etcd Encryption is the configuration that enables encryption at rest for data stored in the Kubernetes etcd key-value store, protecting sensitive objects like Secrets, ConfigMaps, and custom resources from unauthorized access at the storage layer. It ensures that if physical storage media or etcd backups are compromised, the underlying data remains cryptographically unreadable without the correct decryption keys.
Glossary
etcd Encryption

What is etcd Encryption?
A critical security control that protects the confidentiality of all data stored within the Kubernetes backing store.
The mechanism operates by passing all API server write requests through an envelope encryption transformer before persisting them to etcd. Administrators define a EncryptionConfiguration manifest specifying a provider, such as aescbc or a Key Management Service (KMS) plugin, which encrypts the raw data and wraps the encryption key, ensuring a strict separation between the encrypted payload and the key material.
Key Features of etcd Encryption
Encryption at rest for etcd safeguards the most sensitive cluster data—Secrets, ConfigMaps, and state—from unauthorized access at the storage layer, a critical control for sovereign infrastructure.
Envelope Encryption Architecture
Kubernetes employs a layered envelope encryption scheme. A local Data Encryption Key (DEK) encrypts the plaintext object. This DEK is then encrypted (wrapped) by a remote Key Encryption Key (KEK) managed by an external KMS plugin. This separation ensures the raw DEK is never stored persistently in plaintext, limiting exposure if the local node is compromised.
KMS Plugin Integration
The EncryptionConfiguration API connects the API server to an external Key Management Service (KMS) via a gRPC plugin. This offloads key hierarchy management and rotation to a hardened, FIPS 140-2 validated system. The KMS plugin v2 improves reliability with status checks and key ID tracking, preventing writes if the remote KMS is unreachable.
Resource-Specific Encryption
Encryption is not all-or-nothing. The EncryptionConfiguration manifest specifies exactly which resources are encrypted using a resources array. This allows fine-grained control, targeting only high-sensitivity objects like Secrets and CustomResourceDefinitions containing proprietary data, while leaving low-risk resources unencrypted for performance.
Provider-Based Configuration
The API server supports multiple encryption providers, defined in a strict priority order. Common providers include:
- aescbc: Recommended local provider using AES-256-CBC with PKCS#7 padding.
- kms: Delegates encryption to an external KMS plugin.
- secretbox: Uses XSalsa20 and Poly1305 for authenticated encryption.
- identity: A no-op provider that passes data through as plaintext, used for staged rollouts.
Key Rotation and Rewrite
Rotating encryption keys is a two-step process. First, a new key is added to the top of the provider list, causing all new writes to use it. Second, a full storage rewrite is performed via kubectl get --all-namespaces -o json | kubectl replace -f - to re-encrypt all existing objects with the new key. This ensures no stale ciphertext remains, enabling safe retirement of old keys.
Preventing Secret Reuse
Without encryption at rest, a compromised etcd backup or disk snapshot exposes all Secret data in plaintext. Encryption mitigates this by ensuring that even with physical access to the underlying storage, the data remains unintelligible without the KEK. This is a foundational control for data residency and sovereign cloud compliance frameworks.
Frequently Asked Questions
Critical questions about securing the Kubernetes control plane's backing store through encryption at rest, covering configuration, key management, and operational best practices for protecting sensitive cluster data.
etcd encryption at rest is a Kubernetes feature that encrypts data stored in the etcd key-value store before it is written to disk, ensuring that sensitive information like Secrets, ConfigMaps, and custom resources cannot be read by anyone with direct access to the underlying storage volume. Without this encryption, an attacker who gains access to the etcd data directory—whether through a compromised node, a misconfigured backup, or a decommissioned drive—can extract all cluster secrets in plaintext. The mechanism operates at the API server level using a configuration file that specifies encryption providers and their corresponding keys. When enabled, the kube-apiserver encrypts objects before persisting them to etcd and decrypts them upon read requests, making it a foundational control for data-at-rest security in any production cluster, especially those in regulated environments or air-gapped deployments where physical access controls may be the primary defense layer.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the critical components and complementary security controls that form a complete encryption strategy for Kubernetes' backing data store.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us