Kubernetes Secrets Encryption
This directory contains configuration for encrypting Kubernetes secrets at rest.
What is this for?
Kubernetes secrets are stored in etcd, and by default they are stored as plaintext. This encryption configuration ensures that secrets are encrypted when stored in etcd, providing an additional layer of security.
Files
encryption-config.yaml- Main encryption configuration file
How it works
- The API server uses this configuration to encrypt secrets before storing them in etcd
- When secrets are retrieved, they are automatically decrypted by the API server
- This provides encryption at rest for all Kubernetes secrets
Security Notes
- The encryption key is stored in this file (base64 encoded)
- This file should be protected and not committed to version control in production
- For development, this provides basic encryption at rest
- In production, consider using a proper key management system
Generating a new key
openssl rand -base64 32
Configuration Details
- Algorithm: AES-CBC with 256-bit keys
- Provider:
aescbc- AES-CBC encryption provider - Fallback:
identity- Allows reading unencrypted secrets during migration
Usage
This configuration is automatically used by the Kind cluster configuration in kind-config.yaml. The file is mounted into the Kubernetes control plane container and referenced by the API server configuration.
Rotation
To rotate keys:
- Add a new key to the
keysarray - Make the new key the first in the array
- Restart the API server
- Old keys can be removed after all secrets have been re-encrypted with the new key
Compliance
This encryption helps satisfy:
- GDPR Article 32 - Security of processing
- PCI DSS Requirement 3.4 - Encryption of sensitive data
- ISO 27001:2022 - Cryptographic controls