k3s secrets-encrypt

K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.

Secrets Encryption Tool

Version Gate

Available as of v1.21.8+k3s1

K3s contains a CLI tool secrets-encrypt, which enables automatic control over the following:

  • Disabling/Enabling secrets encryption
  • Adding new encryption keys
  • Rotating and deleting encryption keys
  • Reencrypting secrets

Warning

Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution.

New Encryption Key Rotation (Experimental)

Version Gate

Available as of v1.28.1+k3s1. This new version of the tool uses the Kubernetes automatic config reloading feature, which is currently in beta. GA is expected in v1.29.0.

For older releases, see Encryption Key Rotation Classic.


To rotate secrets encryption keys on a single-server cluster:

  1. Start the K3s server with the flag --secrets-encryption

    Note

    Starting K3s without encryption and enabling it at a later time is currently not supported.

  2. Rotate secrets encryption keys

    k3s secrets-encrypt rotate-keys

  3. Wait for reencryption to finish. Watch the server logs, or wait for:

    $ k3s secrets-encrypt status
    Encryption Status: Enabled
    Current Rotation Stage: reencrypt_finished

To rotate secrets encryption keys on HA setups:

  1. Start up all three K3s servers with the --secrets-encryption flag. For brevity, the servers will be referred to as S1, S2, S3.

    Note

    Starting K3s without encryption and enabling it at a later time is currently not supported.

  2. Rotate secrets encryption keys on S1

    k3s secrets-encrypt rotate-keys

  3. Wait for reencryption to finish. Watch the server logs, or wait for:

    $ k3s secrets-encrypt status
    Encryption Status: Enabled
    Current Rotation Stage: reencrypt_finished

    Info

    K3s will reencrypt roughly 5 secrets per second. Clusters with a large number of secrets can take several minutes to reencrypt. You can track progress in the server logs.

  4. Restart K3s on S1 with the same arguments. If running K3s as a service:

    # If using systemd
    systemctl restart k3s
    # If using openrc
    rc-service k3s restart
  5. Once S1 is up, restart K3s on S2 and S3

Encryption Key Rotation Classic


To rotate secrets encryption keys on a single-server cluster:

  1. Start the K3s server with the flag --secrets-encryption

    Note

    Starting K3s without encryption and enabling it at a later time is currently not supported.

  2. Prepare

    k3s secrets-encrypt prepare

  3. Kill and restart the K3s server with the same arguments. If running K3s as a service:

    # If using systemd
    systemctl restart k3s
    # If using openrc
    rc-service k3s restart

  4. Rotate

    k3s secrets-encrypt rotate

  5. Kill and restart the K3s server with the same arguments

  6. Reencrypt

    Info

    K3s will reencrypt roughly 5 secrets per second.
    Clusters with a large number of secrets can take several minutes to reencrypt.

    k3s secrets-encrypt reencrypt

The steps are the same for both embedded DB and external DB clusters.

To rotate secrets encryption keys on HA setups:

  1. Start up all three K3s servers with the --secrets-encryption flag. For brevity, the servers will be referred to as S1, S2, S3.

    Notes

    • Starting K3s without encryption and enabling it at a later time is currently not supported.
    • While not required, it is recommended that you pick one server node from which to run the secrets-encrypt commands.

  2. Prepare on S1

    k3s secrets-encrypt prepare

  3. Kill and restart S1 with the same arguments. If running K3s as a service:

    # If using systemd
    systemctl restart k3s
    # If using openrc
    rc-service k3s restart

  4. Once S1 is up, kill and restart S2 and S3

  5. Rotate on S1

    k3s secrets-encrypt rotate

  6. Kill and restart S1 with the same arguments

  7. Once S1 is up, kill and restart S2 and S3

  8. Reencrypt on S1

    Info

    K3s will reencrypt roughly 5 secrets per second.
    Clusters with a large number of secrets can take several minutes to reencrypt.

    k3s secrets-encrypt reencrypt

  9. Kill and restart S1 with the same arguments

  10. Once S1 is up, kill and restart S2 and S3

Secrets Encryption Disable/Re-enable


After launching a server with --secrets-encryption flag, secrets encryption can be disabled.

To disable secrets encryption on a single-node cluster:

  1. Disable

    k3s secrets-encrypt disable

  2. Kill and restart the K3s server with the same arguments. If running K3s as a service:

    # If using systemd
    systemctl restart k3s
    # If using openrc
    rc-service k3s restart

  3. Reencrypt with flags

    k3s secrets-encrypt reencrypt --force --skip

To re-enable secrets encryption on a single-node cluster:

  1. Enable

    k3s secrets-encrypt enable

  2. Kill and restart the K3s server with the same arguments

  3. Reencrypt with flags

    k3s secrets-encrypt reencrypt --force --skip

After launching an HA cluster with the --secrets-encryption flag, secrets encryption can be disabled.

Note

While not required, it is recommended that you pick one server node from which to run the secrets-encrypt commands.

For brevity, the three servers used in this guide will be referred to as S1, S2, S3.

To disable secrets encryption on an HA cluster:

  1. Disable on S1

    k3s secrets-encrypt disable

  2. Kill and restart S1 with the same arguments. If running K3s as a service:

    # If using systemd
    systemctl restart k3s
    # If using openrc
    rc-service k3s restart

  3. Once S1 is up, kill and restart S2 and S3

  4. Reencrypt with flags on S1

    k3s secrets-encrypt reencrypt --force --skip

To re-enable secrets encryption on an HA cluster:

  1. Enable on S1

    k3s secrets-encrypt enable

  2. Kill and restart S1 with the same arguments

  3. Once S1 is up, kill and restart S2 and S3

  4. Reencrypt with flags on S1

    k3s secrets-encrypt reencrypt --force --skip

Secrets Encryption Status

The secrets-encrypt tool includes a status command that displays information about the current status of secrets encryption on the node.

An example of the command on a single-server node:

    $ k3s secrets-encrypt status
    Encryption Status: Enabled
    Current Rotation Stage: start
    Server Encryption Hashes: All hashes match
    Active  Key Type  Name
    ------  --------  ----
     *      AES-CBC   aescbckey

Another example on an HA cluster, after rotating the keys but before restarting the servers:

    $ k3s secrets-encrypt status
    Encryption Status: Enabled
    Current Rotation Stage: rotate
    Server Encryption Hashes: hash does not match between node-1 and node-2
    Active  Key Type  Name
    ------  --------  ----
     *      AES-CBC   aescbckey-2021-12-10T22:54:38Z
            AES-CBC   aescbckey

Details on each section are as follows:

  • Encryption Status: Displays whether secrets encryption is disabled or enabled on the node.
  • Current Rotation Stage: Indicates the current rotation stage on the node.
    Stages are: start, prepare, rotate, reencrypt_request, reencrypt_active, reencrypt_finished
  • Server Encryption Hashes: Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. It can be used to identify whether a restart of the servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration.
  • Key Table: Summarizes information about the secrets encryption keys found on the node.
    • Active: The "*" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets.
    • Key Type: All keys using this tool are AES-CBC type. See more info here.
    • Name: Name of the encryption key.
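The following script is an added example written for this page; it is not part of the K3s documentation or the K3s project. It ties together the procedures above: it parses the status output documented in this section, waits for a rotation stage (as the rotate-keys flow instructs), drives the classic prepare/rotate/reencrypt sequence and the disable/re-enable toggle across an HA cluster in the documented order (S1 first, then S2 and S3 once S1 is up), and refuses to move to the next stage while the Server Encryption Hashes line still reports a mismatch. Two things are this example's own choices rather than the page's: it waits for reencrypt_finished before the restart that follows the classic reencrypt step, and it assumes the servers are reachable over ssh as root under the hypothetical hostnames in SERVERS and run K3s under systemd. The two status samples are constructed to match the format shown above.

```shell
#!/bin/sh
# Added example, not K3s project code. Drives the secrets-encrypt procedures
# from the page across an HA cluster and gates each stage on matching hashes.
# Assumptions (not from the page): ssh as root to the hypothetical hosts in
# SERVERS; K3s managed by systemd. Override run_on to use another transport.

SERVERS="${SERVERS:-s1 s2 s3}"          # S1 is always the first entry
POLL_INTERVAL="${POLL_INTERVAL:-5}"      # seconds between status polls

# Constructed sample outputs in the documented `k3s secrets-encrypt status` format.
SAMPLE_STATUS_SYNCED='Encryption Status: Enabled
Current Rotation Stage: reencrypt_finished
Server Encryption Hashes: All hashes match
Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-10T22:54:38Z
        AES-CBC   aescbckey'

SAMPLE_STATUS_UNSYNCED='Encryption Status: Enabled
Current Rotation Stage: rotate
Server Encryption Hashes: hash does not match between node-1 and node-2
Active  Key Type  Name
------  --------  ----
 *      AES-CBC   aescbckey-2021-12-10T22:54:38Z
        AES-CBC   aescbckey'

# rotation_stage: print the "Current Rotation Stage" value from status text on stdin.
rotation_stage() { sed -n 's/^Current Rotation Stage: *//p'; }

# hashes_match: succeed only when the status text on stdin says all server hashes match.
hashes_match() { grep -q '^Server Encryption Hashes: All hashes match'; }

# run_on HOST CMD...: run a command on one server (ssh transport; replaceable).
run_on() { host="$1"; shift; ssh "root@$host" "$@"; }

first_server() { set -- $SERVERS; printf '%s\n' "$1"; }
other_servers() { set -- $SERVERS; shift; printf '%s\n' "$@"; }

# restart_k3s HOST: restart the service; the unit keeps the original arguments.
restart_k3s() { run_on "$1" systemctl restart k3s; }

# restart_all_in_order: restart S1 first, then S2 and S3 once S1 has returned.
restart_all_in_order() {
  restart_k3s "$(first_server)" || return 1
  for host in $(other_servers); do restart_k3s "$host" || return 1; done
}

# wait_for_stage HOST STAGE [TIMEOUT]: poll status on HOST until the stage matches.
wait_for_stage() {
  host="$1"; want="$2"; timeout="${3:-600}"; elapsed=0; current=""
  while [ "$elapsed" -lt "$timeout" ]; do
    current=$(run_on "$host" k3s secrets-encrypt status | rotation_stage)
    [ "$current" = "$want" ] && return 0
    sleep "$POLL_INTERVAL"; elapsed=$((elapsed + POLL_INTERVAL))
  done
  echo "timed out waiting for stage $want on $host (last seen: $current)" >&2
  return 1
}

# advance_stage SUBCOMMAND: run one classic stage on S1, restart every server in
# order, then require matching hashes before the caller proceeds. For reencrypt
# (about 5 secrets per second) wait for reencrypt_finished before restarting.
advance_stage() {
  s1=$(first_server)
  run_on "$s1" k3s secrets-encrypt "$1" || return 1
  if [ "$1" = reencrypt ]; then wait_for_stage "$s1" reencrypt_finished || return 1; fi
  restart_all_in_order || return 1
  run_on "$s1" k3s secrets-encrypt status | hashes_match || {
    echo "hashes still differ after '$1'; restart the lagging server before continuing" >&2
    return 1
  }
}

# rotate_classic_ha: the classic HA rotation, one gated stage at a time.
rotate_classic_ha() { advance_stage prepare && advance_stage rotate && advance_stage reencrypt; }

# toggle_encryption_ha disable|enable: the documented HA disable/re-enable sequence.
toggle_encryption_ha() {
  s1=$(first_server)
  run_on "$s1" k3s secrets-encrypt "$1" || return 1
  restart_all_in_order || return 1
  run_on "$s1" k3s secrets-encrypt reencrypt --force --skip
}
```

Source the file and call rotate_classic_ha or toggle_encryption_ha disable from an operator host; the hash gate is what turns the page's warning about skipped restarts into a hard stop, since advance_stage will not issue the next subcommand until status on S1 reports that every server carries the same encryption configuration.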