When I look at what is the benefits of using KMS, it shows that:
Use a key in a key vault for etcd encryption.
Bring your own keys.
Provide encryption at rest for secrets that are stored in etcd.
Rotate the keys in a key vault.
However, when we look deeper:
Provide encryption at rest for secrets that are stored in etcd
-> According to https://github.com/MicrosoftDocs/azure-docs/issues/114929 "AKS encrypts secrets in etcd by default. When you create a Kubernetes secret in AKS, the data is automatically encrypted at rest within the etcd store using a default encryption mechanism." ... "The use of KMS etcd encryption is not required for encryption, but provides additional control over the encryption mechanism and allows you to use a more secure key management system."
-> Also, "System" mode Node Pool are usually encrypted at rest by default using "Server-Side-Encryption", and users of AKS can also opt out for the "Host-based encryption". So the physical storage that contains the ETCD data being used, is encrypted at that "layer". It's more if a malicious actor manage to get access to the node(s) running ETCD and managed to get access to the data. In case a malicious actor get physical access to the physical storage, he would still need to decrypt the physical storage in order to access the data.
Rotate the keys in a key vault
With the "Secrets Store CSI Driver", it's already possible to have rotation of keys.
So from my understanding, KMS is mainly used:
When the customer may want want to manage the key that is used for the "etcd encryption"
When the customer may want to bring his own key in order to perform some specific encryption operations.
When I look at Kubernetes's official documentation the main use-case seems to be to encrypt secret.
Latter in the example, they also use it to encrypt ConfigMap, but it's generally not a best practise to store sensitive data within a ConfigMap.
Without KMS, using the Secrets Store CSI Driver, with rotation enabled, secrets are already encrypted at rest, if I understand it correctly.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
ID: f29e6da4-fd14-a166-e21e-6b87a0f491b8
Version Independent ID: b5ec3a1e-88c2-8dcb-05f7-226a633718a1
When I look at what is the benefits of using KMS, it shows that:
However, when we look deeper:
Provide encryption at rest for secrets that are stored in etcd -> According to https://github.com/MicrosoftDocs/azure-docs/issues/114929 "AKS encrypts secrets in etcd by default. When you create a Kubernetes secret in AKS, the data is automatically encrypted at rest within the etcd store using a default encryption mechanism." ... "The use of KMS etcd encryption is not required for encryption, but provides additional control over the encryption mechanism and allows you to use a more secure key management system." -> Also, "System" mode Node Pool are usually encrypted at rest by default using "Server-Side-Encryption", and users of AKS can also opt out for the "Host-based encryption". So the physical storage that contains the ETCD data being used, is encrypted at that "layer". It's more if a malicious actor manage to get access to the node(s) running ETCD and managed to get access to the data. In case a malicious actor get physical access to the physical storage, he would still need to decrypt the physical storage in order to access the data.
Rotate the keys in a key vault With the "Secrets Store CSI Driver", it's already possible to have rotation of keys.
So from my understanding, KMS is mainly used:
When I look at Kubernetes's official documentation the main use-case seems to be to encrypt secret. Latter in the example, they also use it to encrypt ConfigMap, but it's generally not a best practise to store sensitive data within a ConfigMap.
Without KMS, using the Secrets Store CSI Driver, with rotation enabled, secrets are already encrypted at rest, if I understand it correctly.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.