Kubernetes Secrets Encryption - Integration Guide
Kubernetes Secrets contain sensitive data like your passwords, keys, and certificates. Kubernetes developed the feature to use KMS encryption provider for Encrypting Secret Data at Rest. The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd. The data is encrypted using a data encryption key (DEK); a new DEK is generated for each encryption. The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS. The KMS provider uses gRPC to communicate with a specific KMS plugin. The KMS plugin, which is implemented as a gRPC server and deployed on the same host(s) as the Kubernetes master(s), is responsible for all communication with the remote KMS.
Thales has developed a KMS plugin that communicates with a remote KMS for managing Secret Data Encryption where:
- KMS Plugin - K8S-KMS-Plugin
- Remote KMS - Thales Luna HSM
Following are some of the benefits of using Luna HSM along with K8S-KMS-Plugin to generate encryption keys that protect secret data for Kubernetes Secret encryption:
- Secure generation, storage, and protection of encryption keys on FIPS 140-2 level 3 validated hardware
- Full life cycle management of keys
- HSM audit trail
- Significant performance improvements by off-loading cryptographic operations from servers
- Using Cloud services with confidence