encryptionkuberneteskubernetes-security

How to encrypt actual storage/volume being used by Kubernetes pods using client managed keys(least/zero knowledge of keys on the provider side)?

I want to have a per client namespace and storage in my kubernetes environment where a dedicated instance of app runs per client and only client should be able to encrypt/decrypt the storage being used by that particular client's app. I have seen hundreds of examples on secrets encryption in kubernetes environment but struggling to achieve actual storage encryption that is controlled by the client. is it possible to have a storage encryption in K8s environment where only client has the knowledge of encryption keys (and not the k8s admin) ?

Solution

  • The only thing that comes to my mind as suggested already in the comment is hashicorp vault.

    Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

    Some of the features that you might to check out:

    1. API driven interface
      You can access all of its features programatically due to HTTP API. In addition, there are several officially supported libraries for programming languages (Go and Ruby). These libraries make the interaction with the Vault’s API even more convenient. There is also a command-line interface available.
    2. Data Encryption
      Vault is capable of encrypting/decrypting data without storing it. The main implication from this is if an intrusion occurs, the hacker will not have access to real secrets even if the attack is successful.
    3. Dynamic Secrets
      Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up. This means that the secret does not exist until it is read.
    4. Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
    5. Convenient Authentication
      Vault supports authentication using tokens, which is convenient and secure.

    Vault can also be customized and connected to various plugins to extend its functionality. This all can be controlled from web graphical interface.