<!-- localization note: if it makes sense to adapt this table to work for your localization,
please do that. Each sentence in the English original should have a direct equivalent in the adapted
layout, although this may not always be possible -->
<table class="complex-layout">
<caption style="display: none;">Providers for Kubernetes encryption at rest</caption>
<thead>
<tr>
<th>Name</th>
<th>Encryption</th>
<th>Strength</th>
<th>Speed</th>
<th>Key length</th>
</tr>
</thead>
<tbody id="encryption-providers-identity">
<!-- list identity first, even when the remaining rows are sorted alphabetically -->
<tr>
<th rowspan="2" scope="row"><tt>identity</tt></th>
<td><strong>None</strong></td>
<td>N/A</td>
<td>N/A</td>
<td>N/A</td>
</tr>
<tr>
<td colspan="4">Resources are written as-is, without encryption. When <tt>identity</tt> is the first provider, a resource is stored as plaintext the next time it is written; encrypted resources already in storage are <strong>not</strong> automatically rewritten as plaintext (they remain readable only while a provider that can decrypt them is still listed).
The <tt>identity</tt> provider is the default if you do not specify otherwise.</td>
</tr>
</tbody>
<tbody id="encryption-providers-that-encrypt">
<tr>
<th rowspan="2" scope="row"><tt>aescbc</tt></th>
<td>AES-CBC with <a href="https://datatracker.ietf.org/doc/html/rfc2315">PKCS#7</a> padding</td>
<td>Weak</td>
<td>Fast</td>
<td>16, 24, or 32-byte</td>
</tr>
<tr>
<td colspan="4">Not recommended: CBC mode without an integrity check is vulnerable to padding oracle attacks. The key material is stored in the encryption configuration file, so it is accessible to anyone with access to the control plane host.</td>
</tr>
<tr>
<th rowspan="2" scope="row"><tt>aesgcm</tt></th>
<td>AES-GCM with random nonce</td>
<td>Must be rotated every 200,000 writes (the nonce is random, so the chance of repeating a nonce under the same key grows with the number of writes)</td>
<td>Fastest</td>
<td>16, 24, or 32-byte</td>
</tr>
<tr>
<td colspan="4">Not recommended unless an automated key rotation scheme is in place. The key material is stored in the encryption configuration file, so it is accessible from the control plane host.</td>
</tr>
<tr>
<th rowspan="2" scope="row"><tt>kms</tt> v1 <em>(deprecated since Kubernetes v1.28)</em></th>
<td>Uses envelope encryption scheme with DEK per resource.</td>
<td>Strongest</td>
<td>Slow (<em>compared to <tt>kms</tt> version 2</em>)</td>
<td>32-byte</td>
</tr>
<tr>
<td colspan="4">
Data is encrypted by data encryption keys (DEKs) using AES-GCM;
DEKs are encrypted by key encryption keys (KEKs) according to
configuration in Key Management Service (KMS).
Simple key rotation, with a new DEK generated for each encryption, and
KEK rotation controlled by the user.
<br />
Read how to <a href="/docs/tasks/administer-cluster/kms-provider#configuring-the-kms-provider-kms-v1">configure the KMS V1 provider</a>.
</td>
</tr>
<tr>
<th rowspan="2" scope="row"><tt>kms</tt> v2 </th>
<td>Uses envelope encryption scheme with DEK per API server.</td>
<td>Strongest</td>
<td>Fast</td>
<td>32-byte</td>
</tr>
<tr>
<td colspan="4">
Data is encrypted by data encryption keys (DEKs) using AES-GCM; DEKs
are encrypted by key encryption keys (KEKs) according to configuration
in Key Management Service (KMS).
Kubernetes generates a new DEK per encryption from a secret seed.
The seed is rotated whenever the KEK is rotated.<br/>
A good choice if using a third-party tool for key management.
Available as stable from Kubernetes v1.29.
<br />
Read how to <a href="/docs/tasks/administer-cluster/kms-provider#configuring-the-kms-provider-kms-v2">configure the KMS V2 provider</a>.
</td>
</tr>
<tr>
<th rowspan="2" scope="row"><tt>secretbox</tt></th>
<td>XSalsa20 and Poly1305</td>
<td>Strong</td>
<td>Faster</td>
<td>32-byte</td>
</tr>
<tr>
<td colspan="4">Uses relatively new encryption technologies that may not be considered acceptable in environments that require high levels of review. The key material is stored in the encryption configuration file, so it is accessible from the control plane host.</td>
</tr>
</tbody>
</table>
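
The two `kms` rows describe envelope encryption only in prose. The following Go program is an added example, not code from the Kubernetes project: it models both schemes with the standard library so that the "DEK per resource" versus "DEK per API server" distinction and the speed column become concrete. Its assumptions: the KMS plugin is simulated by an in-process AES-GCM key wrap (`kmsWrap`/`kmsUnwrap`), the kms v2 per-write key is derived from the seed with an HKDF-Expand step over random input (this example's construction, not the API server's exact one), the etcd key path is bound as AEAD associated data (also this example's choice), and the `Record` layout is illustrative. A counter of KMS round trips shows why v1 is the slow one: every v1 write and read goes to the KMS, while v2 needs it only to wrap the seed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce length
var KMSCalls int     // round trips to the simulated KMS; makes the v1/v2 cost difference visible

// Record is an illustrative etcd value for one resource; the real providers use their own framing.
type Record struct {
	WrappedKey []byte // v1: this resource's DEK wrapped by the KMS; v2: the API server's wrapped seed
	Info       []byte // v2 only: random per-write HKDF input from which the write's key is derived
	Nonce      []byte
	Ciphertext []byte // sealed with the etcd key path as associated data (this example's choice)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-GCM for a key; every key here is 32 bytes by construction, so failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// kmsWrap and kmsUnwrap stand in for the external KMS plugin: the KEK is touched only here.
func kmsWrap(kek, key []byte) []byte {
	KMSCalls++
	nonce := randBytes(nonceSize)
	return append(nonce, gcm(kek).Seal(nil, nonce, key, nil)...)
}

func kmsUnwrap(kek, wrapped []byte) ([]byte, error) {
	KMSCalls++
	if len(wrapped) < nonceSize {
		return nil, fmt.Errorf("wrapped key too short: %d bytes", len(wrapped))
	}
	return gcm(kek).Open(nil, wrapped[:nonceSize], wrapped[nonceSize:], nil)
}

// EncryptV1 models kms v1: a fresh 32-byte DEK per resource, wrapped through the KMS on every write.
func EncryptV1(kek, plaintext, path []byte) Record {
	dek, nonce := randBytes(32), randBytes(nonceSize)
	ct := gcm(dek).Seal(nil, nonce, plaintext, path)
	return Record{WrappedKey: kmsWrap(kek, dek), Nonce: nonce, Ciphertext: ct}
}

// DecryptV1 has to unwrap the DEK through the KMS before every read.
func DecryptV1(kek []byte, r Record, path []byte) ([]byte, error) {
	dek, err := kmsUnwrap(kek, r.WrappedKey)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, r.Nonce, r.Ciphertext, path)
}

// deriveKey is HKDF-Expand (RFC 5869) for one SHA-256 output block, with the seed as the PRK:
// HMAC(seed, info || 0x01).
func deriveKey(seed, info []byte) []byte {
	mac := hmac.New(sha256.New, seed)
	mac.Write(info)
	mac.Write([]byte{1})
	return mac.Sum(nil)
}

// EncryptV2 models kms v2: the seed was wrapped once and stays in memory; each write derives its own
// key from the seed plus fresh random info, so the write path makes no KMS call at all.
func EncryptV2(seed, wrappedSeed, plaintext, path []byte) Record {
	info, nonce := randBytes(32), randBytes(nonceSize)
	ct := gcm(deriveKey(seed, info)).Seal(nil, nonce, plaintext, path)
	return Record{WrappedKey: wrappedSeed, Info: info, Nonce: nonce, Ciphertext: ct}
}

// DecryptV2 re-derives the key from the cached seed; the KMS is only needed for a wrapped seed that
// is not cached, for example one written before a KEK rotation.
func DecryptV2(seed []byte, r Record, path []byte) ([]byte, error) {
	return gcm(deriveKey(seed, r.Info)).Open(nil, r.Nonce, r.Ciphertext, path)
}

func main() {
	kek, seed := randBytes(32), randBytes(32) // the KEK lives in the KMS, the v2 seed in the API server
	wrappedSeed := kmsWrap(kek, seed)
	path := []byte("/registry/secrets/default/db-password") // constructed sample etcd key
	for i := 0; i < 3; i++ {
		EncryptV1(kek, []byte("hunter2"), path)
		EncryptV2(seed, wrappedSeed, []byte("hunter2"), path)
	}
	fmt.Println("KMS calls for one seed wrap, three v1 writes and three v2 writes:", KMSCalls)
}
```

Because the v2 seed is wrapped once per API server, rotating the KEK means re-wrapping (or regenerating) that seed, which is why the table says the seed is rotated whenever the KEK is; a v1 deployment instead has a wrapped DEK inside every stored resource, so each one must be rewritten to pick up a new KEK.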
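
The `identity` row's note about provider order is easy to misread, so here is the behaviour as an added example (not code from Kubernetes). The Go program below models etcd behind a provider list: every write uses the first provider, a read is served by the first listed provider whose prefix matches the stored value, and `identity` refuses a value tagged `k8s:enc:` so that a provider listed after it can still read it. The `k8s:enc:<provider>:v1:<keyname>:` prefix, the `stale` flag on reads served by a non-first provider, and the identity fall-through are modelled on the API server's behaviour and are assumptions of this example; the `Rewrite` method is the manual re-store step (reading every object and writing it back), which a configuration change never performs on its own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider mirrors one entry in the EncryptionConfiguration providers list. Stored values carry the
// provider's prefix, in the k8s:enc:<provider>:v1:<keyname>: form; identity has no prefix.
type Provider struct {
	Prefix  string
	Encrypt func(plaintext []byte) []byte
	Decrypt func(stored []byte) ([]byte, error)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Identity stores values as-is but refuses to "decrypt" a tagged value, so a later provider can.
func Identity() Provider {
	return Provider{
		Encrypt: func(b []byte) []byte { return b },
		Decrypt: func(b []byte) ([]byte, error) {
			if bytes.HasPrefix(b, []byte("k8s:enc:")) {
				return nil, errors.New("identity provider tried to read encrypted data")
			}
			return b, nil
		},
	}
}

// AESGCM is an aesgcm-style provider: a random 12-byte nonce is stored in front of the ciphertext.
func AESGCM(keyName string, key []byte) (Provider, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Provider{}, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	ns := aead.NonceSize()
	return Provider{
		Prefix: "k8s:enc:aesgcm:v1:" + keyName + ":",
		Encrypt: func(p []byte) []byte {
			nonce := randBytes(ns)
			return append(nonce, aead.Seal(nil, nonce, p, nil)...)
		},
		Decrypt: func(s []byte) ([]byte, error) {
			if len(s) < ns {
				return nil, errors.New("ciphertext too short")
			}
			return aead.Open(nil, s[:ns], s[ns:], nil)
		},
	}, nil
}

// Store models etcd behind a provider list: writes use the first provider only; a read is served by
// the first provider whose prefix matches, and is stale when that provider was not the first one.
type Store struct {
	Providers []Provider
	Data      map[string][]byte
}

func (s *Store) Write(key string, value []byte) {
	p := s.Providers[0]
	s.Data[key] = append([]byte(p.Prefix), p.Encrypt(value)...)
}

func (s *Store) Read(key string) (value []byte, stale bool, err error) {
	stored := s.Data[key]
	for i, p := range s.Providers {
		if bytes.HasPrefix(stored, []byte(p.Prefix)) {
			value, err = p.Decrypt(stored[len(p.Prefix):])
			if err == nil || p.Prefix != "" { // identity refusing a tagged value falls through
				return value, i != 0, err
			}
		}
	}
	return nil, false, fmt.Errorf("%s: no listed provider can read the stored value", key)
}

// Rewrite reads every value and writes it back, re-storing it under the current first provider;
// changing the provider list alone never does this.
func (s *Store) Rewrite() error {
	for k := range s.Data {
		v, _, err := s.Read(k)
		if err != nil {
			return err
		}
		s.Write(k, v)
	}
	return nil
}

func main() {
	gcm, _ := AESGCM("key1", randBytes(32))
	k, tag := "/registry/secrets/default/db", []byte("k8s:enc:") // constructed sample etcd key
	s := &Store{Providers: []Provider{gcm, Identity()}, Data: map[string][]byte{}}
	s.Write(k, []byte("hunter2"))
	s.Providers = []Provider{Identity(), gcm} // identity first: new writes are plaintext
	fmt.Println("still encrypted after the reorder:", bytes.HasPrefix(s.Data[k], tag)) // true
	s.Rewrite()
	fmt.Println("encrypted after the rewrite:", bytes.HasPrefix(s.Data[k], tag)) // false
}
```

The same model shows the opposite mistake: removing a provider from the list while values it wrote are still in storage leaves those values unreadable, so a provider (or key) should only be dropped after every resource has been rewritten without it.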
The `identity` provider is the default if you do not specify otherwise. **The `identity` provider does not