# Kubernetes Secrets Encryption

This directory contains configuration for encrypting Kubernetes secrets at rest.

## What is this for?

Kubernetes secrets are stored in etcd, and by default they are stored as plaintext. This encryption configuration ensures that secrets are encrypted when stored in etcd, providing an additional layer of security.

## Files

- `encryption-config.yaml` - Main encryption configuration file

## How it works

1. The API server uses this configuration to encrypt secrets before storing them in etcd
2. When secrets are retrieved, they are automatically decrypted by the API server
3. This provides encryption at rest for all Kubernetes secrets

## Security Notes

- The encryption key is stored in this file (base64 encoded)
- This file should be protected and not committed to version control in production
- For development, this provides basic encryption at rest
- In production, consider using a proper key management system

## Generating a new key

```bash
openssl rand -base64 32
```

## Configuration Details

- **Algorithm**: AES-CBC with 256-bit keys
- **Provider**: `aescbc` - AES-CBC encryption provider
- **Fallback**: `identity` - Allows reading unencrypted secrets during migration

## Usage

This configuration is automatically used by the Kind cluster configuration in `kind-config.yaml`. The file is mounted into the Kubernetes control plane container and referenced by the API server configuration.

## Rotation

To rotate keys:

1. Add a new key to the `keys` array
2. Make the new key the first in the array
3. Restart the API server
4. Old keys can be removed after all secrets have been re-encrypted with the new key

## Compliance

This encryption helps satisfy:

- GDPR Article 32 - Security of processing
- PCI DSS Requirement 3.4 - Encryption of sensitive data
- ISO 27001:2022 - Cryptographic controls
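The rotation steps above, worked as an added shell example (not part of this repository's own files): it renders an `EncryptionConfiguration` with the new key first in the `aescbc` `keys` array and `identity` as the trailing fallback, and checks that a key really is 32 bytes before it is used. The output file name `encryption-config.yaml` and the key names `key1`/`key2` are assumptions; the `kubectl replace` step is the standard way to rewrite every secret under the new first key.

```bash
#!/usr/bin/env bash
# Added example for key rotation of the aescbc provider (not the project's own code).
set -euo pipefail

# Verify a base64 key decodes to exactly 32 bytes (AES-256). Returns 0 if valid.
check_key_length() {
  local key="$1"
  [ "$(printf '%s' "$key" | base64 -d | wc -c)" -eq 32 ]
}

# Render the config. Arguments are name:base64 pairs in the order they should
# appear; the FIRST pair is the key the API server encrypts with, the rest are
# kept so existing secrets written under older keys can still be decrypted.
render_encryption_config() {
  cat <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
EOF
  local pair
  for pair in "$@"; do
    printf '            - name: %s\n              secret: %s\n' "${pair%%:*}" "${pair#*:}"
  done
  # identity last: reads plaintext secrets left over from before encryption was enabled
  printf '      - identity: {}\n'
}

# Name of the first (write) key in a rendered config, for a quick sanity check.
first_key_name() {
  grep -m1 'name:' | awk '{print $3}'
}

# Full rotation; only runs when ROTATE_APPLY=1 so the file can be sourced safely.
# OLD_KEY is the base64 value currently in encryption-config.yaml (assumption).
if [ "${ROTATE_APPLY:-0}" = 1 ]; then
  NEW_KEY="$(openssl rand -base64 32)"
  check_key_length "$NEW_KEY" && check_key_length "${OLD_KEY:?}"
  render_encryption_config "key2:$NEW_KEY" "key1:$OLD_KEY" > encryption-config.yaml
  echo "restart the API server, then re-encrypt all secrets under key2:"
  echo "  kubectl get secrets --all-namespaces -o json | kubectl replace -f -"
  echo "afterwards key1 can be dropped from the keys array"
fi
```

The `identity` provider must stay last: placing it first would cause the API server to write secrets in plaintext.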