Initial commit - production deployment
This commit is contained in:
55
infrastructure/platform/security/encryption/README.md
Normal file
55
infrastructure/platform/security/encryption/README.md
Normal file
@@ -0,0 +1,55 @@
|
||||
# Kubernetes Secrets Encryption
|
||||
|
||||
This directory contains configuration for encrypting Kubernetes secrets at rest.
|
||||
|
||||
## What is this for?
|
||||
|
||||
Kubernetes secrets are stored in etcd, and by default they are stored as plaintext. This encryption configuration ensures that secrets are encrypted when stored in etcd, providing an additional layer of security.
|
||||
|
||||
## Files
|
||||
|
||||
- `encryption-config.yaml` - Main encryption configuration file
|
||||
|
||||
## How it works
|
||||
|
||||
1. The API server uses this configuration to encrypt secrets before storing them in etcd
|
||||
2. When secrets are retrieved, they are automatically decrypted by the API server
|
||||
3. This provides encryption at rest for all Kubernetes secrets
|
||||
|
||||
## Security Notes
|
||||
|
||||
- The encryption key is stored in this file (base64 encoded)
|
||||
- This file should be protected and not committed to version control in production
|
||||
- For development, this provides basic encryption at rest
|
||||
- In production, consider using a proper key management system
|
||||
|
||||
## Generating a new key
|
||||
|
||||
```bash
|
||||
openssl rand -base64 32
|
||||
```
|
||||
|
||||
## Configuration Details
|
||||
|
||||
- **Algorithm**: AES-CBC with 256-bit keys
|
||||
- **Provider**: `aescbc` - AES-CBC encryption provider
|
||||
- **Fallback**: `identity` - Allows reading unencrypted secrets during migration
|
||||
|
||||
## Usage
|
||||
|
||||
This configuration is automatically used by the Kind cluster configuration in `kind-config.yaml`. The file is mounted into the Kubernetes control plane container and referenced by the API server configuration.
|
||||
|
||||
## Rotation
|
||||
|
||||
To rotate keys:
|
||||
1. Add a new key to the `keys` array
|
||||
2. Make the new key the first in the array
|
||||
3. Restart the API server
|
||||
4. Old keys can be removed after all secrets have been re-encrypted with the new key
|
||||
|
||||
## Compliance
|
||||
|
||||
This encryption helps satisfy:
|
||||
- GDPR Article 32 - Security of processing
|
||||
- PCI DSS Requirement 3.4 - Encryption of sensitive data
|
||||
- ISO 27001:2022 - Cryptographic controls
|
||||
@@ -0,0 +1,17 @@
|
||||
# Kubernetes Secrets Encryption Configuration
|
||||
# This file configures encryption at rest for Kubernetes secrets
|
||||
# Used by the API server to encrypt secret data stored in etcd
|
||||
|
||||
apiVersion: apiserver.config.k8s.io/v1
|
||||
kind: EncryptionConfiguration
|
||||
resources:
|
||||
- resources:
|
||||
- secrets
|
||||
providers:
|
||||
- aescbc:
|
||||
keys:
|
||||
- name: key1
|
||||
# 32-byte (256-bit) AES key encoded in base64
|
||||
# Generated using: openssl rand -base64 32
|
||||
secret: 62um3zP5aidjVSIB0ckAxF/Ms8EDy/Z8LyMGTdMuoSM=
|
||||
- identity: {}
|
||||
Reference in New Issue
Block a user