Sunday, February 10, 2019

Google encrypts Kubernetes secrets with Cloud KMS

Google Cloud, which was already encrypting data at rest by default, including data in Google Kubernetes Engine (GKE), is adding application-layer secrets encryption using the same keys in its hosted Cloud Key Management Service (KMS).


Application-layer secrets encryption, which is now in beta in GKE, protects secrets with envelope encryption: secrets are encrypted locally in AES-CBC mode with a local data encryption key, and the data encryption key is encrypted with a key encryption key managed in Cloud KMS as the root of trust.

Google Cloud said the new capability provides flexibility for specific security models.

https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-encrypting-kubernetes-secrets-with-cloud-kms


See also