Etcd Volume Encryption

You must configure etcd volume encryption before bringing up your cluster. You cannot add etcd volume encryption to an already running cluster.

Encrypting Etcd Volumes Using the Default AWS KMS Key

Edit your cluster to add encryptedVolume: true to each etcd volume:

kops edit cluster ${CLUSTER_NAME}

  ...
  etcdClusters:
  - etcdMembers:
    - instanceGroup: master-us-east-1a
      name: a
      encryptedVolume: true
    name: main
  - etcdMembers:
    - instanceGroup: master-us-east-1a
      name: a
      encryptedVolume: true
    name: events
  ...

Update your cluster:

  kops update cluster ${CLUSTER_NAME}
  # Review changes before applying
  kops update cluster ${CLUSTER_NAME} --yes

Encrypting Etcd Volumes Using a Custom AWS KMS Key

Edit your cluster to add encryptedVolume: true and the kmsKeyId of your key (its full ARN) to each etcd volume:

kops edit cluster ${CLUSTER_NAME}

  ...
  etcdClusters:
  - etcdMembers:
    - instanceGroup: master-us-east-1a
      name: a
      encryptedVolume: true
      kmsKeyId: <full-arn-of-your-kms-key>
    name: main
  - etcdMembers:
    - instanceGroup: master-us-east-1a
      name: a
      encryptedVolume: true
      kmsKeyId: <full-arn-of-your-kms-key>
    name: events
  ...

Update your cluster:

  kops update cluster ${CLUSTER_NAME}
  # Review changes before applying
  kops update cluster ${CLUSTER_NAME} --yes
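Because encryption cannot be retrofitted onto a running cluster, it is worth confirming after the first kops update that every etcd EBS volume actually came up encrypted, and with the intended key in the custom-key case. The script below is an added example, not part of the kops documentation or the kops project: it audits the JSON that aws ec2 describe-volumes returns, covering both the default-key setup (encryption only) and the custom-key setup (encryption plus exact kmsKeyId match). It assumes that kops tags etcd volumes with KubernetesCluster=<cluster name> and a tag key of the form k8s.io/etcd/<etcd cluster name>, and that the AWS CLI is installed and configured; the embedded sample response and its key ARNs are constructed placeholders.

```python
"""Audit a kops cluster's etcd EBS volumes for encryption and KMS key.

Added example, not part of the kops documentation. It reads the JSON that
`aws ec2 describe-volumes` emits and flags etcd volumes that are unencrypted
or encrypted with a key other than the kmsKeyId you configured.
Assumptions: kops tags etcd volumes with KubernetesCluster=<cluster name> and
a tag key of the form k8s.io/etcd/<etcd cluster name>; the sample response
below is constructed, not captured from a real account.
"""
import json
import subprocess
import sys
from typing import List, Optional

ETCD_TAG_PREFIX = "k8s.io/etcd/"  # assumed kops tag key prefix on etcd volumes


def describe_volumes(cluster_name: str) -> dict:
    """Fetch volumes tagged for the cluster via the AWS CLI (assumed installed)."""
    out = subprocess.check_output([
        "aws", "ec2", "describe-volumes", "--output", "json",
        "--filters", f"Name=tag:KubernetesCluster,Values={cluster_name}",
    ])
    return json.loads(out)


def etcd_cluster_of(volume: dict) -> Optional[str]:
    """Return 'main', 'events', ... for an etcd volume, or None for other volumes."""
    for tag in volume.get("Tags", []):
        if tag["Key"].startswith(ETCD_TAG_PREFIX):
            return tag["Key"][len(ETCD_TAG_PREFIX):]
    return None


def audit(response: dict, expected_kms_arn: Optional[str] = None) -> List[str]:
    """Return one finding per non-compliant etcd volume; an empty list means pass.

    With expected_kms_arn=None only encryption is checked (default-key setup);
    with an ARN, each volume must also use exactly that key (custom-key setup).
    """
    findings = []
    for vol in response.get("Volumes", []):
        etcd = etcd_cluster_of(vol)
        if etcd is None:
            continue  # node root volumes and the like are out of scope here
        vid = vol["VolumeId"]
        if not vol.get("Encrypted", False):
            findings.append(f"{vid} ({etcd}): NOT encrypted")
            continue
        key = vol.get("KmsKeyId")
        if expected_kms_arn is not None and key != expected_kms_arn:
            findings.append(
                f"{vid} ({etcd}): encrypted with {key}, expected {expected_kms_arn}")
    return findings


# Constructed sample in describe-volumes shape (placeholder ARNs, not real keys).
CUSTOM_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-00000000aaaa"
DEFAULT_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-00000000bbbb"
SAMPLE = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": CUSTOM_KEY,
     "Tags": [{"Key": "KubernetesCluster", "Value": "example.k8s.local"},
              {"Key": "k8s.io/etcd/main", "Value": "a/a"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": DEFAULT_KEY,
     "Tags": [{"Key": "KubernetesCluster", "Value": "example.k8s.local"},
              {"Key": "k8s.io/etcd/events", "Value": "a/a"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False,
     "Tags": [{"Key": "KubernetesCluster", "Value": "example.k8s.local"},
              {"Key": "k8s.io/etcd/main", "Value": "b/a,b"}]},
    {"VolumeId": "vol-0ddd", "Encrypted": False,
     "Tags": [{"Key": "KubernetesCluster", "Value": "example.k8s.local"},
              {"Key": "k8s.io/role/node", "Value": "1"}]},
]}


if __name__ == "__main__":
    # Usage: python audit_etcd_volumes.py <cluster-name> [<expected-kms-key-arn>]
    if len(sys.argv) > 1:
        data = describe_volumes(sys.argv[1])
        expected = sys.argv[2] if len(sys.argv) > 2 else None
    else:
        data, expected = SAMPLE, CUSTOM_KEY  # offline demo on the constructed sample
    problems = audit(data, expected)
    print("\n".join(problems) if problems else "all etcd volumes compliant")
    sys.exit(1 if problems else 0)
```

Run it with the cluster name alone after the default-key setup, or with the cluster name and the same ARN you put in kmsKeyId after the custom-key setup; a non-zero exit with the offending volume IDs tells you which etcd volume to investigate before the cluster goes into use.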