Configure Kubernetes secrets encryption provider

You can configure the encryption provider for Kubernetes secrets at rest in etcd across your MKE cluster. This configuration supports compliance with modern security policies, enables migration to AES-GCM, and maintains compatibility with existing clusters and secrets.

Encryption providers overview

The encryption provider controls how Kubernetes secrets are encrypted at rest in etcd. MKE supports the following Kubernetes encryption providers:

Provider | Status      | Description
aescbc   | Default     | Backward-compatible provider used in earlier MKE versions.
aesgcm   | Recommended | Modern AEAD (authenticated encryption with associated data) cipher required by many enterprise policies.

Note

The upstream Kubernetes documentation no longer recommends aescbc, because CBC mode without authentication is exposed to padding-oracle attacks, and it advises rotating aesgcm keys after roughly 200,000 writes, because the provider uses a random 96-bit nonce and a repeated nonce under one key breaks AES-GCM. Both points are the reason aesgcm is the recommended choice and why key management still matters after you switch.

Configure the encryption provider

Set the encryption provider in the MKE configuration file to one of the following values:

  • aescbc (if you do not specify a value, MKE uses aescbc by default)

  • aesgcm

[cluster_config]
secrets_encryption_provider = "aesgcm"

Provider switching

MKE lists both providers in the Kubernetes encryption configuration that the API server reads. The providers list is ordered: the first entry (the primary provider, the one you selected) encrypts every new write, and the API server tries each listed provider in turn when reading, so secrets written under the other provider stay readable.

Important

After switching the provider to aesgcm, only secrets written from that point on are encrypted with AES-GCM. Existing secrets stay encrypted with AES-CBC until the API server rewrites them, either through the re-encryption procedure below or through any later update to the secret.

Re-encrypt existing secrets (optional)

Switching the encryption provider applies only to newly written secrets. Existing secrets remain encrypted with the previous provider and are decrypted using the fallback provider.

Although the API server reads both formats transparently, some organizations require every secret to be stored with the newly selected provider, for example when moving from AES-CBC to AES-GCM because a compliance policy forbids unauthenticated CBC at rest.

Re-encrypt all secrets

You can force Kubernetes to rewrite every secret by performing a bulk replace operation.

This operation does not change secret contents. It causes the API server to decrypt each secret and write it back using the currently configured primary provider.

Run the following command to re-encrypt all secrets with the primary provider in the Kubernetes encryption configuration (encryption.cfg). The command is safe to run more than once: if it stops partway because another client updated a secret in the meantime (a write conflict), run it again. On clusters with many secrets, running it one namespace at a time keeps each JSON payload small.

The command applies the following workflow:

  1. Retrieves all secrets from all namespaces.

  2. Sends them back unchanged to the API server.

  3. Causes the API server to rewrite them using the primary configured provider.

kubectl get secrets --all-namespaces -o json | kubectl replace -f -

Verify re-encryption

To confirm that a secret is now encrypted with the new provider, inspect the stored value in etcd. The value is binary, so strings is used to keep only the printable part, which includes the provider prefix. Run the following command on a controller node (where the ucp-kv etcd container runs):

docker exec -e ETCDCTL_API=3 ucp-kv etcdctl \
  --endpoints=https://127.0.0.1:2379 \
  get /registry/secrets/<namespace>/<secret-name> | strings

Encrypted values in etcd use the following prefixes. The final segment (key here) is the name of the encryption key in the Kubernetes encryption configuration. A value with no k8s:enc: prefix at all is stored in the clear, which is how you spot a secret that was never encrypted.

Provider | Prefix
AES-GCM  | k8s:enc:aesgcm:v1:key:
AES-CBC  | k8s:enc:aescbc:v1:key:
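Checking one secret at a time does not tell you whether the bulk re-encryption reached every secret. The following script is an added example for this page, not MKE's own tooling: it re-encrypts secrets one namespace at a time with retries, then walks every key under /registry/secrets/ in etcd and classifies each value by its prefix, failing if anything is still on the old provider or unencrypted. It assumes kubectl is configured for the cluster, that it runs on a controller node where the ucp-kv container is reachable through docker, and that etcdctl inside that container accepts the same invocation as the verification command above; the script name and the 64-byte sample size are choices made here, not MKE settings.

```bash
#!/usr/bin/env bash
# Added example for this page, not MKE's own tooling: re-encrypt all secrets
# one namespace at a time, then audit etcd to confirm which provider wrote each
# secret. Assumptions not stated on the page: kubectl is configured for the
# cluster, the script runs on a controller node where the ucp-kv container is
# reachable through docker, and etcdctl inside it accepts the same invocation
# as the verification command on the page.

# etcd_kv: run etcdctl in the ucp-kv container (same invocation as the page).
etcd_kv() {
  docker exec -e ETCDCTL_API=3 ucp-kv etcdctl \
    --endpoints=https://127.0.0.1:2379 "$@"
}

# classify_value: print the provider that produced one stored value.
# Kubernetes prefixes every encrypted value with k8s:enc:<provider>:<version>:<keyname>:
# and a value without such a prefix was written to etcd in the clear.
classify_value() {
  case "$1" in
    k8s:enc:aesgcm:v1:*)    echo aesgcm ;;
    k8s:enc:aescbc:v1:*)    echo aescbc ;;
    k8s:enc:secretbox:v1:*) echo secretbox ;;
    k8s:enc:kms:*)          echo kms ;;
    *)                      echo plaintext ;;
  esac
}

# key_name: print the name of the encryption key that wrote a value, i.e. the
# segment after the provider version (key1 for k8s:enc:aesgcm:v1:key1:...).
key_name() {
  local rest
  case "$1" in
    k8s:enc:*:*:*:*) rest="${1#k8s:enc:*:*:}"; echo "${rest%%:*}" ;;
    *)               echo "" ;;
  esac
}

# audit_secrets EXPECTED: read "key<TAB>value-prefix" lines on stdin, print one
# line per secret plus a summary, and return non-zero if any secret is still
# stored by a provider other than EXPECTED (or unencrypted).
audit_secrets() {
  local expected="$1" key value provider bad=0 total=0
  while IFS=$'\t' read -r key value; do
    [ -n "$key" ] || continue
    total=$((total + 1))
    provider=$(classify_value "$value")
    printf '%-9s %-6s %s\n' "$provider" "$(key_name "$value")" "$key"
    [ "$provider" = "$expected" ] || bad=$((bad + 1))
  done
  printf 'total=%d not_on_%s=%d\n' "$total" "$expected" "$bad"
  [ "$bad" -eq 0 ]
}

# dump_secret_prefixes: emit "key<TAB>first 64 bytes of value" for every secret
# in etcd. Values are binary, so NULs and newlines are dropped; only the ASCII
# prefix is needed for classification. Not exercised by the offline checks.
dump_secret_prefixes() {
  local key
  etcd_kv get /registry/secrets/ --prefix --keys-only | while read -r key; do
    [ -n "$key" ] || continue
    printf '%s\t%s\n' "$key" \
      "$(etcd_kv get "$key" --print-value-only | head -c 64 | tr -d '\000\n')"
  done
}

# reencrypt_all: rewrite every secret so the API server stores it with the
# primary provider. Works per namespace to keep each payload small, skips
# namespaces with no secrets, and retries a namespace whose replace failed
# (for example because another client wrote a secret in the meantime).
# Rerunning is safe: secret contents are never changed.
reencrypt_all() {
  local ns attempt
  for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'); do
    [ "$(kubectl get secrets -n "$ns" --no-headers 2>/dev/null | wc -l)" -gt 0 ] || continue
    for attempt in 1 2 3; do
      kubectl get secrets -n "$ns" -o json | kubectl replace -f - >/dev/null && break
      echo "namespace $ns: replace attempt $attempt failed, retrying" >&2
    done
  done
}

# Usage on a controller node:  ./secrets_reencrypt.sh reencrypt
#                              ./secrets_reencrypt.sh audit aesgcm
case "${1:-}" in
  reencrypt) reencrypt_all ;;
  audit)     dump_secret_prefixes | audit_secrets "${2:-aesgcm}" ;;
esac
```

Run the reencrypt step first, then the audit; a non-zero exit from the audit means at least one secret is still on aescbc or, if a value shows up as plaintext, was never encrypted at all. Keep both providers in the encryption configuration until the audit reports not_on_aesgcm=0, since anything still stored under the old provider becomes unreadable the moment that provider is dropped.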