From 22ee7c0de5fe49423cfc1396addbb89875b6b73d Mon Sep 17 00:00:00 2001 From: Niels de Vos Date: Fri, 19 Feb 2021 13:41:30 +0100 Subject: [PATCH] doc: add implementation details Update the encrypted PVC implementation doc with references to the new EncryptedKMS, DEKStore and VolumeEncryption types. Signed-off-by: Niels de Vos --- docs/design/proposals/encrypted-pvc.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/design/proposals/encrypted-pvc.md b/docs/design/proposals/encrypted-pvc.md index 21bc75013..f99aa4943 100644 --- a/docs/design/proposals/encrypted-pvc.md +++ b/docs/design/proposals/encrypted-pvc.md @@ -127,3 +127,20 @@ data: metadata: name: ceph-csi-encryption-kms-config ``` + +### Implementation Details + +The main components that are used to support encrypted volumes: + +1. the `EncryptionKMS` interface + * an instance is configured per volume object (`rbdVolume.KMS`) + * used to authenticate with a master key or token + * can store the KEK (Key-Encryption-Key) for encrypting and decrypting the + DEKs (Data-Encryption-Key) +1. the `DEKStore` interface + * saves and fetches the DEK (Data-Encryption-Key) + * can be provided by a KMS, or by other components (like `rbdVolume`) +1. the `VolumeEncryption` type + * combines `EncryptionKMS` and `DEKStore` into a single place + * easy to configure from other components or subsystems + * provides a simple API for all KMS operations
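Review bot: The commit message names the interface `EncryptedKMS` while the added section calls it `EncryptionKMS`; please use the one name the code actually exports in both places, since readers will grep for it. In the new "Implementation Details" list, the `EncryptionKMS` bullet says the KMS "can store the KEK" and the `DEKStore` bullet says the store "can be provided by a KMS, or by other components (like `rbdVolume`)", but the text never states whether a DEK held by a non-KMS `DEKStore` is always wrapped with the KEK before it is saved or may be persisted unwrapped; for a design doc about volume encryption that is the property a reviewer needs spelled out, so a sentence such as "a `DEKStore` only ever persists the DEK after it has been encrypted with the KEK held by the `EncryptionKMS`" (or the opposite, if that is the design) would close the gap. The `VolumeEncryption` bullet "provides a simple API for all KMS operations" would also be more useful if it named those operations (for example, fetching and storing the DEK and obtaining the KEK) rather than leaving them implicit.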