From 5162d8bb298d4194a28f8de42f2512408fd04efe Mon Sep 17 00:00:00 2001 From: Jochen Munz Date: Tue, 19 Dec 2023 09:02:07 +0100 Subject: [PATCH] docs: add instructions for LUKS encryption on Nomad (#550) Explains how to enable LUKS encryption for hcloud volumes. --------- Co-authored-by: Jonas L --- docs/nomad/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/nomad/README.md b/docs/nomad/README.md index 0995da45..71eafcd7 100644 --- a/docs/nomad/README.md +++ b/docs/nomad/README.md @@ -285,3 +285,19 @@ job "mariadb" { ```sh nomad job run mariadb.hcl ``` + +### Volumes encryption with LUKS + +To add encryption with LUKS you have to provide a secret containing the encryption passphrase as part of the volume definition. The secret must be named `encryption-passphrase`. The volume will then be LUKS encrypted on first use. + +```hcl +# file: db-vol.hcl + +secrets { + "encryption-passphrase" = "" +} +``` + + +> [!NOTE] +> Consider using HashiCorp Vault for secrets management, see https://developer.hashicorp.com/nomad/docs/job-specification/template#vault-kv-api-v2 \ No newline at end of file
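Review bot: In the added `db-vol.hcl` example, `"encryption-passphrase" = ""` shows an empty string with nothing marking it as a placeholder, so a reader copying the block cannot tell whether an empty passphrase is accepted or rejected; use an explicit placeholder value and, if an empty value is invalid, say so. The text says the volume is LUKS encrypted "on first use" but does not say what happens when the secret is added to a volume that already holds data, which deserves one sentence. The NOTE links to the job `template` block documentation while the secret here sits in the volume definition file, so it should explain how a Vault-sourced value reaches `db-vol.hcl`; it is also worth stating that this file now carries the passphrase in plaintext and should be kept out of version control. Minor: the heading reads better as "Volume encryption with LUKS", and the file ends without a trailing newline.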