# Generating the Data Encryption Config and Key

Kubernetes stores a variety of data including cluster state, application configurations, and secrets. Kubernetes supports the ability to [encrypt](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data) cluster data at rest.

In this chapter, you will generate an encryption key and an [encryption config](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration) suitable for encrypting Kubernetes Secrets.

**All procedures in this chapter should be done in `client-1`.**


## The Encryption Key

Generate an encryption key:

```
$ ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
```

## The Encryption Config File

Create the `encryption-config.yaml` encryption config file:

```
$ cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
```

Copy the `encryption-config.yaml` encryption config file to each controller node:

```
$ USERNAME=<User Name of Virtual Machines>
$ for num in 1 2 3; do
  scp -i ~/.ssh/id_rsa-k8s.pub encryption-config.yaml ${USERNAME}@10.240.0.1${num}:~/
done
```

Next: [Bootstrapping the etcd Cluster](07-bootstrapping-etcd.md)