The value of the "KMS" is quite confusing

[tdefise]

When I look at what is the benefits of using KMS, it shows that:

• Use a key in a key vault for etcd encryption.
• Bring your own keys.
• Provide encryption at rest for secrets that are stored in etcd.
• Rotate the keys in a key vault.

However, when we look deeper:

• Provide encryption at rest for secrets that are stored in etcd -> According to https://github.com/MicrosoftDocs/azure-docs/issues/114929 "AKS encrypts secrets in etcd by default. When you create a Kubernetes secret in AKS, the data is automatically encrypted at rest within the etcd store using a default encryption mechanism." ... "The use of KMS etcd encryption is not required for encryption, but provides additional control over the encryption mechanism and allows you to use a more secure key management system." -> Also, "System" mode Node Pool are usually encrypted at rest by default using "Server-Side-Encryption", and users of AKS can also opt out for the "Host-based encryption". So the physical storage that contains the ETCD data being used, is encrypted at that "layer". It's more if a malicious actor manage to get access to the node(s) running ETCD and managed to get access to the data. In case a malicious actor get physical access to the physical storage, he would still need to decrypt the physical storage in order to access the data.

• Rotate the keys in a key vault With the "Secrets Store CSI Driver", it's already possible to have rotation of keys.

So from my understanding, KMS is mainly used:

• When the customer may want want to manage the key that is used for the "etcd encryption"
• When the customer may want to bring his own key in order to perform some specific encryption operations.

When I look at Kubernetes's official documentation the main use-case seems to be to encrypt secret. Latter in the example, they also use it to encrypt ConfigMap, but it's generally not a best practise to store sensitive data within a ConfigMap.

Without KMS, using the Secrets Store CSI Driver, with rotation enabled, secrets are already encrypted at rest, if I understand it correctly.

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: f29e6da4-fd14-a166-e21e-6b87a0f491b8
• Version Independent ID: b5ec3a1e-88c2-8dcb-05f7-226a633718a1
• Content: Use Key Management Service etcd encryption in Azure Kubernetes Service - Azure Kubernetes Service
• Content Source: articles/aks/use-kms-etcd-encryption.md
• Service: azure-kubernetes-service
• Sub-service: aks-security
• GitHub Login: @schaffererin
• Microsoft Alias: magoedte

[TPavanBalaji]

@tdefise Thanks for your feedback! We will investigate and update as appropriate.

[schaffererin]

reassign: schaffererin