kube-secret-syncer
Copied secrets are stored unencrypted by default
The README should mention that using https://github.com/contentful-labs/kube-secret-syncer alone will result in external secrets being stored unencrypted in etcd and therefore open to attack (either via the etcd server or via backups of etcd data).
A solution, which should probably be recommended in the README, is to use a KMS plugin to encrypt the secrets prior to them being stored in etcd.
(See https://github.com/godaddy/kubernetes-external-secrets/issues/538.)
Hi Glyn, this is correct. There are different solutions to encrypt the secrets prior to storing them in etcd. My understanding, though, is that if stored encrypted, the pods accessing the secrets would require a way to decrypt the secrets. Though some googling brought me here https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/ which seems to indicate that this is supported by Kubernetes through a plugin now? Is that what you are referring to?
Yes, that's the reference to KMS plugins. Secrets are decrypted by Kubernetes using the KMS plugin and then injected into pods as usual.
Fun stuff. Probably not massively hard to implement in kube-secret-syncer either, though I admit right now this is not a priority for us. Definitely interested in pull requests though. I'll leave this ticket open while the documentation is not updated.
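The KMS provider page linked above verifies encryption at rest by reading a Secret's raw value straight out of etcd and checking its prefix: encrypted objects start with `k8s:enc:<provider>:v1:<name>:` (or `k8s:enc:kms:v2:` for KMS v2), while unencrypted ones start with the protobuf magic `k8s` followed by a NUL byte. The helper below is an added example, not part of kube-secret-syncer or this thread; the sample values are constructed, and `audit_secret` assumes `etcdctl` is already configured for the cluster's etcd (endpoint, CA and client certificates) and that the default `/registry` key prefix is in use.

```shell
#!/bin/sh
# Classify how a Kubernetes Secret is stored in etcd from its raw value.
# Reads the value on stdin; prints one of: plaintext, kms:v1, kms:v2,
# aescbc, aesgcm, secretbox, unknown.
storage_mode() {
  local head
  # Only the prefix matters; drop NUL bytes so the shell can hold the string.
  head="$(head -c 64 | tr -d '\000')"
  case "$head" in
    k8s:enc:kms:v2:*)       echo "kms:v2" ;;
    k8s:enc:kms:v1:*)       echo "kms:v1" ;;
    k8s:enc:aescbc:v1:*)    echo "aescbc" ;;
    k8s:enc:aesgcm:v1:*)    echo "aesgcm" ;;
    k8s:enc:secretbox:v1:*) echo "secretbox" ;;
    k8s*)                   echo "plaintext" ;;   # "k8s\0..." protobuf, no envelope
    *)                      echo "unknown" ;;
  esac
}

# audit_secret NAMESPACE NAME -> storage mode of one live Secret.
# Assumption: ETCDCTL_API=3 and the etcdctl endpoint/cert env vars are set.
audit_secret() {
  etcdctl get "/registry/secrets/$1/$2" --print-value-only | storage_mode
}

# Constructed sample values (not real etcd dumps) showing both outcomes:
# a Secret written with no EncryptionConfiguration, and one written through
# a KMS v1 plugin named "myKmsPlugin".
demo() {
  printf 'plain secret   -> %s\n' \
    "$(printf 'k8s\000\n\013v1/Secret\022\006opaque' | storage_mode)"
  printf 'kms v1 secret  -> %s\n' \
    "$(printf 'k8s:enc:kms:v1:myKmsPlugin:\212\001ciphertext' | storage_mode)"
}

demo
```

Note that Secrets written before the KMS provider was enabled stay in plaintext until they are rewritten, so an audit like this should run over every Secret after enabling encryption, not just newly synced ones.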