up encryption at rest for “Persistent Volumes (PVs)” and take daily snapshots to back up a PV.

Encrypting Persistent Volumes

To enable encryption at rest on a PV, set the storageClassName attribute of your PersistentVolumeClaim to gp3. This Storage Class sets encrypted: "true" on the underlying EBS volume. This is also the default storage class for the PersistentVolumeClaim if you don’t specify one.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: myclaim
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: gp3
  selector:
    matchLabels:
      release: "stable"
    matchExpressions:
      - {key: environment, operator: In, values: [dev]}

In the above PVC example, the cluster will dynamically provision a Persistent Volume for the PVC, using the gp3 The Amazon EBS CSI, which will cause the PV to be encrypted using the AWS Key Management Service (KMS).

Snapshots to back up Persistent Volumes

You can take snapshots to back up Persistent Volumes using the snapshot lifecycle policy.

The example snapshot lifecycle policy below will create a snapshot of all tagged volumes every 24 hours starting at 05:00 UTC. As per the retain_rule, a maximum of 30 snapshots of the target volume will be retained.

Using the example below, create a “Data Lifecycle Management (DLM)” file called dlm.tf in your namespaces resources folder in the environments repo. Amend the tags_to_add and replace <pvc-name> with the name of your PersistentVolumeClaim.

Amazon Data Lifecycle Manager uses target_tags to identify the EBS volumes to back up, so please make sure you update the target_tags with the right PVC name.

resource "aws_dlm_lifecycle_policy" "persistentvolume_backup" {
  description        = "PersistentVolume lifecycle policy for <pvc-name>"
  execution_role_arn = "arn:aws:iam::754256621582:role/dlm-lifecycle-role"
  state              = "ENABLED"

  policy_details {
    resource_types = ["VOLUME"]

    schedule {
      name = "Daily 30 days persistentvolume snapshots for <pvc-name>"

      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        times         = ["05:00"]
      }

      retain_rule {
        count = 30
      }

      tags_to_add = {
        SnapshotCreator  = "DLM"
        application      = "test-application"
        environment-name = "testenvname"
        namespace        = "my-namespace"
        team_name        = "example-repo"
        business-unit    = "example-bu"
        application      = "exampleapp"
        is-production    = "false"
      }

      copy_tags = true
    }

    target_tags = {
      "kubernetes.io/created-for/pvc/name" = "<pvc-name>"
    }
  }
}


resource "kubernetes_secret" "persistentvolume_backup_sec" {
  metadata {
    name      = "persistentvolume-backup-output"
    namespace = "namespace-name"
  }

  data = {
    persistentvolume_backup_id = aws_dlm_lifecycle_policy.persistentvolume_backup.id
  }
}

Restoring a Persistent Volume from a snapshot

If you want to restore a PV from a snapshot, speak to the cloud-platform team in the #ask-cloud-platform channel.

This page was last reviewed on 27 January 2025. It needs to be reviewed again on 27 July 2025 by the page owner #cloud-platform .
This page was set to be reviewed before 27 July 2025 by the page owner #cloud-platform. This might mean the content is out of date.