PX-Security on an existing cluster

This page guides you to enable PX-Security on an existing cluster with no PX-Security setup.

Secure your existing cluster

Perform the following steps to enable PX-Security:

  1. Enable PX-Security in Portworx on each node. You can refer to the following sections depending on your deployment:

    Note: To completely secure the cluster, you must enable security on all nodes participating in the Portworx cluster. Do not mix the nodes with enabled and disabled PX-Security.
  2. Generate a new cluster token. Run the following command to generate a new cluster token for pairing and migrating your clusters:

    pxctl cluster token reset

Security parameters

The following parameters are required and must be provided to Portworx to enable PX-Security.

Environment variables

Provide sensitive information like shared secrets as environment variables. These variables can be provided by secrets through your container orchestration system.

Environment Variable Required? Description
PORTWORX_AUTH_SYSTEM_KEY Yes Shared secret used by Portworx to generate tokens for cluster communications
PORTWORX_AUTH_SYSTEM_APPS_KEY Yes when using Stork Share secret used by Stork to generate tokens to communicate with Portworx. The shared secret must match the value of PX_SHARED_SECRET environment variable in Stork.
PORTWORX_AUTH_JWT_SHAREDSECRET Optional Self-generated token shared secret, if any


For non-sensitive information, use thepx-runccommand as command-line parameters with the following arguments:

Name Description
-jwt_issuer <issuer> JSON Web Token issuer (e.g. openstorage.io). This is the token issuer for your self-signed tokens. It must match the iss value in token claims
-jwt_rsa_pubkey_file <file path> JSON Web Token RSA Public file path
-jwt_ecds_pubkey_file <file path> JSON Web Token ECDS Public file path
-username_claim <claim> Name of the claim in the token to be used as the unique ID of the user ( can be sub, email or name, default: sub)

Last edited: Friday, Oct 28, 2022