|
| 1 | +--- |
| 2 | +title: Decrypt Confidential Data that is Already Encrypted at Rest |
| 3 | +content_type: task |
| 4 | +weight: 215 |
| 5 | +--- |
| 6 | + |
| 7 | +<!-- overview --> |
| 8 | + |
| 9 | +All of the APIs in Kubernetes that let you write persistent API resource data support |
| 10 | +at-rest encryption. For example, you can enable at-rest encryption for |
| 11 | +{{< glossary_tooltip text="Secrets" term_id="secret" >}}. |
| 12 | +This at-rest encryption is additional to any system-level encryption for the |
| 13 | +etcd cluster or for the filesystem(s) on hosts where you are running the |
| 14 | +kube-apiserver. |
| 15 | + |
| 16 | +This page shows how to switch from encryption of API data at rest, so that API data |
| 17 | +are stored unencrypted. You might want to do this to improve performance; usually, |
| 18 | +though, if it was a good idea to encrypt some data, it's also a good idea to leave them |
| 19 | +encrypted. |
| 20 | + |
| 21 | +{{< note >}} |
| 22 | +This task covers encryption for resource data stored using the |
| 23 | +{{< glossary_tooltip text="Kubernetes API" term_id="kubernetes-api" >}}. For example, you can |
| 24 | +encrypt Secret objects, including the key-value data they contain. |
| 25 | + |
| 26 | +If you wanted to manage encryption for data in filesystems that are mounted into containers, you instead |
| 27 | +need to either: |
| 28 | + |
| 29 | +- use a storage integration that provides encrypted |
| 30 | + {{< glossary_tooltip text="volumes" term_id="volume" >}} |
| 31 | +- encrypt the data within your own application |
| 32 | +{{< /note >}} |
| 33 | + |
| 34 | +## {{% heading "prerequisites" %}} |
| 35 | + |
| 36 | +* {{< include "task-tutorial-prereqs.md" >}} |
| 37 | + |
| 38 | +* This task assumes that you are running the Kubernetes API server as a |
| 39 | + {{< glossary_tooltip text="static pod" term_id="static-pod" >}} on each control |
| 40 | + plane node. |
| 41 | + |
| 42 | +* Your cluster's control plane **must** use etcd v3.x (major version 3, any minor version). |
| 43 | + |
| 44 | +* To encrypt a custom resource, your cluster must be running Kubernetes v1.26 or newer. |
| 45 | + |
| 46 | +* You should have some API data that are already encrypted. |
| 47 | + |
| 48 | +{{< version-check >}} |
| 49 | + |
| 50 | + |
| 51 | +<!-- steps --> |
| 52 | + |
| 53 | +## Determine whether encryption at rest is already enabled |
| 54 | + |
| 55 | +By default, the API server uses an `identity` provider that stores plain-text representations |
| 56 | +of resources. |
| 57 | +**The default `identity` provider does not provide any confidentiality protection.** |
| 58 | + |
| 59 | +The `kube-apiserver` process accepts an argument `--encryption-provider-config` |
| 60 | +that specifies a path to a configuration file. The contents of that file, if you specify one, |
| 61 | +control how Kubernetes API data is encrypted in etcd. |
| 62 | +If it is not specified, you do not have encryption at rest enabled. |
| 63 | + |
| 64 | +The format of that configuration file is YAML, representing a configuration API kind named |
| 65 | +[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). |
| 66 | +You can see an example configuration |
| 67 | +in [Encryption at rest configuration](/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration). |
| 68 | + |
| 69 | +If `--encryption-provider-config` is set, check which resources (such as `secrets`) are |
| 70 | +configured for encryption, and what provider is used. |
| 71 | +Make sure that the preferred provider for that resource type is **not** `identity`; you |
| 72 | +only set `identity` (_no encryption_) as default when you want to disable encryption at |
| 73 | +rest. |
| 74 | +Verify that the first-listed provider for a resource is something **other** than `identity`, |
| 75 | +which means that any new information written to resources of that type will be encrypted as |
| 76 | +configured. If you do see `identity` as the first-listed provider for any resource, this |
| 77 | +means that those resources are being written out to etcd without encryption. |
| 78 | + |
| 79 | +## Decrypt all data {#decrypting-all-data} |
| 80 | + |
| 81 | +This example shows how to stop encrypting the Secret API at rest. If you are encrypting |
| 82 | +other API kinds, adjust the steps to match. |
| 83 | + |
| 84 | +### Locate the encryption configuration file |
| 85 | + |
| 86 | +First, find the API server configuration files. On each control plane node, static Pod manifest |
| 87 | +for the kube-apiserver specifies a command line argument, `--encryption-provider-config`. |
| 88 | +You are likely to find that this file is mounted into the static Pod using a |
| 89 | +[`hostPath`](/docs/concepts/storage/volumes/#hostpath) volume mount. Once you locate the volume |
| 90 | +you can find the file on the node filesystem and inspect it. |
| 91 | + |
| 92 | +### Configure the API server to decrypt objects |
| 93 | + |
| 94 | +To disable encryption at rest, place the `identity` provider as the first |
| 95 | +entry in your encryption configuration file. |
| 96 | + |
| 97 | +For example, if your existing EncryptionConfiguration file reads: |
| 98 | +```yaml |
| 99 | +--- |
| 100 | +apiVersion: apiserver.config.k8s.io/v1 |
| 101 | +kind: EncryptionConfiguration |
| 102 | +resources: |
| 103 | + - resources: |
| 104 | + - secrets |
| 105 | + providers: |
| 106 | + - aescbc: |
| 107 | + keys: |
| 108 | + # Do not use this (invalid) example key for encryption |
| 109 | + - name: example |
| 110 | + secret: 2KfZgdiq2K0g2YrYpyDYs9mF2LPZhQ== |
| 111 | +``` |
| 112 | +
|
| 113 | +then change it to: |
| 114 | +
|
| 115 | +```yaml |
| 116 | +--- |
| 117 | +apiVersion: apiserver.config.k8s.io/v1 |
| 118 | +kind: EncryptionConfiguration |
| 119 | +resources: |
| 120 | + - resources: |
| 121 | + - secrets |
| 122 | + providers: |
| 123 | + - identity: {} # add this line |
| 124 | + - aescbc: |
| 125 | + keys: |
| 126 | + - name: example |
| 127 | + secret: 2KfZgdiq2K0g2YrYpyDYs9mF2LPZhQ== |
| 128 | +``` |
| 129 | +
|
| 130 | +and restart the kube-apiserver Pod on this node. |
| 131 | +
|
| 132 | +### Reconfigure other control plane hosts {#api-server-config-update-more-1} |
| 133 | +
|
| 134 | +If you have multiple API servers in your cluster, you should deploy the changes in turn to each API server. |
| 135 | +
|
| 136 | +Make sure that you use the same encryption configuration on each control plane host. |
| 137 | +
|
| 138 | +### Force decryption |
| 139 | +
|
| 140 | +Then run the following command to force decryption of all Secrets: |
| 141 | +
|
| 142 | +```shell |
| 143 | +# If you are decrypting a different kind of object, change "secrets" to match. |
| 144 | +kubectl get secrets --all-namespaces -o json | kubectl replace -f - |
| 145 | +``` |
| 146 | + |
| 147 | +Once you have replaced **all** existing encrypted resources with backing data that |
| 148 | +don't use encryption, you can remove the encryption settings from the |
| 149 | +`kube-apiserver`. |
| 150 | + |
| 151 | +The command line options to remove are: |
| 152 | + |
| 153 | +- `--encryption-provider-config` |
| 154 | +- `--encryption-provider-config-automatic-reload` |
| 155 | + |
| 156 | +Restart the kube-apiserver Pod again to apply the new configuration. |
| 157 | + |
| 158 | +### Reconfigure other control plane hosts {#api-server-config-update-more-2} |
| 159 | + |
| 160 | +If you have multiple API servers in your cluster, you should again deploy the changes in turn to each API server. |
| 161 | + |
| 162 | +Make sure that you use the same encryption configuration on each control plane host. |
| 163 | + |
| 164 | +## {{% heading "whatsnext" %}} |
| 165 | + |
| 166 | +* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/). |
0 commit comments