Encrypting Secret Data Stored in ETCD Database.
Kubernetes stores its API objects in the etcd database in plain text. This includes sensitive data such as Kubernetes Secrets, as shown in the picture below (a Secret read straight back from etcd).
To stop this data from being stored in plain text, the API server needs an encryption key of its own.
The kube-apiserver process accepts an argument (--encryption-provider-config) that controls how API data is encrypted before it is written to etcd.
STEPS - ETCD DATA ENCRYPTION:
1. Create an encryption key.
Generate a 32-byte random key and base64-encode it. If you're on Linux, run the command below:
head -c 32 /dev/urandom | base64
2. Create an encryption config, ec.yaml:
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <BASE 64 ENCODED SECRET>
      - identity: {}
The first provider in the list (aescbc) is the one used to encrypt new writes; identity is kept last so the API server can still read the secrets that are already stored in plain text.
3. Copy the configuration YAML file created in step 2 to a directory the API server can read.
- mkdir /etc/kubernetes/etcd
- cp ec.yaml /etc/kubernetes/etcd/ec.yaml
4. Start kube-apiserver with the appropriate flag:
--encryption-provider-config=/etc/kubernetes/etcd/ec.yaml
On a kubeadm cluster this flag goes into the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml, and /etc/kubernetes/etcd must also be mounted into the kube-apiserver pod as a volume, otherwise the process cannot read the config and will not start.
5. Verify the content of etcd.
$ kubectl create secret generic test-secret -n default --from-literal=user=admin
$ ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cert /etc/kubernetes/pki/apiserver-etcd-client.crt --key /etc/kubernetes/pki/apiserver-etcd-client.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/test-secret
An encrypted entry is printed with the prefix k8s:enc:aescbc:v1:key1: followed by ciphertext, instead of the readable value admin. Only secrets written after the API server restart are encrypted; secrets that already existed stay in plain text until they are rewritten, for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -.
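The procedure above as a small helper script, added here as an example and not part of the original post: it generates and checks the key from step 1, renders the ec.yaml from step 2 with that key, and classifies a raw etcd value from step 5 by its encryption prefix. Function names, the key-name parameter and the sample values are my own assumptions.

```shell
#!/usr/bin/env bash
# Added helper script for the steps above (not from the original post):
# generate the key, check it, render ec.yaml and classify raw etcd values.
set -eu

# Step 1: generate a base64-encoded 32-byte random key on a single line.
gen_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 only if the key decodes to exactly 32 bytes (AES-256, as the post uses).
check_key() {
  local n
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
  [ "$n" -eq 32 ]
}

# Step 2: render the EncryptionConfiguration with the given key (name defaults to key1).
# aescbc is listed first so it encrypts new writes; identity stays last so the
# API server can still read secrets stored before encryption was turned on.
render_config() {
  local key="$1" name="${2:-key1}"
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: ${name}
              secret: ${key}
      - identity: {}
EOF
}

# Step 5: classify a raw etcd value as printed by `etcdctl get`. Encrypted
# entries carry the envelope prefix k8s:enc:aescbc:v1:<keyname>:; anything
# else (the unencrypted protobuf starts with the bytes "k8s") is plaintext.
classify_value() {
  case "$1" in
    k8s:enc:aescbc:v1:*)
      local rest="${1#k8s:enc:aescbc:v1:}"
      echo "encrypted:${rest%%:*}" ;;
    *) echo "plaintext" ;;
  esac
}
```

Run `render_config "$(gen_key)" > ec.yaml` to produce the file for step 3, and pipe an `etcdctl get` value into `classify_value` to confirm the secret was stored encrypted.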