How to check that volume is encrypted?
Hello everybody!
I've created a StorageClass like this:
apiVersion: v1
data:
  encryption-passphrase: b2h5ZWVmaTJ1YTZlZWcyT29jYWlkYWh2MnBob0hhb2doYWhkYWg5bm9vM3BoYW9jZWlQb2h6YWg2bG9oc2F1R2VpbWljaGE2RWVIYTRpWWVuZ2VwaG81SG9obmdlaG91Y2lleGluOWFpbGVKZWkwc2h1NXNhaTNnYWhiYTR1S28=
kind: Secret
metadata:
  name: encryption-secret
  namespace: kube-system
type: Opaque
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: hcloud-volumes-encrypted
parameters:
  csi.storage.k8s.io/node-publish-secret-name: encryption-secret
  csi.storage.k8s.io/node-publish-secret-namespace: kube-system
provisioner: csi.hetzner.cloud
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
And created a PersistentVolume like this:
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: csi.hetzner.cloud
    volume.kubernetes.io/provisioner-deletion-secret-name: ""
    volume.kubernetes.io/provisioner-deletion-secret-namespace: ""
  creationTimestamp: "2025-09-18T14:10:40Z"
  finalizers:
  - external-provisioner.volume.kubernetes.io/finalizer
  - kubernetes.io/pv-protection
  - external-attacher/csi-hetzner-cloud
  name: pvc-e0ae14a4-77b9-4347-bd82-d9d812632b6e
  resourceVersion: "3269"
  uid: a90c9ba8-b759-491a-8cac-4e4029ffd17e
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 10Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: monitoring-grafana
    namespace: monitoring
    resourceVersion: "2985"
    uid: e0ae14a4-77b9-4347-bd82-d9d812632b6e
  csi:
    driver: csi.hetzner.cloud
    fsType: ext4
    nodePublishSecretRef:
      name: encryption-secret
      namespace: kube-system
    volumeAttributes:
      fsFormatOptions: ""
      storage.kubernetes.io/csiProvisionerIdentity: 1758204494835-2543-csi.hetzner.cloud
    volumeHandle: "103475275"
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: csi.hetzner.cloud/location
          operator: In
          values:
          - fsn1
  persistentVolumeReclaimPolicy: Delete
  storageClassName: hcloud-volumes-encrypted
  volumeMode: Filesystem
status:
  lastPhaseTransitionTime: "2025-09-18T14:10:40Z"
  phase: Bound
But when I try to scan with kubescape, I see that volumes are not encrypted:
kubescape scan framework SOC2 --view=control
...
[control: Data in rest encryption - Persistent Volumes are encrypted (CC1.1,CC6.7) - https://hub.armosec.io/docs/c-0264] failed 😥
Description: Transport Layer Security (TLS) is used to protect the transmission of data sent over the internet to and from the organization's application server.
Failed:
PersistentVolume - pvc-050d817d-c062-4442-a9c5-843653fced3c
PersistentVolume - pvc-105dd6fe-8ef8-4538-bc91-d41bf80e9683
PersistentVolume - pvc-33f0ec5f-0b11-4c06-88fc-7dbaa9f1a545
PersistentVolume - pvc-3fb91d4b-af43-4d2f-89c3-d8161e1c3e97
PersistentVolume - pvc-74bdec10-d1ac-47c0-8f6c-f5e832cbe59b
PersistentVolume - pvc-e0ae14a4-77b9-4347-bd82-d9d812632b6e
Summary - Passed:2 Action Required:0 Failed:6 Total:8
Remediation: Enable encryption on the PersistentVolume using the configuration in StorageClass
Also I don't see any mentions of encryption in hcloud volume describe:
hcloud volume describe pvc-e0ae14a4-77b9-4347-bd82-d9d812632b6e
ID:           103475275
Name:         pvc-e0ae14a4-77b9-4347-bd82-d9d812632b6e
Created:      Thu Sep 18 17:10:31 EEST 2025 (5 days ago)
Size:         10 GB
Linux Device: /dev/disk/by-id/scsi-0HC_Volume_103475275
Location:
  Name:         fsn1
  Description:  Falkenstein DC Park 1
  Country:      DE
  City:         Falkenstein
  Latitude:     50.476120
  Longitude:    12.370071
Server:
  ID:   108978628
  Name: dev-worker0
Protection:
  Delete: no
Labels:
  managed-by:    csi-driver
  pv-name:       pvc-e0ae14a4-77b9-4347-bd82-d9d812632b6e
  pvc-name:      monitoring-grafana
  pvc-namespace: monitoring
So... how can I make sure that the volume is encrypted when other instruments say that it is not?
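The wiring shown above (PV with spec.csi.nodePublishSecretRef pointing at a Secret that carries an encryption-passphrase key) can be verified from the Kubernetes objects alone. The following is an added example for this thread, not code from the thread or from the hcloud csi-driver project: it takes PersistentVolume and Secret objects in the shape `kubectl get ... -o json` returns and gives each csi.hetzner.cloud volume a verdict. The sample objects are constructed from the question's PV and Secret, plus one made-up PV (pvc-constructed-plain) without a secret reference. A passing verdict only proves the driver was asked to encrypt; the on-disk proof is the LUKS header.

```python
"""Configuration-level check: is a Hetzner CSI PersistentVolume wired for encryption?

Added example; not code from the thread or the hcloud csi-driver project.
"""
from __future__ import annotations

DRIVER = "csi.hetzner.cloud"
PASSPHRASE_KEY = "encryption-passphrase"  # key name in the Secret shown in the question


def check_pv(pv: dict, secrets: dict[tuple[str, str], dict]) -> str:
    """Return a verdict for one PV object.

    `secrets` maps (namespace, name) -> Secret object, e.g. collected from
    `kubectl get secret -A -o json`.
    """
    csi = (pv.get("spec") or {}).get("csi") or {}
    if csi.get("driver") != DRIVER:
        return "not-hcloud-csi"             # other drivers need their own rule
    ref = csi.get("nodePublishSecretRef")
    if not ref or not ref.get("name"):
        return "no-node-publish-secret"     # driver gets no passphrase for this volume
    secret = secrets.get((ref.get("namespace", "default"), ref["name"]))
    if secret is None:
        return "secret-not-found"           # reference points nowhere
    if PASSPHRASE_KEY not in (secret.get("data") or {}):
        return "secret-lacks-passphrase"    # Secret exists but has the wrong key
    return "encryption-configured"


def audit(pvs: list[dict], secrets: list[dict]) -> dict[str, str]:
    """Map every PV name to its verdict."""
    index = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    return {pv["metadata"]["name"]: check_pv(pv, index) for pv in pvs}


# Constructed samples: trimmed from the question's objects, plus one PV without a secret.
SAMPLE_SECRETS = [
    {"metadata": {"name": "encryption-secret", "namespace": "kube-system"},
     "type": "Opaque",
     "data": {PASSPHRASE_KEY: "PLACEHOLDER-BASE64"}},  # placeholder, not a real passphrase
]
SAMPLE_PVS = [
    {"metadata": {"name": "pvc-e0ae14a4-77b9-4347-bd82-d9d812632b6e"},
     "spec": {"csi": {"driver": DRIVER, "fsType": "ext4",
                      "nodePublishSecretRef": {"name": "encryption-secret",
                                               "namespace": "kube-system"},
                      "volumeHandle": "103475275"},
              "storageClassName": "hcloud-volumes-encrypted"}},
    {"metadata": {"name": "pvc-constructed-plain"},      # constructed: no secret reference
     "spec": {"csi": {"driver": DRIVER, "fsType": "ext4", "volumeHandle": "0"},
              "storageClassName": "hcloud-volumes"}},
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PVS, SAMPLE_SECRETS).items():
        print(f"{name}: {verdict}")
```

To run it against a live cluster, feed `audit()` the `items` lists of `kubectl get pv -o json` and `kubectl get secret -A -o json`; any verdict other than encryption-configured is a volume the driver will mount unencrypted or fail to mount.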
Hey,
the encryption is happening in the csi-driver via cryptsetup, so you won't see encryption information via hcloud volume describe ....
To check if the disk got mounted via cryptsetup, you can run hcloud volume list to check which server the volume is attached to. On the machine you could run lsblk -f to list block devices with filesystem infos. If you configured encryption correctly, you should see crypto_LUKS in the FSTYPE column:
NAME                        FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sdb                         crypto_LUKS 1           0dd1b234-656b-4380-ad20-b8fa2baa1625
└─scsi-0HC_Volume_<VOL-ID>                                                                  9.7G     0% /var/lib/kubelet/pods/...
As you have directly created a PV, did you try to import an existing volume?
Thank you for the fast answer!
As you have directly created a PV, did you try to import an existing volume?
No, this volume was automatically created by Grafana STS (volumeClaimTemplate), so I didn't create it directly. Also I didn't try to import an existing volume.
To check if the disk got mounted via cryptsetup, you can run hcloud volume list to check which server the volume is attached to. On the machine you could run lsblk -f to list block devices with filesystem infos. If you configured encryption correctly, you should see crypto_LUKS in the FSTYPE column
Talos Linux doesn't provide access to any kind of shell to run lsblk, so AFAIK the only information about disks that I can get is this, and it doesn't contain FSTYPE:
talosctl -n 10.10.11.9 get disks
NODE         NAMESPACE   TYPE   ID      VERSION   SIZE     READ ONLY   TRANSPORT   ROTATIONAL   WWID   MODEL   SERIAL
10.10.11.9   runtime     Disk   dm-0    4         11 GB    false
10.10.11.9   runtime     Disk   dm-1    5         11 GB    false
10.10.11.9   runtime     Disk   loop0   2         4.1 kB   true
10.10.11.9   runtime     Disk   loop1   2         28 MB    true
10.10.11.9   runtime     Disk   loop2   2         73 MB    true
Hey, I am not working with Talos on a regular basis. You could try to attach the volume to a regular Hetzner Cloud server and use cryptsetup to check for the LUKS headers: sudo cryptsetup isLuks /dev/sdX
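What `cryptsetup isLuks` actually tests is the LUKS header at the start of the device. The following is an added example for this thread, not code from the thread, from cryptsetup or from the hcloud csi-driver: it parses the on-disk LUKS1 and LUKS2 header layouts and reports version and UUID (plus cipher for LUKS1, label for LUKS2), so a block device or a dd image of one can be classified offline. The sample headers are constructed; the LUKS1 UUID is the one from the lsblk output above, the LUKS2 label and UUID are made up.

```python
"""Re-implementation of the `cryptsetup isLuks` header test, for LUKS1 and LUKS2.

Added example; not code from the thread, cryptsetup or the hcloud csi-driver.
"""
from __future__ import annotations

import struct
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"   # shared by LUKS1 and LUKS2, first 6 bytes of the device
LUKS1_PHDR_SIZE = 592          # LUKS1 partition header
LUKS2_BIN_HDR_SIZE = 4096      # LUKS2 binary header; JSON metadata follows it


def _cstr(buf: bytes) -> str:
    """NUL-padded ASCII field -> str."""
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def luks_header_info(header: bytes) -> Optional[dict]:
    """Return header facts if `header` begins with a LUKS header, else None."""
    if len(header) < 208 or header[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack_from(">H", header, 6)
    if version == 1:
        # LUKS1 phdr: cipher-name@8[32], cipher-mode@40[32], hash-spec@72[32], uuid@168[40]
        return {
            "version": 1,
            "cipher": f"{_cstr(header[8:40])}-{_cstr(header[40:72])}",
            "hash": _cstr(header[72:104]),
            "uuid": _cstr(header[168:208]),
        }
    if version == 2:
        # LUKS2 binary header: hdr_size@8[u64], label@24[48], csum_alg@72[32], uuid@168[40]
        (hdr_size,) = struct.unpack_from(">Q", header, 8)
        return {
            "version": 2,
            "label": _cstr(header[24:72]),
            "checksum_alg": _cstr(header[72:104]),
            "uuid": _cstr(header[168:208]),
            "metadata_size": hdr_size,
        }
    return None  # magic present but unknown version: do not claim LUKS


def is_luks_path(path: str) -> bool:
    """Open a block device or image read-only and test its first 4 KiB (needs read access)."""
    with open(path, "rb") as fh:
        return luks_header_info(fh.read(LUKS2_BIN_HDR_SIZE)) is not None


# --- constructed sample headers (layout only; no key material, not decryptable) ---
def build_luks1_header(cipher: str, mode: str, hash_spec: str, uuid: str) -> bytes:
    hdr = bytearray(LUKS1_PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher.encode()
    hdr[40:40 + len(mode)] = mode.encode()
    hdr[72:72 + len(hash_spec)] = hash_spec.encode()
    hdr[168:168 + len(uuid)] = uuid.encode()
    return bytes(hdr)


def build_luks2_header(label: str, uuid: str, hdr_size: int = 16384) -> bytes:
    hdr = bytearray(LUKS2_BIN_HDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">Q", hdr, 8, hdr_size)
    hdr[24:24 + len(label)] = label.encode()
    hdr[72:78] = b"sha256"
    hdr[168:168 + len(uuid)] = uuid.encode()
    return bytes(hdr)


SAMPLE_LUKS1 = build_luks1_header("aes", "xts-plain64", "sha256",
                                  "0dd1b234-656b-4380-ad20-b8fa2baa1625")  # UUID from lsblk above
SAMPLE_LUKS2 = build_luks2_header("grafana-data", "11111111-2222-3333-4444-555555555555")
_ext4 = bytearray(4096)
struct.pack_into("<H", _ext4, 0x438, 0xEF53)   # ext4 superblock magic only: a plain filesystem
SAMPLE_EXT4 = bytes(_ext4)

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:           # e.g. /dev/sdX or a dd image
        print(target, "LUKS" if is_luks_path(target) else "not LUKS")
    for name, blob in (("luks1", SAMPLE_LUKS1), ("luks2", SAMPLE_LUKS2), ("ext4", SAMPLE_EXT4)):
        print(name, luks_header_info(blob))
```

Run as root with the device path (`python3 isluks.py /dev/sdX`) it answers the same question as `cryptsetup isLuks`, and on a plain ext4 volume it returns None because the ext4 superblock sits at offset 0x400 and never carries the LUKS magic at offset 0.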