Encrypting Secret Data at Rest

    • You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

      Your Kubernetes server must be at or later than version 1.13. To check the version, enter .

    • etcd v3.0 or later is required

    Configuration and determining whether encryption at rest is already enabled

    The kube-apiserver process accepts an argument --encryption-provider-config that controls how API data is encrypted in etcd. An example configuration is provided below.

    Each resources array item is a separate config and contains a complete configuration. The resources.resources field is an array of Kubernetes resource names (resource or resource.group) that should be encrypted. The providers array is an ordered list of the possible encryption providers. Only one provider type may be specified per entry (identity or aescbc may be provided, but not both in the same item).

    The first provider in the list is used to encrypt resources going into storage. When reading resources from storage each provider that matches the stored data attempts to decrypt the data in order. If no provider can read the stored data due to a mismatch in format or secret key, an error is returned which prevents clients from accessing that resource.

    Caution: IMPORTANT: If any resource is not readable via the encryption config (because keys were changed), the only recourse is to delete that key from the underlying etcd directly. Calls that attempt to read that resource will fail until it is deleted or a valid decryption key is provided.

    Each provider supports multiple keys - the keys are tried in order for decryption, and if the provider is the first provider, the first key is used for encryption.

    Storing the raw encryption key in the EncryptionConfig only moderately improves your security posture, compared to no encryption. Please use kms provider for additional security. By default, the identity provider is used to protect secrets in etcd, which provides no encryption. was introduced to encrypt secrets locally, with a locally managed key.

    Encrypting secrets with a locally managed key protects against an etcd compromise, but it fails to protect against a host compromise. Since the encryption keys are stored on the host in the EncryptionConfig YAML file, a skilled attacker can access that file and extract the encryption keys.

    Encrypting your data

    Create a new encryption config file:

    1. kind: EncryptionConfiguration
    2. resources:
    3. - resources:
    4. - secrets
    5. providers:
    6. - aescbc:
    7. keys:
    8. - name: key1
    9. secret: <BASE 64 ENCODED SECRET>
    10. - identity: {}

    To create a new secret perform the following steps:

    1. Generate a 32 byte random key and base64 encode it. If you’re on Linux or macOS, run the following command:

    2. Place that value in the secret field.

    3. Set the --encryption-provider-config flag on the kube-apiserver to point to the location of the config file.

    Caution: Your config file contains keys that can decrypt content in etcd, so you must properly restrict permissions on your masters so only the user who runs the kube-apiserver can read it.

    Data is encrypted when written to etcd. After restarting your kube-apiserver, any newly created or updated secret should be encrypted when stored. To check, you can use the etcdctl command line program to retrieve the contents of your secret.

    1. Create a new secret called secret1 in the namespace:

      1. kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
    2. Using the etcdctl commandline, read that secret out of etcd:

      where [...] must be the additional arguments for connecting to the etcd server.

    3. Verify the stored secret is prefixed with k8s:enc:aescbc:v1: which indicates the aescbc provider has encrypted the resulting data.

    4. Verify the secret is correctly decrypted when retrieved via the API:

      should match mykey: bXlkYXRh, mydata is encoded, check to completely decode the secret.

    Ensure all secrets are encrypted

    Since secrets are encrypted on write, performing an update on a secret will encrypt that content.

    1. kubectl get secrets --all-namespaces -o json | kubectl replace -f -

    The command above reads all secrets and then updates them to apply server side encryption.

    Note: If an error occurs due to a conflicting write, retry the command. For larger clusters, you may wish to subdivide the secrets by namespace or script an update.

    Changing the secret without incurring downtime requires a multi step operation, especially in the presence of a highly available deployment where multiple kube-apiserver processes are running.

    1. Generate a new key and add it as the second key entry for the current provider on all servers
    2. Restart all kube-apiserver processes to ensure each server can decrypt using the new key
    3. Make the new key the first entry in the keys array so that it is used for encryption in the config
    4. Restart all kube-apiserver processes to ensure each server now encrypts using the new key
    5. Run kubectl get secrets --all-namespaces -o json | kubectl replace -f - to encrypt all existing secrets with the new key
    6. Remove the old decryption key from the config after you back up etcd with the new key in use and update all secrets

    With a single kube-apiserver, step 2 may be skipped.

    Decrypting all data

    To disable encryption at rest place the identity provider as the first entry in the config:

    1. kubectl get secrets --all-namespaces -o json | kubectl replace -f -

    to force all secrets to be decrypted.