Enabling Disk Encryption
The scripts used in this guide are the same as those downloaded at the beginning of the cluster deployment pages for AWS and GCP.
Run the following command to enable AES 256 disk encryption for your cluster, from where the cluster VPC is accessible:
Caution: Enabling encryption will delete all existing data. It will then set up the cluster for encryption on disk and will automatically restart the cluster.
enable-disk-encryption
This command generates a master key and a data encryption key for you. The master key encrypts the data encryption key, which in turn encrypts the data on disk. If you'd like to provide your own master key via a key management system, see the next section.
Bring Your Own Key (BYOK) Encryption
At the moment, this BYOK encryption is only supported for GKE clusters created in GCP and AKS clusters created in Azure.
Prerequisites for setting up encryption at rest
You must set up the following before setting up encryption at rest with a master key provided via Google Cloud KMS:
Key Ring in the same region as the cluster
Key to be used as master key, created in the above Key Ring
A Service Account with permission to perform kms-encryption/kms-decryption with that key on behalf of the cluster.
At a minimum the Service Account should have the following roles: roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.viewer (see KMS Permissions and Roles)
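Before enabling BYOK encryption at rest, it is worth verifying that the prerequisites above actually hold: the key ring is in the cluster's region and the service account holds the three minimal roles and nothing broader. The following script is an added example, not part of this guide or its scripts. It takes IAM policy documents in the JSON shape returned by `gcloud kms keys get-iam-policy ... --format=json` and `gcloud projects get-iam-policy ... --format=json` (the viewer role is commonly granted at project level, so both policies are merged), and the sample policies, project id, key name and service account address embedded below are constructed for illustration. Treating `roles/cloudkms.cryptoKeyEncrypterDecrypter` as satisfying both the encrypter and decrypter requirements is an assumption based on that role's documented purpose.

```python
"""Least-privilege check for the Cloud KMS setup used as a BYOK master key.

Added example: verifies key-ring location and service-account roles from
IAM policy JSON. Sample policies below are constructed, not from any real project.
"""
import json

REQUIRED_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.viewer",
}
# The combined role is assumed to cover both single-purpose roles.
COMBINED_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
# Roles that grant far more than encrypt/decrypt on the key; flagged if present.
OVERBROAD_ROLES = {"roles/cloudkms.admin", "roles/owner", "roles/editor"}


def key_location(key_resource):
    """Extract the location from a full cryptoKey resource name, or None."""
    parts = key_resource.split("/")
    try:
        return parts[parts.index("locations") + 1]
    except (ValueError, IndexError):
        return None


def check_kms_prerequisites(policies, key_resource, cluster_region, service_account):
    """Return a list of findings; an empty list means the prerequisites hold."""
    findings = []
    location = key_location(key_resource)
    if location is None:
        return [f"cannot parse key resource name: {key_resource}"]
    if location != cluster_region:
        findings.append(
            f"key ring location {location!r} differs from cluster region {cluster_region!r}")

    member = f"serviceAccount:{service_account}"
    granted = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if member in binding.get("members", []):
                granted.add(binding["role"])

    effective = set(granted)
    if COMBINED_ROLE in granted:
        effective |= {"roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyDecrypter"}
    for role in sorted(REQUIRED_ROLES - effective):
        findings.append(f"missing role {role}")
    for role in sorted(granted & OVERBROAD_ROLES):
        findings.append(f"over-broad role {role} granted; least privilege violated")
    return findings


# Constructed sample inputs (placeholder project, key and service account).
KEY_RESOURCE = ("projects/example-project/locations/us-central1/"
                "keyRings/cluster-ring/cryptoKeys/cluster-master-key")
SERVICE_ACCOUNT = "cluster-kms@example-project.iam.gserviceaccount.com"

KEY_POLICY_OK = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypter",
     "members": ["serviceAccount:cluster-kms@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["serviceAccount:cluster-kms@example-project.iam.gserviceaccount.com"]}
  ]
}""")
PROJECT_POLICY_OK = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.viewer",
     "members": ["serviceAccount:cluster-kms@example-project.iam.gserviceaccount.com"]}
  ]
}""")
# Wrong setup: decrypter and viewer missing, admin granted instead.
KEY_POLICY_BAD = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypter",
     "members": ["serviceAccount:cluster-kms@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.admin",
     "members": ["serviceAccount:cluster-kms@example-project.iam.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    for label, policies, region in (
        ("good setup", [KEY_POLICY_OK, PROJECT_POLICY_OK], "us-central1"),
        ("bad setup", [KEY_POLICY_BAD], "europe-west1"),
    ):
        result = check_kms_prerequisites(policies, KEY_RESOURCE, region, SERVICE_ACCOUNT)
        print(label, "->", "OK" if not result else result)
```

Run it with the real policy JSON fetched by the two `gcloud ... get-iam-policy` commands and the region the cluster is deployed in; any non-empty result should be fixed before running the encryption setup command, since that command wipes the cluster's data and a mis-scoped key or service account is discovered at the worst possible moment.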
To create a new cluster with encryption at rest
You can use the following command to create a brand new cluster with encryption at rest enabled:
To enable encryption at rest for a cluster that is already created
You can use the following command to enable encryption at rest. Please note that this step will remove all existing data on the cluster.