chore: show securtiystate on dashboard

Show Talos SecurityState and MountStatus on dashboard. Fixes: #7675 Signed-off-by: Noel Georgi <git@frezbo.dev>
2026-03-20 04:03:37 +00:00 · 2023-09-06 01:45:12 +05:30
parent b485108740
commit 3d2dad4e69
11 changed files with 239 additions and 63 deletions
--- a/api/resource/definitions/runtime/runtime.proto
+++ b/api/resource/definitions/runtime/runtime.proto
@@ -71,6 +71,7 @@ message MountStatusSpec {
  string filesystem_type = 3;
  repeated string options = 4;
  bool encrypted = 5;
+  repeated string encryption_providers = 6;
 }

 // PlatformMetadataSpec describes platform metadata properties.
--- a/internal/pkg/dashboard/components/talosinfo.go
+++ b/internal/pkg/dashboard/components/talosinfo.go
@@ -5,11 +5,14 @@
 package components

 import (
+	"fmt"
 	"strconv"
+	"strings"

 	"github.com/rivo/tview"

 	"github.com/siderolabs/talos/internal/pkg/dashboard/resourcedata"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/cluster"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
@@ -17,12 +20,15 @@ import (
 )

 type talosInfoData struct {
-	uuid            string
-	clusterName     string
-	stage           string
-	ready           string
-	typ             string
-	numMachinesText string
+	uuid                          string
+	clusterName                   string
+	stage                         string
+	ready                         string
+	typ                           string
+	numMachinesText               string
+	secureBootState               string
+	statePartitionMountStatus     string
+	ephemeralPartitionMountStatus string

 	machineIDSet map[string]struct{}
 }
@@ -93,6 +99,28 @@ func (widget *TalosInfo) updateNodeData(data resourcedata.Data) {
 			nodeData.stage = formatStatus(res.TypedSpec().Stage.String())
 			nodeData.ready = formatStatus(res.TypedSpec().Status.Ready)
 		}
+	case *runtime.SecurityState:
+		if data.Deleted {
+			nodeData.secureBootState = notAvailable
+		} else {
+			nodeData.secureBootState = formatStatus(res.TypedSpec().SecureBoot)
+		}
+	case *runtime.MountStatus:
+		switch res.Metadata().ID() {
+		case constants.StatePartitionLabel:
+			if data.Deleted {
+				nodeData.statePartitionMountStatus = notAvailable
+			} else {
+				nodeData.statePartitionMountStatus = mountStatus(res.TypedSpec().Encrypted, res.TypedSpec().EncryptionProviders)
+			}
+		case constants.EphemeralPartitionLabel:
+			if data.Deleted {
+				nodeData.ephemeralPartitionMountStatus = notAvailable
+			} else {
+				nodeData.ephemeralPartitionMountStatus = mountStatus(res.TypedSpec().Encrypted, res.TypedSpec().EncryptionProviders)
+			}
+		}
+
 	case *config.MachineType:
 		if data.Deleted {
 			nodeData.typ = notAvailable
@@ -114,13 +142,16 @@ func (widget *TalosInfo) getOrCreateNodeData(node string) *talosInfoData {
 	nodeData, ok := widget.nodeMap[node]
 	if !ok {
 		nodeData = &talosInfoData{
-			uuid:            notAvailable,
-			clusterName:     notAvailable,
-			stage:           notAvailable,
-			ready:           notAvailable,
-			typ:             notAvailable,
-			numMachinesText: notAvailable,
-			machineIDSet:    make(map[string]struct{}),
+			uuid:                          notAvailable,
+			clusterName:                   notAvailable,
+			stage:                         notAvailable,
+			ready:                         notAvailable,
+			typ:                           notAvailable,
+			numMachinesText:               notAvailable,
+			secureBootState:               notAvailable,
+			statePartitionMountStatus:     notAvailable,
+			ephemeralPartitionMountStatus: notAvailable,
+			machineIDSet:                  make(map[string]struct{}),
 		}

 		widget.nodeMap[node] = nodeData
@@ -158,8 +189,28 @@ func (widget *TalosInfo) redraw() {
 				Name:  "MACHINES",
 				Value: data.numMachinesText,
 			},
+			{
+				Name:  "SECUREBOOT",
+				Value: data.secureBootState,
+			},
+			{
+				Name:  "STATE",
+				Value: data.statePartitionMountStatus,
+			},
+			{
+				Name:  "EPHEMERAL",
+				Value: data.ephemeralPartitionMountStatus,
+			},
 		},
 	}

 	widget.SetText(fields.String())
 }
+
+func mountStatus(encrypted bool, providers []string) string {
+	if !encrypted {
+		return "[green]OK[-]"
+	}
+
+	return fmt.Sprintf("[green]OK - encrypted[-] (%s)", strings.Join(providers, ","))
+}
--- a/internal/pkg/dashboard/resourcedata/resourcedata.go
+++ b/internal/pkg/dashboard/resourcedata/resourcedata.go
@@ -19,12 +19,14 @@ import (
 	"google.golang.org/grpc/metadata"

 	"github.com/siderolabs/talos/pkg/machinery/client"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/cluster"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
 	"github.com/siderolabs/talos/pkg/machinery/resources/k8s"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
+	"github.com/siderolabs/talos/pkg/machinery/resources/v1alpha1"
 )

 // Data contains a resource, whether it is deleted and the node it came from.
@@ -114,6 +116,18 @@ func (source *Source) runResourceWatch(ctx context.Context, node string) error {
 		return err
 	}

+	if err := source.COSI.Watch(ctx, runtime.NewSecurityStateSpec(v1alpha1.NamespaceName).Metadata(), eventCh); err != nil {
+		return err
+	}
+
+	if err := source.COSI.Watch(ctx, runtime.NewMountStatus(v1alpha1.NamespaceName, constants.StatePartitionLabel).Metadata(), eventCh); err != nil {
+		return err
+	}
+
+	if err := source.COSI.Watch(ctx, runtime.NewMountStatus(v1alpha1.NamespaceName, constants.EphemeralPartitionLabel).Metadata(), eventCh); err != nil {
+		return err
+	}
+
 	if err := source.COSI.Watch(ctx, config.NewMachineType().Metadata(), eventCh); err != nil {
 		return err
 	}
--- a/internal/pkg/mount/system.go
+++ b/internal/pkg/mount/system.go
@@ -13,6 +13,7 @@ import (
 	"sync"

 	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/maps"
 	"github.com/siderolabs/go-blockdevice/blockdevice"
 	"github.com/siderolabs/go-blockdevice/blockdevice/filesystem"
 	"golang.org/x/sys/unix"
@@ -235,6 +236,25 @@ func SystemPartitionMount(ctx context.Context, r runtime.Runtime, logger *log.Lo
 	mountStatus.TypedSpec().FilesystemType = mountpoint.Fstype()
 	mountStatus.TypedSpec().Encrypted = encrypted

+	if encrypted {
+		encryptionProviders := make(map[string]struct{})
+
+		for _, cfg := range o.Encryption.Keys() {
+			switch {
+			case cfg.Static() != nil:
+				encryptionProviders[cfg.Static().String()] = struct{}{}
+			case cfg.NodeID() != nil:
+				encryptionProviders[cfg.NodeID().String()] = struct{}{}
+			case cfg.KMS() != nil:
+				encryptionProviders[cfg.KMS().String()] = struct{}{}
+			case cfg.TPM() != nil:
+				encryptionProviders[cfg.TPM().String()] = struct{}{}
+			}
+		}
+
+		mountStatus.TypedSpec().EncryptionProviders = maps.Keys(encryptionProviders)
+	}
+
 	// ignore the error if the MountStatus already exists, as many mounts are silently skipped with the flag SkipIfMounted
 	if err = r.State().V1Alpha2().Resources().Create(context.Background(), mountStatus); err != nil && !state.IsConflictError(err) {
 		return fmt.Errorf("error creating mount status resource: %w", err)
--- a/pkg/machinery/api/resource/definitions/runtime/runtime.pb.go
+++ b/pkg/machinery/api/resource/definitions/runtime/runtime.pb.go
@@ -566,11 +566,12 @@ type MountStatusSpec struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Source         string   `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
-	Target         string   `protobuf:"bytes,2,opt,name=target,proto3" json:"target,omitempty"`
-	FilesystemType string   `protobuf:"bytes,3,opt,name=filesystem_type,json=filesystemType,proto3" json:"filesystem_type,omitempty"`
-	Options        []string `protobuf:"bytes,4,rep,name=options,proto3" json:"options,omitempty"`
-	Encrypted      bool     `protobuf:"varint,5,opt,name=encrypted,proto3" json:"encrypted,omitempty"`
+	Source              string   `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
+	Target              string   `protobuf:"bytes,2,opt,name=target,proto3" json:"target,omitempty"`
+	FilesystemType      string   `protobuf:"bytes,3,opt,name=filesystem_type,json=filesystemType,proto3" json:"filesystem_type,omitempty"`
+	Options             []string `protobuf:"bytes,4,rep,name=options,proto3" json:"options,omitempty"`
+	Encrypted           bool     `protobuf:"varint,5,opt,name=encrypted,proto3" json:"encrypted,omitempty"`
+	EncryptionProviders []string `protobuf:"bytes,6,rep,name=encryption_providers,json=encryptionProviders,proto3" json:"encryption_providers,omitempty"`
 }

 func (x *MountStatusSpec) Reset() {
@@ -640,6 +641,13 @@ func (x *MountStatusSpec) GetEncrypted() bool {
 	return false
 }

+func (x *MountStatusSpec) GetEncryptionProviders() []string {
+	if x != nil {
+		return x.EncryptionProviders
+	}
+	return nil
+}
+
 // PlatformMetadataSpec describes platform metadata properties.
 type PlatformMetadataSpec struct {
 	state         protoimpl.MessageState
@@ -933,7 +941,7 @@ var file_resource_definitions_runtime_runtime_proto_rawDesc = []byte{
 	0x74, 0x49, 0x50, 0x52, 0x12, 0x72, 0x65, 0x61, 0x63, 0x68, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x64,
 	0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x22, 0x23, 0x0a, 0x0b, 0x4d, 0x65, 0x74, 0x61, 0x4b,
 	0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xa2, 0x01, 0x0a,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xd5, 0x01, 0x0a,
 	0x0f, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63,
 	0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67,
@@ -944,43 +952,46 @@ var file_resource_definitions_runtime_runtime_proto_rawDesc = []byte{
 	0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69,
 	0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
 	0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
-	0x64, 0x22, 0xf5, 0x01, 0x0a, 0x14, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x4d, 0x65,
-	0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6c,
-	0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6c,
-	0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61,
-	0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61,
-	0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x7a, 0x6f,
-	0x6e, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x7a, 0x6f, 0x6e, 0x65, 0x12, 0x23,
-	0x0a, 0x0d, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18,
-	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x54,
-	0x79, 0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f,
-	0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e,
-	0x63, 0x65, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72,
-	0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x6f, 0x76, 0x69,
-	0x64, 0x65, 0x72, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x70, 0x6f, 0x74, 0x18, 0x08, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x70, 0x6f, 0x74, 0x22, 0xb2, 0x01, 0x0a, 0x11, 0x53, 0x65,
-	0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x53, 0x70, 0x65, 0x63, 0x12,
-	0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x42, 0x6f, 0x6f, 0x74,
-	0x12, 0x3d, 0x0a, 0x1b, 0x75, 0x6b, 0x69, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f,
-	0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x75, 0x6b, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e,
-	0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12,
-	0x3d, 0x0a, 0x1b, 0x70, 0x63, 0x72, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b,
-	0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x70, 0x63, 0x72, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67,
-	0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x22, 0x3c,
-	0x0a, 0x0e, 0x55, 0x6e, 0x6d, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e,
-	0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
-	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x42, 0x4c, 0x5a, 0x4a,
-	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72,
-	0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f,
-	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f,
-	0x6e, 0x73, 0x2f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
+	0x64, 0x12, 0x31, 0x0a, 0x14, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+	0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69,
+	0x64, 0x65, 0x72, 0x73, 0x22, 0xf5, 0x01, 0x0a, 0x14, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72,
+	0x6d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1a, 0x0a,
+	0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73,
+	0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73,
+	0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a,
+	0x04, 0x7a, 0x6f, 0x6e, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x7a, 0x6f, 0x6e,
+	0x65, 0x12, 0x23, 0x0a, 0x0d, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x74, 0x79,
+	0x70, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e,
+	0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e,
+	0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x6e, 0x73,
+	0x74, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x6f, 0x76, 0x69,
+	0x64, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x70, 0x6f, 0x74,
+	0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x70, 0x6f, 0x74, 0x22, 0xb2, 0x01, 0x0a,
+	0x11, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x53, 0x70,
+	0x65, 0x63, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x62, 0x6f, 0x6f,
+	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x42,
+	0x6f, 0x6f, 0x74, 0x12, 0x3d, 0x0a, 0x1b, 0x75, 0x6b, 0x69, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69,
+	0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69,
+	0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x75, 0x6b, 0x69, 0x53, 0x69, 0x67,
+	0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69,
+	0x6e, 0x74, 0x12, 0x3d, 0x0a, 0x1b, 0x70, 0x63, 0x72, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e,
+	0x67, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e,
+	0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x70, 0x63, 0x72, 0x53, 0x69, 0x67, 0x6e,
+	0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e,
+	0x74, 0x22, 0x3c, 0x0a, 0x0e, 0x55, 0x6e, 0x6d, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74,
+	0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f,
+	0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x42,
+	0x4c, 0x5a, 0x4a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69,
+	0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70,
+	0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69,
+	0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69,
+	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/pkg/machinery/api/resource/definitions/runtime/runtime_vtproto.pb.go
+++ b/pkg/machinery/api/resource/definitions/runtime/runtime_vtproto.pb.go
@@ -556,6 +556,15 @@ func (m *MountStatusSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if len(m.EncryptionProviders) > 0 {
+		for iNdEx := len(m.EncryptionProviders) - 1; iNdEx >= 0; iNdEx-- {
+			i -= len(m.EncryptionProviders[iNdEx])
+			copy(dAtA[i:], m.EncryptionProviders[iNdEx])
+			i = encodeVarint(dAtA, i, uint64(len(m.EncryptionProviders[iNdEx])))
+			i--
+			dAtA[i] = 0x32
+		}
+	}
 	if m.Encrypted {
 		i--
 		if m.Encrypted {
@@ -1016,6 +1025,12 @@ func (m *MountStatusSpec) SizeVT() (n int) {
 	if m.Encrypted {
 		n += 2
 	}
+	if len(m.EncryptionProviders) > 0 {
+		for _, s := range m.EncryptionProviders {
+			l = len(s)
+			n += 1 + l + sov(uint64(l))
+		}
+	}
 	n += len(m.unknownFields)
 	return n
 }
@@ -2302,6 +2317,38 @@ func (m *MountStatusSpec) UnmarshalVT(dAtA []byte) error {
 				}
 			}
 			m.Encrypted = bool(v != 0)
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EncryptionProviders", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLength
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.EncryptionProviders = append(m.EncryptionProviders, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skip(dAtA[iNdEx:])
--- a/pkg/machinery/config/config/machine.go
+++ b/pkg/machinery/config/config/machine.go
@@ -364,18 +364,24 @@ type EncryptionKey interface {
 // EncryptionKeyStatic ephemeral encryption key.
 type EncryptionKeyStatic interface {
 	Key() []byte
+	String() string
 }

 // EncryptionKeyKMS encryption key sealed by KMS.
 type EncryptionKeyKMS interface {
 	Endpoint() string
+	String() string
 }

 // EncryptionKeyNodeID deterministically generated encryption key.
-type EncryptionKeyNodeID interface{}
+type EncryptionKeyNodeID interface {
+	String() string
+}

 // EncryptionKeyTPM encryption key sealed by TPM.
-type EncryptionKeyTPM interface{}
+type EncryptionKeyTPM interface {
+	String() string
+}

 // Encryption defines settings for the partition encryption.
 type Encryption interface {
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
@@ -1384,6 +1384,16 @@ func (e *EncryptionKey) TPM() config.EncryptionKeyTPM {
 	return e.KeyTPM
 }

+// String implements the config.Provider interface.
+func (e *EncryptionKeyNodeID) String() string {
+	return "nodeid"
+}
+
+// String implements the config.Provider interface.
+func (e *EncryptionKeyTPM) String() string {
+	return "tpm"
+}
+
 // Slot implements the config.Provider interface.
 func (e *EncryptionKey) Slot() int {
 	return e.KeySlot
@@ -1394,11 +1404,21 @@ func (e *EncryptionKeyStatic) Key() []byte {
 	return []byte(e.KeyData)
 }

+// String implements the config.Provider interface.
+func (e *EncryptionKeyStatic) String() string {
+	return "static"
+}
+
 // Endpoint implements the config.Provider interface.
 func (e *EncryptionKeyKMS) Endpoint() string {
 	return e.KMSEndpoint
 }

+// String implements the config.Provider interface.
+func (e *EncryptionKeyKMS) String() string {
+	return "kms"
+}
+
 // Get implements the config.Provider interface.
 func (e *SystemDiskEncryptionConfig) Get(label string) config.Encryption {
 	switch label {
--- a/pkg/machinery/resources/runtime/deep_copy.generated.go
+++ b/pkg/machinery/resources/runtime/deep_copy.generated.go
@@ -104,6 +104,10 @@ func (o MountStatusSpec) DeepCopy() MountStatusSpec {
 		cp.Options = make([]string, len(o.Options))
 		copy(cp.Options, o.Options)
 	}
+	if o.EncryptionProviders != nil {
+		cp.EncryptionProviders = make([]string, len(o.EncryptionProviders))
+		copy(cp.EncryptionProviders, o.EncryptionProviders)
+	}
 	return cp
 }

--- a/pkg/machinery/resources/runtime/mount_status.go
+++ b/pkg/machinery/resources/runtime/mount_status.go
@@ -23,11 +23,12 @@ type MountStatus = typed.Resource[MountStatusSpec, MountStatusExtension]
 //
 //gotagsrewrite:gen
 type MountStatusSpec struct {
-	Source         string   `yaml:"source" protobuf:"1"`
-	Target         string   `yaml:"target" protobuf:"2"`
-	FilesystemType string   `yaml:"filesystemType" protobuf:"3"`
-	Options        []string `yaml:"options" protobuf:"4"`
-	Encrypted      bool     `yaml:"encrypted" protobuf:"5"`
+	Source              string   `yaml:"source" protobuf:"1"`
+	Target              string   `yaml:"target" protobuf:"2"`
+	FilesystemType      string   `yaml:"filesystemType" protobuf:"3"`
+	Options             []string `yaml:"options" protobuf:"4"`
+	Encrypted           bool     `yaml:"encrypted" protobuf:"5"`
+	EncryptionProviders []string `yaml:"encryptionProviders,omitempty" protobuf:"6"`
 }

 // NewMountStatus initializes a MountStatus resource.
--- a/website/content/v1.6/reference/api.md
+++ b/website/content/v1.6/reference/api.md
@@ -3617,6 +3617,7 @@ MountStatusSpec describes status of the defined sysctls.
 | filesystem_type | [string](#string) |  |  |
 | options | [string](#string) | repeated |  |
 | encrypted | [bool](#bool) |  |  |
+| encryption_providers | [string](#string) | repeated |  |