Encrypting secrets at the application layer

This page explains how to encrypt Kubernetes Secrets at the application layer using a key you manage in Cloud Key Management Service (Cloud KMS). Since this feature relies on functionality from Cloud KMS, you should familiarize yourself with key rotation and envelope encryption.

Overview

By default, GKE encrypts customer content stored at rest, including Secrets. GKE handles and manages this default encryption for you without any additional action on your part.

Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as Secrets, stored in etcd. Using this functionality, you can use a key managed with Cloud KMS to encrypt data at the application layer. This protects against attackers who gain access to an offline copy of etcd.

To use Application-layer Secrets Encryption, you must first create a Cloud KMS key and give the GKE service account access to the key. The key must be in the same location as the cluster to decrease latency and to prevent cases where resources depend on services spread across multiple failure domains. Then, you can enable the feature on a new or existing cluster by specifying the key you would like to use.

Envelope encryption

Kubernetes offers envelope encryption of Secrets with a KMS provider, meaning that a local key, commonly called a data encryption key (DEK), is used to encrypt the Secrets. The DEK itself is encrypted with another key called the key encryption key. The key encryption key is not stored by Kubernetes.

Envelope encryption has two main benefits:

• The key encryption key can be rotated without requiring re-encryption of all the Secrets. This means that you can more easily follow the best practice of regular key rotation, without a significant impact on performance.

• Secrets that are stored in Kubernetes can rely on an external root of trust. This means that you can use a central root of trust, for example a Hardware Security Module, for all your Secrets, and that an adversary accessing your containers off line isn't able to obtain your Secrets.

With Application-layer Secrets Encryption in GKE, your Secrets are encrypted locally, using the AES-CBC provider, with local DEKs, and the DEKs are encrypted with a key encryption key that you manage in Cloud KMS.

To learn more about envelope encryption, see Envelope encryption.

What happens when you create a Secret

When you create a new Secret, here's what happens:

• The Kubernetes API server generates a unique DEK for the Secret by using a random number generator.

• The Kubernetes API server uses the DEK locally to encrypt the Secret.

• The KMS plugin sends the DEK to Cloud KMS for encryption. The KMS plugin uses your project's GKE service account to authenticate to Cloud KMS.

• Cloud KMS encrypts the DEK, and sends it back to the KMS plugin.

• The Kubernetes API server saves the encrypted Secret and the encrypted DEK. The plaintext DEK is not saved to disk.

When a client requests a Secret from the Kubernetes API server, the process described above is reversed.

What happens when you destroy a Key

When you destroy a key in Cloud KMS used to encrypt a Secret in GKE, that Secret is no longer available. Unless using a Service Account Token Volume Projection, Service Accounts used by GKE also use Secrets, and if a key is destroyed these become unavailable. The inability to access these means that the cluster will fail to start.

Prior to destroying a key, it is recommended that you verify if it is being used by your cluster. You can also create an alerting policy for key destruction in Cloud KMS.

Before you begin

• To do the exercises in this topic, you need two Google Cloud projects:

  • Key project: This is where you create a key encryption key.

  • Cluster project: This is where you create a cluster that enables Application-layer Secrets Encryption.

• In your key project, ensure that you have enabled the Cloud KMS API.

  Enable Cloud KMS API

• In your key project, the user who creates the key ring and key needs the following IAM permissions:

  • cloudkms.keyRings.getIamPolicy
  • cloudkms.keyRings.setIamPolicy

  These permissions (and many more) are granted to the pre-defined roles/cloudkms.admin Identity and Access Management role. You can learn more about granting permissions to manage keys in the Cloud KMS documentation.

• In your cluster project, ensure that you have enabled the Google Kubernetes Engine API.

  Enable Google Kubernetes Engine API

• Ensure that you have installed the Cloud SDK.

• Update gcloud to the latest version:

  gcloud components update

Creating a Cloud KMS key

When you create key ring, specify a location that matches the location of your GKE cluster:

• A zonal cluster should use a key ring from a superset location. For example, a cluster in the zone us-central1-a can only use a key in the region us-central1.

• A regional cluster should use a key ring from the same location. For example, a cluster in the region asia-northeast1 should be protected with a key ring from region asia-northeast1.

• The Cloud KMS global region is not supported for use with GKE.

You can use the gcloud tool or the Google Cloud Console.

gcloud kms keyrings create RING_NAME \
    --location LOCATION \
    --project KEY_PROJECT_ID

gcloud kms keys create KEY_NAME \
    --location LOCATION \
    --keyring RING_NAME \
    --purpose encryption \
    --project KEY_PROJECT_ID

Grant permission to use the key

The GKE service account in your cluster project has this name:

service-CLUSTER_PROJECT_ID@container-engine-robot.iam.gserviceaccount.com

Replace CLUSTER_PROJECT_ID with your cluster project ID.

To grant access to the service account, you can use the Google Cloud Console or the gcloud command.

gcloud kms keys add-iam-policy-binding KEY_NAME \
  --location LOCATION \
  --keyring RING_NAME \
  --member serviceAccount:SERVICE_ACCOUNT_NAME \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --project KEY_PROJECT_ID

Enabling Application-layer Secrets Encryption

On a new cluster

You can create a new cluster by using the Google Cloud Console or the gcloud tool.

gcloud container clusters create CLUSTER_NAME \
  --cluster-version=latest \
  --zone ZONE \
  --database-encryption-key projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME \
  --project CLUSTER_PROJECT_ID

On an existing cluster

You can use the gcloud tool or the Google Cloud Console to update an existing cluster to use Application-layer Secrets Encryption.

gcloud container clusters update CLUSTER_NAME \
  --zone ZONE \
  --database-encryption-key projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME \
  --project CLUSTER_PROJECT_ID

Updating a Cloud KMS key

gcloud container clusters update CLUSTER_NAME \
  --zone ZONE \
  --database-encryption-key projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME \
  --project CLUSTER_PROJECT_ID

Disabling Applications-layer Secrets Encryption

You can use the gcloud tool or the Google Cloud Console.

gcloud container clusters update CLUSTER_NAME \
  --zone ZONE \
  --disable-database-encryption \
  --project CLUSTER_PROJECT_ID

Verifying that Application-layer Secrets Encryption is enabled

You can check to see whether a cluster is using Application-layer Secrets Encryption using the Google Cloud Console or the gcloud command.

gcloud container clusters describe CLUSTER_NAME \
  --zone ZONE \
  --format 'value(databaseEncryption)' \
  --project CLUSTER_PROJECT_ID

keyName=projects/project/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME;state=ENCRYPTED

Limitations

Number of secrets

GKE supports up to 10,000 secrets per cluster for application-layer secrets encryption. If you store more secrets than 10,000, your cluster might become unstable at upgrade time, causing a potential outage for your workloads.

Key location

You must select a key in the same region as the cluster that it is being used in. For example, a zonal cluster in us-central1-a can only use a key in the region us-central1. For regional clusters, keys must be in the same location to decrease latency and to prevent cases where resources depend on services spread across multiple failure domains.

Key rotation

When you perform a key rotation, your existing secrets remain encrypted with the previous key encryption key (KEK). To ensure a newer KEK wraps a Secret, create a new Secret after key rotation.

For example, you create and store a Secret, Secret1. It is encrypted with DEK1, which itself is wrapped with KEKv1. Before KEKv1 rotates, you create another secret, Secret2. Secret2 gets its own key, DEK2. KEKv1 is used again to encrypt the DEK.

After the KEK rotates, we create another secret, Secret3, which gets encrypted with DEK3. DEK3 is in turn encrypted with KEKv2, the rotated KEK.

For instructions on how to manually rotate the KEKs that encrypt your Secrets, see Re-encrypting your secrets.

Re-encrypting your secrets

There is no way to force automatic re-encryption of your Secrets. If desired, you can manually rotate your KEK by creating a new key version:

gcloud kms keys versions create --location LOCATION \
   --keyring RING_NAME \
   --key KEY_NAME \
   --primary \
   --project KEY_PROJECT_ID

Replace the following:

• LOCATION: the Cloud KMS location where you created your key ring.
• RING_NAME: the name of your key ring.
• KEY_NAME: the name of your key.
• KEY_PROJECT_ID: your key project ID.

Then force GKE to re-encrypt by touching every Secret:

kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - encryption-key-rotation-time="TIME"

Replace TIME with a string indicating when the rotation happens (for example, 20200909-090909).

EncryptionConfig

At this time, only keys from Cloud KMS are supported in GKE. You cannot use another Kubernetes KMS provider or another encryption provider.

What's next

• Learn more about Secrets in Kubernetes.
• Learn more about Secret management using Cloud KMS.
• Learn how to harden your cluster.