Skip to content

EncryptionConfig in Kubernetes

EncryptionConfig is a Kubernetes feature that allows you to encrypt sensitive data stored in etcd. Kubernetes uses etcd as its backend storage for cluster data, and while etcd supports encryption at the disk level, EncryptionConfig provides additional protection by encrypting specific Kubernetes resources at the application layer.

Why Use EncryptionConfig?

  1. Enhanced Security:

  2. Protect sensitive data such as Secrets, ConfigMaps, and other resources stored in etcd.

  3. Prevent unauthorized access to sensitive information in case etcd backups or snapshots are compromised.

  4. Compliance:

  5. Helps meet regulatory requirements by encrypting data at rest in etcd.

  6. Granular Control:

  7. Allows encryption of specific resources or resource types.

How It Works

  1. Encryption Providers:

  2. Kubernetes uses encryption providers to specify the type of encryption used.

  3. Supported providers include:

    • AES-CBC: Encrypts data using the AES algorithm in Cipher Block Chaining mode.
    • SecretBox: Uses the NaCl SecretBox algorithm for encryption.
    • Identity: No encryption; the data is stored as plaintext.

  4. EncryptionConfig File:

  5. An EncryptionConfig file specifies which resources should be encrypted and the encryption method.

  6. Decryption on Access:

  7. Encrypted data is decrypted automatically when accessed via the Kubernetes API server.

Example EncryptionConfig

The following example encrypts Secrets using the AES-CBC encryption provider:

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-encryption-key>
      - identity: {}

Explanation:

  • resources: Specifies the resource types to encrypt (e.g., Secrets).
  • aescbc: Indicates the AES-CBC encryption provider.
  • keys: Contains the encryption keys, with the secret field containing a base64-encoded key.
  • identity: Falls back to plaintext storage for resources not encrypted by aescbc.

Steps to Configure EncryptionConfig

1. Create the EncryptionConfig File

  • Write the EncryptionConfig file as shown above, specifying the resources to encrypt and the encryption providers.

2. Enable Encryption in the API Server

  • Update the API server manifest (e.g., /etc/kubernetes/manifests/kube-apiserver.yaml) to include the --encryption-provider-config flag:
- --encryption-provider-config=/path/to/encryption-config.yaml

3. Restart the API Server

  • Restart the API server for the changes to take effect:
sudo systemctl restart kube-apiserver

4. Migrate Existing Data

  • Run the kubectl get and kubectl apply commands to re-encrypt existing resources:
kubectl get secrets --all-namespaces -o yaml | kubectl apply -f -

Verification

To confirm that encryption is working:

  1. Inspect the etcd data and verify that encrypted resources are not in plaintext.
  2. Use etcdctl to view raw etcd contents:
etcdctl get /registry/secrets/default/my-secret
  • Encrypted data will appear as a ciphered string instead of plaintext values.

Considerations

  1. Key Management:

  2. Rotate encryption keys regularly for security.

  3. Backup keys securely, as loss of encryption keys may result in data inaccessibility.

  4. Resource Overhead:

  5. Encryption and decryption introduce additional CPU and memory usage on the API server.

  6. Backup Compatibility:

  7. Ensure etcd backups include encryption keys to allow data recovery.

  8. Fallback to Identity:

  9. If decryption fails or a key is lost, resources with identity provider remain accessible as plaintext.

Common Use Cases

  • Encrypting Secrets to secure sensitive information such as API keys, passwords, and certificates.
  • Encrypting ConfigMaps or other sensitive application configurations.
  • Ensuring compliance with data security regulations.

Conclusion

EncryptionConfig is an essential feature for securing sensitive data in Kubernetes clusters. By encrypting data at the application layer, it adds a robust layer of protection against unauthorized access and meets compliance standards. Proper key management and regular testing are critical to maintaining a secure and reliable encryption setup.