0 of 15 done
Bring It Online

Generate the data encryption key

Where you are

This is the last identity step before you start the datastore. Kubernetes keeps secrets in its datastore, and by default they sit there unprotected. In this step you create the key and the config that encrypt those secrets at rest. You do this now so the protection exists before etcd starts and before any data is written.

Generate the encryption key

Kubernetes stores several kinds of data, including cluster state, application configuration, and secrets. Kubernetes can encrypt this data while it sits on disk, which is called encryption at rest.

In this lab you generate an encryption key and an encryption config that encrypt Kubernetes Secrets.

Generate an encryption key:

export ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)

This reads 32 random bytes from the system and encodes them as base64 text. The result is held in the ENCRYPTION_KEY variable for the next command.

Create the encryption config file

Create the encryption-config.yaml encryption config file:

envsubst < configs/encryption-config.yaml \
  > encryption-config.yaml

The envsubst command reads the template, replaces the key placeholder with the value in ENCRYPTION_KEY, and writes the finished file. This file tells the API server which key to use when it encrypts and decrypts Secrets.

PHI lens. Kubernetes stores Secrets in etcd, and without this key they sit in plain text on disk. In a healthcare cluster, encrypting Secrets at rest is part of protecting protected health information, also called PHI. You set this up before any data is written, not after.

Copy the encryption-config.yaml encryption config file to each controller instance:

scp encryption-config.yaml root@server:~/

The controller is where the API server runs, so the config file has to live there for the encryption to take effect.

Key terms

Encryption at rest: protecting data while it is stored on disk, so that someone who reads the raw files cannot see the original values.

Kubernetes Secret: an object that holds sensitive data such as passwords, tokens, or keys. Kubernetes stores Secrets in its datastore.

EncryptionConfig: the configuration file that tells the API server which key to use to encrypt and decrypt Secrets before they are stored.

Reflect

You set up encryption before any Secret is ever written. What would it take to add encryption to a cluster that has already been storing Secrets in plain text, and why is that harder than doing it first?

Next: Bootstrap the etcd cluster