Implementing Encryption at Rest
Encryption at rest protects Secrets stored in etcd from anyone who can read the etcd data directory, an etcd backup, or the etcd API directly without going through the Kubernetes API. Kubernetes supports multiple encryption providers through an EncryptionConfiguration file that is passed to kube-apiserver with the --encryption-provider-config flag. The encryption happens in the API server: objects are encrypted before they are written to etcd and decrypted when they are read back, so a client with RBAC permission to read a Secret still receives plaintext. It is therefore a complement to RBAC, not a substitute for it, and it does not protect against a compromised API server or control-plane node, since that node holds the keys (or the socket to the KMS plugin). Proper implementation requires careful key management and a documented, regularly exercised rotation procedure.
The encryption configuration file defines, for each set of resource types, an ordered list of providers. The first provider in the list encrypts new writes; on reads, the API server tries the listed providers in order, so an identity provider placed last lets it keep reading objects written before encryption was enabled, while an identity provider placed first disables encryption for new writes. Organizations can choose different providers for different resources, and Secrets are the usual target, though any resource type can be listed. Among the local providers, aescbc (AES-CBC with PKCS#7 padding) is discouraged by the Kubernetes documentation because CBC is exposed to padding-oracle attacks, and aesgcm is only acceptable if its keys are rotated at least every 200,000 writes, because the provider uses random nonces and the collision risk grows with the number of writes under one key. secretbox (XSalsa20 with Poly1305) is the recommended static-key provider, and kms delegates key handling to an external service. The choice depends on security requirements, performance, and the operational ability to rotate keys on schedule.
# Encryption configuration for the API server
# (referenced by kube-apiserver --encryption-provider-config)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider encrypts new writes, and the first key listed under it is
      # the active key; later keys are only used to decrypt. Kubernetes does not
      # rotate aesgcm keys automatically; rotate them by hand within 200,000 writes.
      - aesgcm:
          keys:
            - name: key2
              secret: <base64-encoded 32-byte key>   # generate with: head -c 32 /dev/urandom | base64
            - name: key1
              secret: <base64-encoded 32-byte key>   # previous key, kept until every Secret is re-encrypted
      # identity last: read-only fallback for data written before encryption was enabled
      - identity: {}
  - resources:
      - configmaps
    providers:
      # aescbc is discouraged (CBC padding-oracle exposure); it is shown here only to
      # illustrate using a different provider for a less sensitive resource type
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded 32-byte key>   # aescbc/aesgcm accept 16, 24 or 32 bytes
      - identity: {}
---
# KMS provider configuration for cloud environments. The API server talks to a
# KMS plugin over a Unix socket; the plugin wraps locally generated data-encryption
# keys with a key that stays inside the cloud KMS (optionally HSM-backed).
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # KMS v2 (GA since Kubernetes 1.29; v1 is deprecated). The v1 API also took a
      # cachesize field, which v2 does not accept.
      - kms:
          apiVersion: v2
          name: aws-kms   # arbitrary label; it appears in the etcd prefix k8s:enc:kms:v2:aws-kms:
          endpoint: unix:///var/run/kms-plugin.sock
          timeout: 3s
      # identity last: read-only fallback for data written before encryption was enabled
      - identity: {}
Key management for encryption at rest requires careful planning. Static keys live in the configuration file on every control-plane node, so anyone who can read that file together with etcd (or an etcd backup) can decrypt everything; restrict the file to root, keep it out of version control, and never store it alongside etcd snapshots. Rotation with a static-key provider is a manual, multi-step procedure: generate a new key and add it as the second entry under the active provider, restart every kube-apiserver so all of them can decrypt with it, move the new key to the first position and restart again so all of them encrypt with it, re-encrypt every stored object (for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -), and only then remove the old key and restart once more. Removing a key before every object written under it has been rewritten makes those objects unreadable. You can confirm what a stored object was encrypted with by reading it straight from etcd (ETCDCTL_API=3 etcdctl get /registry/secrets/default/<name> | hexdump -C) and checking that the value begins with a prefix such as k8s:enc:aesgcm:v1:key2: rather than plaintext JSON. Key Management Service (KMS) integration removes the key-encryption key from the node entirely: the API server generates data-encryption keys locally and a KMS plugin wraps them with a key that never leaves the KMS, so an etcd dump plus the configuration file is no longer enough to decrypt, and rotation of the KMS key does not require touching the API server configuration. Cloud providers offer KMS plugins that integrate with their key management services, enabling hardware security module (HSM) backed encryption.
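The checks behind the configuration and rotation procedure above, written here as an added example for this page (not Kubernetes' own tooling or any vendor's code): generate a correctly sized key, validate key length per provider before deploying a configuration, decode the provider prefix the API server writes into etcd, and count the objects still on an old key or unencrypted after a re-encryption pass. It assumes a bash shell with coreutils (head, base64, wc, awk). The key names and the etcd values it scans are constructed for the illustration, and the "stale" count is a simple check of the prefixes, not a substitute for reading your own etcd.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or from Kubernetes.
# Helpers for a static-key EncryptionConfiguration: key generation and
# validation, and a check of what is actually stored in etcd after rotation.
# Assumes bash + coreutils; the sample etcd values below are constructed.
set -eu

# One base64-encoded 32-byte key: the size aescbc/aesgcm allow and secretbox requires.
gen_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Decoded length in bytes of a base64 string (the length the API server will see).
key_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Key lengths Kubernetes accepts: aescbc/aesgcm 16, 24 or 32 bytes; secretbox exactly 32.
# Returns non-zero for a bad length so a deploy script can refuse the config.
check_key_len() {
  provider=$1
  n=$(key_bytes "$2")
  case "$provider" in
    aescbc|aesgcm) [ "$n" -eq 16 ] || [ "$n" -eq 24 ] || [ "$n" -eq 32 ] ;;
    secretbox)     [ "$n" -eq 32 ] ;;
    *) echo "unknown provider: $provider" >&2; return 2 ;;
  esac
}

# Which provider and key wrote a raw etcd value. Encrypted values carry the prefix
# "k8s:enc:<provider>:v1:<keyname>:" (kms v2 uses "v2" and the kms name);
# anything else is plaintext, i.e. written by the identity provider.
storage_provider() {
  case "$1" in
    k8s:enc:*)
      rest=${1#k8s:enc:}        # "<provider>:vN:<keyname>:<ciphertext>"
      provider=${rest%%:*}
      rest=${rest#*:}           # "vN:<keyname>:<ciphertext>"
      rest=${rest#*:}           # "<keyname>:<ciphertext>"
      echo "$provider ${rest%%:*}"
      ;;
    *) echo identity ;;
  esac
}

# Read etcd values one per line from stdin and count those not encrypted with the
# expected current key name. After "kubectl get secrets -A -o json | kubectl
# replace -f -" this should be 0 before the old key is removed from the config.
audit_dump() {
  current=$1
  stale=0
  while IFS= read -r value; do
    keyname=$(storage_provider "$value" | awk '{print $2}')
    [ "$keyname" = "$current" ] || stale=$((stale + 1))
  done
  echo "$stale"
}

# Constructed sample: three values as etcdctl would return them after rotating to
# key2. One is on key2, one is still on key1, one was never encrypted: 2 stale.
printf '%s\n' \
  'k8s:enc:aesgcm:v1:key2:Y2lwaGVydGV4dC1uZXc=' \
  'k8s:enc:aesgcm:v1:key1:Y2lwaGVydGV4dC1vbGQ=' \
  '{"kind":"Secret","apiVersion":"v1","metadata":{"name":"legacy"}}' \
  | audit_dump key2
```

In practice the input to audit_dump would come from etcdctl (for example, the values under /registry/secrets/), and a non-zero count means the old key must stay in the configuration until another re-encryption pass brings it to zero.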