Automated Encryption of Kubernetes Block Storage for Trusted Research Environments (TREs)

Wednesday, June 24, 2026 3:45 PM to 5:15 PM · 1 hr. 30 min. (Europe/Berlin)
Foyer D-G - 2nd Floor
Project Poster
Storage Technologies and Architectures

Information

Poster is on display.
Trusted Research Environments (TREs) are designed to enable secure analysis of sensitive data, such as health and personal data, within a controlled computing platform. Ensuring encryption of data at rest is a core TRE requirement and supports compliance with regulations and standards such as GDPR, NHS guidelines, the NCSC Cyber Assessment Framework (CAF), and SATRE expectations.

In this project we address the challenge of automating and enforcing encryption in a volume-based Kubernetes storage backend, such as OpenStack Cinder, in a TRE infrastructure. We introduce a Kubernetes Operator that detects the creation of a persistent volume claim (PVC) using a Python Kopf control loop. Encryption keys are managed securely using HashiCorp Vault for key rotation. We demonstrate this approach by using declarative, automated encryption as part of the Kubernetes workflow, which abstracts the complexity of encryption from the user. This work shows a practical and reusable architecture for storage encryption in a containerized research environment.
Format
on-demand, on-site
