Encryption at Rest in etcd in Embedded Installation


We had a customer ask us if it’s possible to do encryption at rest of secrets (and other resources) within the cluster when using kURL to do an embedded cluster install.

Is this something that is configurable on embedded cluster installation (or after)? Or is this something that is out-of-scope for the embedded installations?

Referring to something along the lines of: Encrypting Confidential Data at Rest | Kubernetes



Currently that is out of scope for kURL. Part of the reason for that is that to do this properly you need to store the encryption key somewhere off the kURL machine, or your encrypted-at-rest data is stored next to the key that can decrypt it. If someone needs that level of security, it would be better for them to bring their own cluster so they can ensure this and likely other security details are fully under their control.
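For a cluster where the operator does control this (not a kURL install, per the answer above), the distinction the answer draws is visible in the kube-apiserver EncryptionConfiguration itself. The two variants below are an added illustration, not from this thread or from kURL; the plugin name, socket path and key value are placeholders.

```yaml
# Added example, not from the thread or the kURL project. Two separate
# EncryptionConfiguration files for kube-apiserver
# (--encryption-provider-config), shown in one listing and separated by ---.

# Variant A: local key. The AES key is written into this file on the
# control-plane node, next to the etcd data it protects, so anyone with
# disk or node access holds both the ciphertext and the key. This is the
# situation the answer describes as not being done "properly".
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              # placeholder; a real value is a base64-encoded 32-byte key
              secret: <BASE64_ENCODED_32_BYTE_KEY>
      - identity: {}   # read-only fallback for entries written before encryption
---
# Variant B: external KMS. The apiserver sends data-encryption keys to a
# KMS plugin over a local Unix socket; the key-encryption key stays in the
# external KMS and is never stored on the node. Name and endpoint are
# assumed values for a plugin deployed separately.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - kms:
          apiVersion: v2
          name: example-kms-plugin
          endpoint: unix:///var/run/kmsplugin/socket.sock
          timeout: 3s
      - identity: {}
```

To confirm which is in effect, reading a Secret's key directly out of etcd should show a value prefixed with `k8s:enc:aescbc:v1:key1:` (variant A) or `k8s:enc:kms:v2:example-kms-plugin:` (variant B) rather than plaintext.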