Kubernetes Secrets contain sensitive data such as passwords, keys, and certificates. Kubernetes provides a KMS encryption provider for encrypting Secret data at rest. The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd. The data is encrypted with a data encryption key (DEK); a new DEK is generated for each encryption. The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS. The KMS provider uses gRPC to communicate with a specific KMS plugin. The KMS plugin, implemented as a gRPC server and deployed on the same host(s) as the Kubernetes master(s), is responsible for all communication with the remote KMS.
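The envelope scheme described above, written out in Go as an added illustration (this is not code from Kubernetes or from the Thales plugin): each Encrypt call mints a fresh DEK, seals the Secret under it, and wraps the DEK under the KEK. The KEK wrap is a local AES-GCM call that stands in for the gRPC round trip to the KMS plugin; in a real deployment the KEK stays inside the remote KMS and only the wrap/unwrap requests cross that boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the API server writes to etcd: the wrapped DEK plus the Secret data sealed under that DEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// must panics on error: keys are fixed at 32 bytes and the CSPRNG is assumed healthy, so failure here is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func random(n int) []byte        { b := make([]byte, n); must(rand.Read(b)); return b }

// seal returns nonce||ciphertext under a fresh nonce; open reverses it and fails on a wrong key or tampering.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, data []byte) ([]byte, error) {
	g := gcm(key)
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// Encrypt follows the provider flow: fresh 256-bit DEK per call, Secret sealed with the DEK, DEK wrapped by
// the KEK. The wrap is a local AES-GCM call standing in for the gRPC request the provider sends to the plugin.
func Encrypt(kek, secret []byte) Envelope {
	dek := random(32)
	return Envelope{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, secret)}
}
// Decrypt unwraps the DEK with the KEK (the plugin's side of the exchange), then opens the Secret.
func Decrypt(kek []byte, e Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
```

Two encryptions of the same Secret produce different wrapped DEKs, which is the property that lets the KEK be rotated in the KMS without re-encrypting every Secret's payload.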
Thales has developed a KMS plugin that communicates with a remote KMS for managing Secret Data Encryption where:
The following are some of the benefits of using Luna HSM together with K8S-KMS-Plugin to generate the encryption keys that protect Kubernetes Secret data: