kubernetes-the-hard-way/docs/06-data-encryption-keys.md

# Generating the Data Encryption Config and Key

Kubernetes stores a variety of data including cluster state, application
configurations, and secrets. Kubernetes supports the ability to [encrypt]
cluster data at rest.

In this lab you will generate an encryption key and an [encryption config]
suitable for encrypting Kubernetes Secrets.

## The Encryption Key

Generate an encryption key:

```bash
export ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
```

## The Encryption Config File

Create the `encryption-config.yaml` encryption config file:

```bash
envsubst < configs/encryption-config.yaml \
  > encryption-config.yaml
```

Copy the `encryption-config.yaml` encryption config file to each controller
instance:

```bash
scp encryption-config.yaml vagrant@controlplane:~/
```

Next: [Bootstrapping the etcd Cluster](07-bootstrapping-etcd.md)

---

[encrypt]: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data
[encryption config]: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration
update docs 2017-08-29 00:19:25 +03:00			`# Generating the Data Encryption Config and Key`

chg: Hostnames In Documentation Continued Updated more references to old hostnames in the documentation to reflect the new naming convention. 2025-06-02 06:37:55 +03:00			`Kubernetes stores a variety of data including cluster state, application`
			`configurations, and secrets. Kubernetes supports the ability to [encrypt]`
			`cluster data at rest.`
update docs 2017-08-29 00:19:25 +03:00
chg: Hostnames In Documentation Continued Updated more references to old hostnames in the documentation to reflect the new naming convention. 2025-06-02 06:37:55 +03:00			`In this lab you will generate an encryption key and an [encryption config]`
			`suitable for encrypting Kubernetes Secrets.`
update docs 2017-08-29 00:19:25 +03:00
			`## The Encryption Key`

			`Generate an encryption key:`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
			`export ENCRYPTION_KEY=$(head -c 32 /dev/urandom \| base64)`
update docs 2017-08-29 00:19:25 +03:00			```

			`## The Encryption Config File`

			Create the `encryption-config.yaml` encryption config file:

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
			`envsubst < configs/encryption-config.yaml \`
			`> encryption-config.yaml`
update docs 2017-08-29 00:19:25 +03:00			```

chg: Hostnames In Documentation Continued Updated more references to old hostnames in the documentation to reflect the new naming convention. 2025-06-02 06:37:55 +03:00			Copy the `encryption-config.yaml` encryption config file to each controller
			`instance:`
update docs 2017-08-29 00:19:25 +03:00
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			`scp encryption-config.yaml vagrant@controlplane:~/`
update docs 2017-08-29 00:19:25 +03:00			```

			`Next: [Bootstrapping the etcd Cluster](07-bootstrapping-etcd.md)`
chg: Hostnames In Documentation Continued Updated more references to old hostnames in the documentation to reflect the new naming convention. 2025-06-02 06:37:55 +03:00
			`---`

			`[encrypt]: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data`
			`[encryption config]: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration`