Encryption at Rest

Encryption at rest protects secrets stored in etcd by encrypting them before they’re written to disk. This ensures that even if someone gains access to etcd data, they cannot read the secrets without the encryption key.

Why Encryption at Rest?

By default, Kubernetes secrets are stored in etcd as base64-encoded values, not encrypted. This means:

  • Anyone with etcd access can read secrets
  • Backup files contain unencrypted secrets
  • etcd snapshots expose sensitive data

Encryption at rest encrypts secrets before storing them in etcd.

Enabling Encryption at Rest

1. Create Encryption Configuration

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  # Providers are tried in order when reading; the first one is used for writing.
  providers:
  - aescbc:
      keys:
      - name: key1
        secret: <base64-encoded-32-byte-key>
  # identity (no encryption) stays last so that secrets written before
  # encryption was enabled can still be read.
  - identity: {}

2. Generate Encryption Key

# Generate a 32-byte random key and base64-encode it for the configuration file
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
# Paste this value into the secret: field of key1 in the configuration above
echo "$ENCRYPTION_KEY"

3. Update API Server

Add the flag and a volume mount for the configuration file to the kube-apiserver manifest; the API server picks the setting up when it restarts:

spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # point the API server at the EncryptionConfiguration created above
    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
    volumeMounts:
    - name: encryption-config
      mountPath: /etc/kubernetes/encryption-config.yaml
      readOnly: true
  volumes:
  - name: encryption-config
    # the file on the control-plane node; it contains the key, so restrict its permissions
    hostPath:
      path: /etc/kubernetes/encryption-config.yaml

KMS Integration

AWS KMS

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - kms:
      name: aws-kms
      # Unix socket of the KMS plugin running on the same control-plane node
      endpoint: unix:///tmp/kms.socket
      # number of data encryption keys kept in memory
      cachesize: 100
      # per-request timeout for calls to the plugin
      timeout: 3s

Google Cloud KMS

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - kms:
      name: gcp-kms
      # Unix socket of the KMS plugin running on the same control-plane node
      endpoint: unix:///tmp/kms.socket
      # number of data encryption keys kept in memory
      cachesize: 100
      # per-request timeout for calls to the plugin
      timeout: 3s

Best Practices

  1. Use KMS for production - Cloud KMS provides key management
  2. Rotate keys regularly - Implement key rotation
  3. Test encryption - Verify secrets are encrypted
  4. Backup keys securely - Store encryption keys safely
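One way to carry out the third practice, as an added example that is not part of the original page: a POSIX shell classifier that reads the prefix of a value stored in etcd, plus an audit_secret helper (assumed name) that fetches one Secret with etcdctl. The etcdctl endpoint and certificate paths are assumed kubeadm defaults; the sample values at the end are constructed, not real etcd data.

```shell
# Added example: classify a raw etcd value for a Secret by its storage prefix.
# The kube-apiserver prefixes encrypted values with k8s:enc:<provider>:v1:<name>:
# (kms also has a v2 format); unencrypted values start with "k8s" and a NUL byte.

# Print which provider wrote the value: aescbc:<keyname>, kms:<name>,
# encrypted:<provider> for other providers, plaintext, or unknown.
classify_etcd_value() {
  value=$1
  case $value in
    k8s:enc:aescbc:v1:*)
      rest=${value#k8s:enc:aescbc:v1:}   # drop the fixed prefix
      echo "aescbc:${rest%%:*}" ;;       # key name ends at the next ':'
    k8s:enc:kms:v1:*|k8s:enc:kms:v2:*)
      rest=${value#k8s:enc:kms:v?:}
      echo "kms:${rest%%:*}" ;;
    k8s:enc:*)                            # aesgcm, secretbox, ...
      rest=${value#k8s:enc:}
      echo "encrypted:${rest%%:*}" ;;
    k8s*)
      # the NUL after "k8s" is dropped by command substitution, so only the
      # three ASCII bytes of the protobuf magic are visible here
      echo "plaintext" ;;
    *)
      echo "unknown" ;;
  esac
}

# Read one Secret straight from etcd on a control-plane node and classify it.
# Assumed: etcdctl is installed and the certificate paths are kubeadm defaults;
# adjust them for your cluster. Arguments: namespace, secret name.
audit_secret() {
  raw=$(ETCDCTL_API=3 etcdctl \
    --endpoints=https://127.0.0.1:2379 \
    --cacert=/etc/kubernetes/pki/etcd/ca.crt \
    --cert=/etc/kubernetes/pki/etcd/server.crt \
    --key=/etc/kubernetes/pki/etcd/server.key \
    get "/registry/secrets/$1/$2" --print-value-only)
  classify_etcd_value "$raw"
}

# Constructed sample values (not real etcd data) to exercise the classifier offline.
for v in 'k8s:enc:aescbc:v1:key1:<ciphertext>' \
         'k8s:enc:kms:v1:aws-kms:<ciphertext>' \
         'k8s<protobuf bytes>'; do
  printf '%-40s -> %s\n' "$v" "$(classify_etcd_value "$v")"
done
```

On a live cluster, `audit_secret default my-secret` should print aescbc:key1 (or kms:<name>); plaintext means the identity provider is still listed first, or the Secret was written before encryption was enabled and has not been rewritten since. Secrets written before enabling encryption are only re-encrypted when they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`.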

See Also