Inferensys

Glossary

etcd Encryption

The configuration that enables encryption at rest for data stored in the Kubernetes etcd key-value store, protecting sensitive information like Secrets from unauthorized access at the storage layer.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
SECRETS MANAGEMENT

What is etcd Encryption?

A critical security control that protects the confidentiality of all data stored within the Kubernetes backing store.

etcd Encryption is the configuration that enables encryption at rest for data stored in the Kubernetes etcd key-value store, protecting sensitive objects like Secrets, ConfigMaps, and custom resources from unauthorized access at the storage layer. It ensures that if physical storage media or etcd backups are compromised, the underlying data remains cryptographically unreadable without the correct decryption keys.

The mechanism operates by passing all API server write requests through an envelope encryption transformer before persisting them to etcd. Administrators define a EncryptionConfiguration manifest specifying a provider, such as aescbc or a Key Management Service (KMS) plugin, which encrypts the raw data and wraps the encryption key, ensuring a strict separation between the encrypted payload and the key material.

DATA AT REST PROTECTION

Key Features of etcd Encryption

Encryption at rest for etcd safeguards the most sensitive cluster data—Secrets, ConfigMaps, and state—from unauthorized access at the storage layer, a critical control for sovereign infrastructure.

01

Envelope Encryption Architecture

Kubernetes employs a layered envelope encryption scheme. A local Data Encryption Key (DEK) encrypts the plaintext object. This DEK is then encrypted (wrapped) by a remote Key Encryption Key (KEK) managed by an external KMS plugin. This separation ensures the raw DEK is never stored persistently in plaintext, limiting exposure if the local node is compromised.

AES-256-CBC
Default Cipher
02

KMS Plugin Integration

The EncryptionConfiguration API connects the API server to an external Key Management Service (KMS) via a gRPC plugin. This offloads key hierarchy management and rotation to a hardened, FIPS 140-2 validated system. The KMS plugin v2 improves reliability with status checks and key ID tracking, preventing writes if the remote KMS is unreachable.

gRPC
Plugin Protocol
03

Resource-Specific Encryption

Encryption is not all-or-nothing. The EncryptionConfiguration manifest specifies exactly which resources are encrypted using a resources array. This allows fine-grained control, targeting only high-sensitivity objects like Secrets and CustomResourceDefinitions containing proprietary data, while leaving low-risk resources unencrypted for performance.

Secrets
Primary Target
04

Provider-Based Configuration

The API server supports multiple encryption providers, defined in a strict priority order. Common providers include:

  • aescbc: Recommended local provider using AES-256-CBC with PKCS#7 padding.
  • kms: Delegates encryption to an external KMS plugin.
  • secretbox: Uses XSalsa20 and Poly1305 for authenticated encryption.
  • identity: A no-op provider that passes data through as plaintext, used for staged rollouts.
4
Core Providers
05

Key Rotation and Rewrite

Rotating encryption keys is a two-step process. First, a new key is added to the top of the provider list, causing all new writes to use it. Second, a full storage rewrite is performed via kubectl get --all-namespaces -o json | kubectl replace -f - to re-encrypt all existing objects with the new key. This ensures no stale ciphertext remains, enabling safe retirement of old keys.

2-Step
Rotation Process
06

Preventing Secret Reuse

Without encryption at rest, a compromised etcd backup or disk snapshot exposes all Secret data in plaintext. Encryption mitigates this by ensuring that even with physical access to the underlying storage, the data remains unintelligible without the KEK. This is a foundational control for data residency and sovereign cloud compliance frameworks.

Zero Trust
Storage Layer
ETCD ENCRYPTION AT REST

Frequently Asked Questions

Critical questions about securing the Kubernetes control plane's backing store through encryption at rest, covering configuration, key management, and operational best practices for protecting sensitive cluster data.

etcd encryption at rest is a Kubernetes feature that encrypts data stored in the etcd key-value store before it is written to disk, ensuring that sensitive information like Secrets, ConfigMaps, and custom resources cannot be read by anyone with direct access to the underlying storage volume. Without this encryption, an attacker who gains access to the etcd data directory—whether through a compromised node, a misconfigured backup, or a decommissioned drive—can extract all cluster secrets in plaintext. The mechanism operates at the API server level using a configuration file that specifies encryption providers and their corresponding keys. When enabled, the kube-apiserver encrypts objects before persisting them to etcd and decrypts them upon read requests, making it a foundational control for data-at-rest security in any production cluster, especially those in regulated environments or air-gapped deployments where physical access controls may be the primary defense layer.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.