Bird
Raised Fist0
Kubernetesdevops~10 mins

Secrets encryption at rest in Kubernetes - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Process Flow - Secrets encryption at rest
Create Secret in Kubernetes
Secret stored in etcd (unencrypted)
Enable Encryption Configuration
Kubernetes API Server encrypts Secret data
Encrypted Secret stored in etcd
When Secret requested
API Server decrypts Secret before returning
User gets decrypted Secret
This flow shows how Kubernetes encrypts Secrets before saving them in etcd and decrypts them when accessed.
Execution Sample
Kubernetes
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
    - secrets
    providers:
    - aescbc:
        keys:
        - name: key1
          secret: <base64-encoded-key>
    - identity: {}
This config enables AES-CBC encryption for Secrets stored in etcd.
Process Table
StepActionSecret State in etcdAPI Server BehaviorResult
1Create Secret 'mysecret'Plaintext storedNo encryption configuredSecret saved unencrypted
2Apply EncryptionConfigurationNew secrets encrypted; existing unencryptedAPI Server encrypts Secrets before savingNew secrets stored encrypted
3Request Secret 'mysecret'Encrypted data in etcdAPI Server decrypts Secret before returningUser receives plaintext Secret
4Update Secret 'mysecret'Encrypted data updatedAPI Server encrypts updated SecretUpdated Secret stored encrypted
5Delete EncryptionConfigurationSecrets remain encryptedAPI Server stops encrypting new SecretsNew Secrets stored unencrypted
6Request Secret 'mysecret'Encrypted data in etcdAPI Server decrypts SecretUser receives decrypted Secret
7ExitN/AN/AProcess ends
💡 Process ends after Secret retrieval and encryption configuration changes
Status Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4After Step 5After Step 6Final
Secret Data in etcdNonePlaintextEncryptedEncryptedEncryptedEncryptedEncryptedEncrypted
API Server Encryption EnabledFalseFalseTrueTrueTrueFalseFalseFalse
User ReceivesNonePlaintext SecretPlaintext SecretPlaintext SecretPlaintext SecretPlaintext SecretPlaintext SecretPlaintext Secret
Key Moments - 3 Insights
Why is the Secret stored unencrypted at first (Step 1) but new Secrets encrypted after applying EncryptionConfiguration (Step 2)?
Initially, Kubernetes stores Secrets as plaintext in etcd because encryption is not enabled. After applying EncryptionConfiguration, the API Server encrypts new Secrets before saving them, so etcd stores encrypted data (see execution_table rows 1 and 2).
If the EncryptionConfiguration is deleted (Step 5), are existing Secrets decrypted in etcd?
No, existing Secrets remain encrypted in etcd. Deleting the config stops encrypting new Secrets, but stored Secrets stay encrypted until manually decrypted or rotated (see execution_table row 5).
When a Secret is requested, why does the user always get the decrypted Secret even though etcd stores encrypted data?
The API Server decrypts Secrets on retrieval before returning them to the user, so users always see plaintext Secrets regardless of encryption at rest (see execution_table rows 3 and 6).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table at Step 2. What changes in the API Server behavior?
AIt stops encrypting Secrets
BIt deletes Secrets from etcd
CIt starts encrypting Secrets before saving to etcd
DIt returns Secrets unencrypted to users
💡 Hint
Check the 'API Server Behavior' column at Step 2 in the execution_table
At which step does the user receive the Secret for the first time?
AStep 3
BStep 1
CStep 5
DStep 7
💡 Hint
Look at the 'User Receives' column in variable_tracker after Step 1 and Step 3
If EncryptionConfiguration is removed, what happens to new Secrets stored after Step 5?
AThey are stored unencrypted
BThey are deleted automatically
CThey are encrypted with the old key
DThey cause an error on save
💡 Hint
See 'API Server Encryption Enabled' variable_tracker value after Step 5 and execution_table Step 5
Concept Snapshot
Kubernetes Secrets encryption at rest:
- Secrets stored in etcd by default are unencrypted.
- Enable encryption via EncryptionConfiguration in API Server.
- API Server encrypts Secrets before saving to etcd.
- Secrets are decrypted by API Server when accessed.
- Removing encryption config stops encrypting new Secrets but existing remain encrypted.
- Protects sensitive data stored in cluster backend.
Full Transcript
This visual execution shows how Kubernetes handles Secrets encryption at rest. Initially, Secrets are stored in plaintext in etcd. When an EncryptionConfiguration is applied, the API Server encrypts Secrets before saving them, so etcd stores encrypted data. When a Secret is requested, the API Server decrypts it before returning it to the user, ensuring users always see plaintext Secrets. If the encryption config is removed, new Secrets are stored unencrypted, but existing encrypted Secrets remain encrypted in etcd. This process protects sensitive data stored in the cluster backend.

Practice

(1/5)
1. What is the main purpose of enabling Secrets encryption at rest in Kubernetes?
easy
A. To protect sensitive data stored in etcd from unauthorized access
B. To speed up the retrieval of Secrets from the API server
C. To allow Secrets to be shared publicly across namespaces
D. To automatically rotate Secrets without manual intervention

Solution

  1. Step 1: Understand what Secrets encryption at rest means

    It means encrypting sensitive data stored on disk, specifically in etcd, to prevent unauthorized access if someone gains access to the storage.

  2. Step 2: Identify the main goal of this encryption

    The goal is to protect sensitive data like passwords or tokens stored in etcd, not to speed up access or share Secrets publicly.

  3. Final Answer:

    To protect sensitive data stored in etcd from unauthorized access -> Option A

  4. Quick Check:

    Secrets encryption = protect data at rest [OK]
Hint: Encryption at rest means protecting stored data, not speeding access [OK]
Common Mistakes:
  • Confusing encryption at rest with encryption in transit
  • Thinking encryption shares Secrets publicly
  • Assuming encryption automatically rotates Secrets
2. Which of the following is the correct way to enable Secrets encryption at rest in Kubernetes EncryptionConfiguration file?
easy
A. apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: - identity: {}
B. apiVersion: v1 kind: Secret metadata: name: encryption-config stringData: key:
C. apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - secrets providers: - identity: {} - aescbc: keys: - name: key1 secret:
D. apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfig resources: - secrets - aescbc: keys: - name: key1 secret:

Solution

  1. Step 1: Review the correct structure of EncryptionConfiguration

    The file must have apiVersion, kind, and a resources list with nested resources and providers. The providers list includes encryption methods like aescbc and identity.

  2. Step 2: Compare options for correct YAML syntax and structure

    apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - secrets providers: - identity: {} - aescbc: keys: - name: key1 secret: correctly nests resources and providers, uses aescbc with keys, and includes identity as fallback. apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: - identity: {} incorrectly nests 'resources' under 'resources'. Others have syntax errors or wrong kind names.

  3. Final Answer:

    apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - secrets providers: - identity: {} - aescbc: keys: - name: key1 secret: -> Option C

  4. Quick Check:

    Correct YAML structure = apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - secrets providers: - identity: {} - aescbc: keys: - name: key1 secret: [OK]
Hint: Look for 'resources' as a list of resource names and 'providers' as a list of encryption methods [OK]
Common Mistakes:
  • Using wrong kind name like EncryptionConfig instead of EncryptionConfiguration
  • Incorrect YAML indentation or missing nested keys
  • Placing keys outside the providers list
  • Nesting 'resources' under 'resources' incorrectly
3. Given this snippet from a Kubernetes API server log after enabling Secrets encryption at rest: 
"Encryption provider aescbc is enabled for resource secrets"
"Using key named key1 for encryption"
"Secrets stored in etcd are now encrypted"
What is the expected effect when retrieving a Secret via kubectl get secret?
medium
A. The Secret data is shown as base64-encoded encrypted strings
B. The Secret data is automatically decrypted and shown in base64-encoded plain text
C. The Secret cannot be retrieved until manual decryption is done
D. The Secret is deleted from etcd after retrieval

Solution

  1. Step 1: Understand encryption at rest vs API response

    Encryption at rest means data is encrypted in storage (etcd), but the API server decrypts it before sending to clients.

  2. Step 2: Determine what kubectl get secret shows

    kubectl shows the decrypted Secret data in base64-encoded form, which is normal for Secrets, not encrypted ciphertext.

  3. Final Answer:

    The Secret data is automatically decrypted and shown in base64-encoded plain text -> Option B

  4. Quick Check:

    Encryption at rest decrypts before API response [OK]
Hint: Encryption at rest is transparent to kubectl output [OK]
Common Mistakes:
  • Thinking Secrets remain encrypted when retrieved
  • Confusing base64 encoding with encryption
  • Assuming manual decryption is needed
4. You configured Secrets encryption at rest but notice that Secrets are still stored unencrypted in etcd. What is the most likely cause?
medium
A. The Secrets were created before enabling encryption and never updated
B. The encryption key is too short and rejected silently
C. The etcd cluster does not support encryption
D. The API server was not restarted after applying the encryption config

Solution

  1. Step 1: Recall how encryption config is applied

    The API server must be restarted to load the new encryption configuration and apply encryption to new Secrets.

  2. Step 2: Identify why Secrets remain unencrypted

    If the API server is not restarted, it continues to store Secrets unencrypted despite config changes.

  3. Final Answer:

    The API server was not restarted after applying the encryption config -> Option D

  4. Quick Check:

    Restart API server to apply encryption config [OK]
Hint: Always restart API server after changing encryption config [OK]
Common Mistakes:
  • Assuming existing Secrets auto-encrypt without update
  • Believing etcd cannot support encryption
  • Ignoring the need to restart API server
5. You want to rotate the encryption key used for Secrets encryption at rest without downtime. Which approach correctly achieves this?
hard
A. Add the new key as the first provider in the encryption config, keep the old key second, then restart the API server
B. Replace the old key with the new key in the config and restart the API server immediately
C. Delete all Secrets, update the key, then recreate Secrets encrypted with the new key
D. Update the key in etcd directly without changing the API server config

Solution

  1. Step 1: Understand key rotation in encryption config

    To rotate keys safely, add the new key first so new Secrets encrypt with it, and keep the old key to decrypt existing Secrets.

  2. Step 2: Apply config and restart API server

    Restarting the API server loads the new config. Existing Secrets remain decryptable with the old key, allowing smooth rotation.

  3. Final Answer:

    Add the new key as the first provider in the encryption config, keep the old key second, then restart the API server -> Option A

  4. Quick Check:

    New key first, old key second, restart API server [OK]
Hint: New key first, old key second in config for smooth rotation [OK]
Common Mistakes:
  • Replacing old key immediately causing decryption failures
  • Deleting Secrets instead of rotating keys
  • Modifying etcd data directly risking corruption