Secrets encryption at rest in Kubernetes - Time & Space Complexity
We want to understand how the time to encrypt and decrypt Kubernetes secrets changes as the number of secrets grows.
How does the system handle more secrets without slowing down too much?
Analyze the time complexity of the following Kubernetes encryption configuration snippet.
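```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider: used to encrypt every new write.
      - aescbc:
          keys:
            - name: key1
              # Placeholder only: this decodes to 15 bytes. A real key must be
              # 16, 24 or 32 random bytes, base64-encoded.
              secret: c2VjcmV0a2V5MTIzNDU2
      # Later providers are only tried when reading existing data.
      - identity: {}
```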
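This config tells Kubernetes to encrypt all secrets using AES-CBC with the key `key1`, and to fall back to identity (no encryption) if needed. The first provider in the list is the one used for writes; on reads the providers are tried in order, so the `identity` entry lets the API server still read secrets that were stored before encryption was enabled.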
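As an added example (not from the original page and not Kubernetes' own code), here is a small Python check for the configuration above that reports a plaintext write path and unusable or non-random keys. It assumes the YAML is already parsed into a dict and only inspects entries that name `secrets` explicitly; `lint_encryption_config`, `KEY_SIZES` and `PAGE_CONFIG` are hypothetical names.

```python
import base64
import binascii

# Valid raw key sizes in bytes per provider (AES-128/192/256; secretbox is 32 only).
KEY_SIZES = {"aescbc": (16, 24, 32), "aesgcm": (16, 24, 32), "secretbox": (32,)}

# The page's configuration, already parsed into a dict (YAML parsing is out of scope).
PAGE_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1", "secret": "c2VjcmV0a2V5MTIzNDU2"}]}},
            {"identity": {}},
        ],
    }],
}


def lint_encryption_config(cfg):
    """Return a list of findings for one parsed EncryptionConfiguration."""
    findings = []
    for entry in cfg.get("resources", []):
        if "secrets" not in entry.get("resources", []):
            continue
        providers = entry.get("providers", [])
        # Only the first provider encrypts new writes; the rest are read fallbacks.
        if providers and "identity" in providers[0]:
            findings.append("identity is first: new secrets are written unencrypted")
        for provider in providers:
            for kind, sizes in KEY_SIZES.items():
                for key in (provider.get(kind) or {}).get("keys", []):
                    label = f"{kind}/{key.get('name')}"
                    try:
                        raw = base64.b64decode(key.get("secret") or "", validate=True)
                    except (binascii.Error, ValueError):
                        findings.append(f"{label}: secret is not valid base64")
                        continue
                    if len(raw) not in sizes:
                        findings.append(f"{label}: key is {len(raw)} bytes, expected one of {sizes}")
                    # Heuristic: an all-printable key was probably typed, not generated.
                    if raw and all(0x20 <= b < 0x7F for b in raw):
                        findings.append(f"{label}: key is printable text, not random bytes")
    return findings


if __name__ == "__main__":
    for finding in lint_encryption_config(PAGE_CONFIG):
        print(finding)
```

Run against the page's sample, it reports both the 15-byte length and the printable-text key, which is why that value should be treated as a placeholder only.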
- Primary operation: Encrypting or decrypting each secret when it is stored or retrieved.
- How many times: Once per secret access, repeated for every secret stored or read.
As the number of secrets increases, the total encryption and decryption operations increase proportionally.
| Input Size (n) | Approx. Operations |
|---|---|
| 10 | 10 encryptions + 10 decryptions |
| 100 | 100 encryptions + 100 decryptions |
| 1000 | 1000 encryptions + 1000 decryptions |
Pattern observation: The work grows linearly with the number of secrets.
Time Complexity: O(n)
This means the time to encrypt and decrypt secrets grows directly in proportion to how many secrets there are.
[X] Wrong: "Encrypting secrets happens once and then is instant for all future accesses."
[OK] Correct: Each time a secret is accessed, it must be decrypted, so the cost happens repeatedly, not just once.
Understanding how encryption scales helps you design secure systems that stay fast as they grow. This skill shows you can think about both security and performance together.
"What if Kubernetes cached decrypted secrets in memory? How would the time complexity change when reading secrets repeatedly?"