Home Explore Blog Models CI



kubernetes
9th chunk of `content/en/docs/tasks/administer-cluster/encrypt-data.md`
16f71cdd743737a3dd89389bbb9897e25ddbdbc40977be000000000100000c23
   read
   [decoding a Secret](/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret)
   to learn how to completely decode the Secret.

### Ensure all relevant data are encrypted {#ensure-all-secrets-are-encrypted}

It's often not enough to make sure that new objects get encrypted: you also want that
encryption to apply to the objects that are already stored.

For this example, you have configured your cluster so that Secrets are encrypted on write.
Performing a replace operation for each Secret will encrypt that content at rest,
where the objects are unchanged.

You can make this change across all Secrets in your cluster:

```shell
# Run this as an administrator that can read and write all Secrets
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

The command above reads all Secrets and then updates them with the same data, in order to
apply server side encryption.

{{< note >}}
If an error occurs due to a conflicting write, retry the command.
It is safe to run that command more than once.

For larger clusters, you may wish to subdivide the Secrets by namespace,
or script an update.
{{< /note >}}

## Prevent plain text retrieval {#cleanup-all-secrets-encrypted}

If you want to make sure that the only access to a particular API kind is done using
encryption, you can remove the API server's ability to read that API's backing data
as plaintext.

{{< warning >}}
Making this change prevents the API server from retrieving resources that are marked
as encrypted at rest, but are actually stored in the clear.

When you have configured encryption at rest for an API (for example: the API kind
`Secret`, representing `secrets` resources in the core API group), you **must** ensure
that all those resources in this cluster really are encrypted at rest. Check this before
you carry on with the next steps.
{{< /warning >}}

Once all Secrets in your cluster are encrypted, you can remove the `identity`
part of the encryption configuration. For example:

{{< highlight yaml "linenos=false,hl_lines=12" >}}
---
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <BASE 64 ENCODED SECRET>
      - identity: {} # REMOVE THIS LINE
{{< /highlight >}}

…and then restart each API server in turn. This change prevents the API server
from accessing a plain-text Secret, even by accident.

## Rotate a decryption key {#rotating-a-decryption-key}

Changing an encryption key for Kubernetes without incurring downtime requires a multi-step operation,
especially in the presence of a highly-available deployment where multiple `kube-apiserver` processes
are running.

1. Generate a new key and add it as the second key entry for the current provider on all
   control plane nodes.
1. Restart **all** `kube-apiserver` processes, to ensure each server can decrypt
   any data that are encrypted with the new key.
1. Make a secure backup of the new encryption key. If you lose all copies of this key you would
Title: Preventing Plain Text Retrieval and Rotating Encryption Keys
Summary
This section details how to prevent API servers from retrieving plaintext data by removing the `identity` provider from the encryption configuration after ensuring all Secrets are encrypted. It emphasizes the importance of verifying that all resources are encrypted before making this change, as it will prevent access to any resources stored in the clear. Additionally, the section outlines a multi-step process for rotating encryption keys without downtime, which includes generating a new key, adding it as the second key entry, restarting all `kube-apiserver` processes, and making a secure backup of the new encryption key.