Skip to main content

Generating a Data Encryption Config for Kubernetes

Hands-On Lab

 

Photo of Will Boyd

Will Boyd

DevOps Team Lead in Content

Length

01:00:00

Difficulty

Intermediate

Kubernetes offers the ability to encrypt sensitive data at rest. In order to take advantage of this feature, it is necessary to generate an encryption key and a data encryption config. In this learning activity, you will learn how to generate an encryption key and a data encryption config file for Kubernetes.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Generating a Data Encryption Config for Kubernetes

Introduction

Kubernetes offers the ability to encrypt sensitive data at rest. In order to take advantage of this feature, it is necessary to generate an encryption key and a data encryption config. In this hands-on lab, you will learn how to generate an encryption key and a data encryption config file for Kubernetes.

Log In to the Environment

We'll start by logging in to the Workspace server.

  1. Navigate to the lab instructions page, and copy the public IP address for the Workspace server to your clipboard.
  2. Open your terminal application and run the following command (remember to replace the placeholder with the actual public IP address of the Workspace server):
    ssh cloud_user@<PUBLIC_IP_ADDRESS>
  3. Type yes at the prompt.
  4. Enter your password from the lab instructions page when prompted.

We are now successfully logged in to the environment.

Generate an Encryption Key and Include It in a Kubernetes Data Encryption Config File

The first step is to create an encryption key. We will also set it to an environment variable so we can include the encryption key in our config file.

  1. Run the following command to generate the random string we'll use for our encryption key:
    ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
  2. Use the echo command to view the random string we just generated.
    echo $ENCRYPTION_KEY
  3. Then, use the following command to generate our config file:
    cat > encryption-config.yaml << EOF
    kind: EncryptionConfig
    apiVersion: v1
    resources:
    - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
    EOF

Copy the File to the Kubernetes Controller Servers

The next step is to copy encryption-config.yaml to each Kubernetes controller server.

  1. Go back to the lab instructions page, and copy the public IP address for Controller 0.
  2. Then run the following command (be sure to replace the placeholder with the actual IP address of Controller 0):
    scp encryption-config.yaml cloud_user@<CONTROLLER0_PUBLIC_IP>:~/
  3. Type yes at the prompt.
  4. Enter your password when prompted.
  5. Then, run the following command to copy the encryption config file to the Controller 1 server (be sure to replace the placeholder with the actual IP address of Controller 1:
    scp encryption-config.yaml cloud_user@<CONTROLLER1_PUBLIC_IP>:~/
  6. Type yes at the prompt.
  7. Enter your password when prompted.

Conclusion

Congratulations, you've successfully completed this lab!