Resources (not just secrets) in a Kubernetes cluster can be encrypted using an envelope encryption scheme with the DEK being encrypted with a KEK that is managed in Vault.

Add support for using Hashicorp Vault as a KMS provider to manage KEKs.

Would address several concerns discussed in the issues referenced:

• Reuse Vault already in use in an enterprise to additionall manage KEKs for K8S clusters.
• KEK is externalized and managed in the KMS provider, adding to the security of the overall deployment.
• Separate cluster mangement responsibilities from key management/administration, better reflecting Ops, SecOps separations.

Design Proposal. Discussed at sig-auth July 26.

Alpha release Target 1.8 ?

Relies on support added via PRs

• Add an AEAD encrypting transformer for storing secrets encrypted at rest #41939 for transformers
• Add envelope encryption transformer #49350 for envelope encryption transformers
• Config support added in Add configuration for encryption providers #46460 and Add Google cloud KMS service for envelope encryption transformer #48574

Roadmap

• A Plan for Kubernetes Secrets
• Encryption of secrets at the database layer community#607

Related Issues

• Encrypt secrets in etcd enhancements#92
• encrypt secrets when in etcd. #12742
• Allow use of encrypted secrets #28538
• Suggestion: Is it possible to get Kubernetes keep its Secrets in HashiCorp Vault #10439
• Add support for Google Cloud KMS as encryption provider for encryption at rest #48522

/kind feature

@kubernetes/sig-auth

/sig auth

/assign @vineet-garg