2nd chunk of `content/en/docs/tasks/administer-cluster/decrypt-data.md`
The `kube-apiserver` process accepts an argument `--encryption-provider-config`
that specifies a path to a configuration file. The contents of that file, if you specify one,
control how Kubernetes API data is encrypted in etcd.
If it is not specified, you do not have encryption at rest enabled.

The format of that configuration file is YAML, representing a configuration API kind named
[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-config.v1/).
You can see an example configuration
in [Encryption at rest configuration](/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration).

If `--encryption-provider-config` is set, check which resources (such as `secrets`) are
configured for encryption, and what provider is used.
Make sure that the preferred provider for that resource type is **not** `identity`; you
only set `identity` (_no encryption_) as default when you want to disable encryption at
rest.
Verify that the first-listed provider for a resource is something **other** than `identity`,
which means that any new information written to resources of that type will be encrypted as
configured. If you do see `identity` as the first-listed provider for any resource, this
means that those resources are being written out to etcd without encryption.

## Decrypt all data {#decrypting-all-data}

This example shows how to stop encrypting the Secret API at rest. If you are encrypting
other API kinds, adjust the steps to match.

### Locate the encryption configuration file

First, find the API server configuration files. On each control plane node, the static Pod manifest
for the kube-apiserver specifies a command line argument, `--encryption-provider-config`.
You are likely to find that this file is mounted into the static Pod using a
[`hostPath`](/docs/concepts/storage/volumes/#hostpath) volume mount. Once you locate the volume,
you can find the file on the node filesystem and inspect it.

### Configure the API server to decrypt objects

To disable encryption at rest, place the `identity` provider as the first
entry in your encryption configuration file.
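The check described above (which provider is listed first for each resource) and the edit that puts `identity` first can both be done programmatically. The following is an added example, not code from the Kubernetes project or its documentation. It assumes the configuration file has already been parsed with PyYAML's `yaml.safe_load()` (a small optional loader is included); the `SAMPLE_CONFIG` dict is a constructed stand-in for that parsed file, with placeholder key material rather than a real key.

```python
# Added example (not from the Kubernetes docs): audit an EncryptionConfiguration
# as returned by yaml.safe_load(), report resources whose first-listed provider
# is `identity`, and produce the edited config that disables encryption at rest.
from __future__ import annotations

import copy

# Constructed sample: the structure yaml.safe_load() returns for a typical
# EncryptionConfiguration. The "secret" values are placeholders, not real keys.
SAMPLE_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [
        {
            "resources": ["secrets"],
            "providers": [
                {"aescbc": {"keys": [{"name": "key1", "secret": "<base64-key-placeholder>"}]}},
                {"identity": {}},
            ],
        },
        {
            "resources": ["configmaps"],
            "providers": [
                {"identity": {}},
                {"aescbc": {"keys": [{"name": "key1", "secret": "<base64-key-placeholder>"}]}},
            ],
        },
    ],
}


def load_encryption_config(text: str) -> dict:
    """Parse YAML text into the dict structure used below (needs PyYAML)."""
    import yaml  # optional dependency; only needed when reading a real file

    return yaml.safe_load(text)


def provider_chain(entry: dict) -> list[str]:
    """Return provider names, in listed order, for one `resources` entry.

    Each provider item is a one-key mapping such as {"aescbc": {...}} or
    {"identity": {}}; anything else is treated as malformed.
    """
    names = []
    for item in entry.get("providers", []):
        if not isinstance(item, dict) or len(item) != 1:
            raise ValueError(f"malformed provider entry: {item!r}")
        names.append(next(iter(item)))
    if not names:
        raise ValueError(f"no providers listed for {entry.get('resources')!r}")
    return names


def first_providers(config: dict) -> dict[str, str]:
    """Map each configured resource to its first-listed provider.

    The first provider is the one used for new writes; the others are only
    consulted when reading data that was encrypted earlier.
    """
    if config.get("kind") != "EncryptionConfiguration":
        raise ValueError(f"unexpected kind: {config.get('kind')!r}")
    result: dict[str, str] = {}
    for entry in config.get("resources", []):
        chain = provider_chain(entry)
        for resource in entry.get("resources", []):
            result[resource] = chain[0]
    return result


def unencrypted_resources(config: dict) -> list[str]:
    """Resources whose new writes land in etcd in plaintext (identity first)."""
    return sorted(r for r, p in first_providers(config).items() if p == "identity")


def disable_encryption(config: dict, resource: str) -> dict:
    """Return a copy of `config` with `identity` moved to the front for `resource`.

    The key-bearing providers are kept later in the list so the API server can
    still read objects that were encrypted before the change; they simply stop
    being used for writes.
    """
    new = copy.deepcopy(config)
    found = False
    for entry in new.get("resources", []):
        if resource not in entry.get("resources", []):
            continue
        found = True
        rest = [p for p in entry["providers"] if "identity" not in p]
        entry["providers"] = [{"identity": {}}] + rest
    if not found:
        raise ValueError(f"resource {resource!r} is not in the configuration")
    return new


if __name__ == "__main__":
    print("write providers:", first_providers(SAMPLE_CONFIG))
    print("plaintext writes:", unencrypted_resources(SAMPLE_CONFIG))
    edited = disable_encryption(SAMPLE_CONFIG, "secrets")
    print("after edit:", first_providers(edited))
```

Run as a script, it reports `configmaps` as the resource already being written unencrypted in the sample, then shows `secrets` joining that list once `identity` is moved to the front. To audit a real node, read the file named by `--encryption-provider-config` and pass `load_encryption_config(text)` to `unencrypted_resources()`.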
