
Encryption at rest

First we want to make sure a few resource types are encrypted at rest in etcd rather than stored as plaintext; at the moment that is Secrets and ConfigMaps.

See encrypt-data for details, or follow below for a basic example.

Create a static encryption key with random data:

head -c 32 /dev/urandom | base64

Now create a configuration snippet for Kubernetes to use, pasting the base64 key from the previous step in place of the placeholder (note the single > so the file is written fresh rather than appended to on a re-run):

cat >kubernetes-enc.yaml<<EOF
---
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - secretbox:
          keys:
            - name: key1
              secret: <BASE 64 ENCODED SECRET>
      - identity: {} # this fallback allows reading unencrypted secrets;
                     # for example, during initial migration
EOF

Make sure to copy kubernetes-enc.yaml into /etc on each control plane node (it is only read by kube-apiserver) and keep it readable by root only, since it contains the key itself; kube-apiserver is then pointed at it with --encryption-provider-config=/etc/kubernetes-enc.yaml.
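The two steps above can be done in one go so the key never has to be pasted by hand and is checked for the right length before it lands in the file. The script below is an added example, not part of the original page or of Kubernetes itself; the function names, the output path argument and the 0600 file mode are assumptions made here, and the apiserver flag that consumes the file is not set by the script.

```shell
#!/bin/sh
# Added example (not from the original page): generate a fresh secretbox key
# and write an EncryptionConfiguration around it. Function names and the
# output path are hypothetical choices for this example.
set -eu

# secretbox is XSalsa20-Poly1305 and needs exactly 32 bytes of key material.
gen_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Decode a base64 key and print its byte length, so a key can be checked
# before it is written into the config (a 16-byte key would be silently wrong).
key_len() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Write the EncryptionConfiguration to $1 using key $2 under key name $3
# (default key1). Refuses keys that do not decode to 32 bytes. The file is
# created with mode 0600 because it holds the key in cleartext (base64 only).
write_enc_config() {
    out=$1
    key=$2
    name=${3:-key1}
    if [ "$(key_len "$key")" -ne 32 ]; then
        echo "key must decode to exactly 32 bytes" >&2
        return 1
    fi
    (
        umask 077
        cat >"$out" <<EOF
---
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - secretbox:
          keys:
            - name: $name
              secret: $key
      - identity: {} # fallback so data written before encryption was enabled can still be read
EOF
    )
}

# Usage: ./make-enc-config.sh /etc/kubernetes-enc.yaml
if [ $# -gt 0 ]; then
    write_enc_config "$1" "$(gen_key)"
fi
```

Keeping the secretbox provider first and identity last is what makes the file safe to roll out before existing Secrets have been rewritten: new writes are encrypted with key1, and reads of old plaintext entries fall through to identity until they are migrated.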

See the asciicast below: