Encrypting secret data in kubernetes etcd store

10/20/2018

By default, all the data stored in etcd is not encrypted. For production deployments, some of the data stored in etcd needs to be encrypted, such as secrets. Is there a way to store the secrets, in an encrypted way, in etcd, by default?

-- Ijaz Ahmad Khan
confidentiality
encryption
etcd
kubernetes
security

1 Answer

10/21/2018

To have encryption, you need to instruct the apiserver service with this parameter:

--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml

where the yaml file contains this:

kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}

Here the provider is aescbc (the strongest encryption), and the variable is generated beforehand:

ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)

Take a look at these documents:

-- Nicola Ben
Source: StackOverflow
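The following script is an added example, not part of the answer above or of any Kubernetes project code. It puts the answer's steps into functions: generate a key, check that it decodes to a length aescbc actually accepts (16, 24 or 32 raw bytes, which is what the apiserver validates at startup), render the same EncryptionConfig file, and inspect a raw etcd value to confirm a secret was written through the provider. The `${ENCRYPTION_KEY}` in the answer's YAML is meant to be expanded by the shell when the file is written (a heredoc, as here); the apiserver itself does not expand variables. The output path and key name (`key1`) are taken from the answer; the etcd value passed to the check function is a constructed sample, and the `k8s:enc:aescbc:v1:<keyname>:` prefix is the marker the apiserver puts in front of aescbc-encrypted values. On current Kubernetes releases the flag is `--encryption-provider-config` (no `experimental-` prefix) and the file uses `apiVersion: apiserver.config.k8s.io/v1` with `kind: EncryptionConfiguration`; the provider list is unchanged.

```shell
#!/bin/sh
# Added example (not from the original answer): key generation, config rendering
# and an etcd-side check for Kubernetes secret encryption at rest.
set -eu

# Number of raw bytes a base64 key decodes to. aescbc needs 16, 24 or 32
# (AES-128/192/256); anything else makes the apiserver refuse to start.
key_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Same generation as the answer: 32 random bytes, base64-encoded (AES-256).
gen_key() {
  head -c 32 /dev/urandom | base64
}

# Render the answer's EncryptionConfig to $2 using key $1. The first provider
# in the list is used for writes; the trailing identity provider lets secrets
# that were stored before encryption was enabled still be read.
write_encryption_config() {
  key="$1"; out="$2"
  n=$(key_bytes "$key")
  case "$n" in
    16|24|32) ;;
    *) echo "key must decode to 16, 24 or 32 bytes, got ${n}" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
  # The file holds the key material: owner-readable only.
  chmod 600 "$out"
}

# $1 is the raw value of a secret's key in etcd, e.g. what
#   etcdctl get /registry/secrets/default/mysecret
# prints. Values written through aescbc start with "k8s:enc:aescbc:v1:<keyname>:";
# plaintext values start with the protobuf magic "k8s" instead.
etcd_value_encrypted() {
  case "$1" in
    k8s:enc:aescbc:v1:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demo: renders to a temporary file so nothing on the host is touched.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_encryption_config "$(gen_key)" "$f"
  cat "$f"
  rm -f "$f"
fi
```

Run `sh encryption-config.sh --demo` to see the rendered file; for a real node, call `write_encryption_config "$(gen_key)" /var/lib/kubernetes/encryption-config.yaml`, point the apiserver flag from the answer at it, and restart the apiserver. Enabling the provider only affects writes: secrets that already exist stay in plaintext in etcd until they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. After that, dump one secret's raw value with `etcdctl get` and feed it to `etcd_value_encrypted` (or just look for the `k8s:enc:aescbc:v1:key1:` prefix in `hexdump -C` output) to confirm the provider is in effect.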