Secrets Encryption Config

K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:

  • Generate an AES-CBC key
  • Generate an encryption config file with the generated key
  • Pass the config to the KubeAPI as encryption-provider-config

Tip:

Secrets-encryption cannot be enabled on an existing server without restarting it.
Use curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption if installing from script, or other methods described in Configuration Options.

Example of the encryption config file:

  {
    "kind": "EncryptionConfiguration",
    "apiVersion": "apiserver.config.k8s.io/v1",
    "resources": [
      {
        "resources": [
          "secrets"
        ],
        "providers": [
          {
            "aescbc": {
              "keys": [
                {
                  "name": "aescbckey",
                  "secret": "xxxxxxxxxxxxxxxxxxx"
                }
              ]
            }
          },
          {
            "identity": {}
          }
        ]
      }
    ]
  }
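The provider order in the file above matters: the API server encrypts new writes with the first listed provider, so a config with `identity` ahead of `aescbc` stores secrets in plaintext. The following is an added checker, not part of K3s or this page, that validates an EncryptionConfiguration of this shape; `build_config` and the constructed keys are assumptions made for the example.

```python
import base64
import json

# Constructed placeholder 32-byte key, base64-encoded as the API server expects.
GOOD_KEY = base64.b64encode(b"\x01" * 32).decode()
# The literal placeholder used in the page's example; not valid base64.
PLACEHOLDER_KEY = "xxxxxxxxxxxxxxxxxxx"
AES_KEY_SIZES = {16, 24, 32}  # valid AES key lengths in bytes


def build_config(providers):
    """Return an EncryptionConfiguration JSON string covering secrets with the
    given provider list (helper for the example, mirrors the page's layout)."""
    return json.dumps({
        "kind": "EncryptionConfiguration",
        "apiVersion": "apiserver.config.k8s.io/v1",
        "resources": [{"resources": ["secrets"], "providers": providers}],
    })


def check_encryption_config(text):
    """Return a list of findings for an EncryptionConfiguration JSON document.
    An empty list means secrets are written encrypted with well-formed aescbc keys."""
    findings = []
    cfg = json.loads(text)
    if cfg.get("kind") != "EncryptionConfiguration":
        findings.append("kind is not EncryptionConfiguration")
    for entry in cfg.get("resources", []):
        if "secrets" not in entry.get("resources", []):
            continue  # only the rule that covers secrets is checked here
        providers = entry.get("providers", [])
        if not providers:
            findings.append("secrets rule has no providers")
            continue
        # The first provider is used for writes; identity means plaintext storage.
        if next(iter(providers[0])) == "identity":
            findings.append("identity is the first provider: secrets are written in plaintext")
        for prov in providers:
            for key in prov.get("aescbc", {}).get("keys", []):
                name = key.get("name", "<unnamed>")
                try:
                    raw = base64.b64decode(key.get("secret", ""), validate=True)
                except ValueError:
                    findings.append(f"key {name!r}: secret is not valid base64")
                    continue
                if len(raw) not in AES_KEY_SIZES:
                    findings.append(f"key {name!r}: decoded key is {len(raw)} bytes, "
                                    f"expected one of {sorted(AES_KEY_SIZES)}")
    return findings
```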

Secrets Encryption Tool

K3s contains a utility tool secrets-encrypt, which enables automatic control over the following:

  • Disabling/Enabling secrets encryption
  • Adding new encryption keys
  • Rotating and deleting encryption keys
  • Reencrypting secrets

For more information, see the k3s secrets-encrypt command documentation.