Encryption in Managed Service for Kubernetes
Yandex Cloud adopts many information security measures. They include multi-level encryption of Managed Service for Kubernetes data:
- Data at rest is encrypted with system keys when it is written to Yandex Cloud storage. This protects your data from compromise in the event of physical disk theft from Yandex Cloud data centers.
- Data in transit is encrypted with the TLS protocol. The keys used for TLS are stored on the hosts running the protocol. This protects the data against interception.
The following cryptographic algorithms are used:
- Symmetric: AES, ChaCha.
- Asymmetric: RSA, Ed25519.
The minimum used key length is 128 bits for symmetric encryption algorithms, and 2048 bits for asymmetric encryption algorithms.
Yandex Cloud provides management for these keys.
You can also encrypt Kubernetes secrets using a symmetric encryption key stored in Yandex Key Management Service.
Such a key is managed on the user side, which provides additional capabilities:
- Auditing events related to the key usage with Yandex Audit Trails.
- Tracking operations with keys using Yandex Monitoring.
- Operations with keys, such as rotation, modification, deactivation, and deletion.
- Granular management of access permissions to the key at the level of individual Yandex Cloud accounts.
- Using a hardware security module (HSM) when needed.
Note
In Managed Service for Kubernetes, a Yandex Cloud service account is called a cloud service account to avoid confusion with a Kubernetes service account.
Encrypting Kubernetes secrets
A Kubernetes secret
By default, cluster secrets are stored unencrypted. If you specified an encryption key when creating a Managed Service for Kubernetes cluster, the cluster secrets are encrypted with it.
Warning
You can specify an encryption key only when creating a cluster.
If you need to use another key, create a new cluster with that key.
The encryption process of an individual secret runs as follows:
- Kubernetes encrypts the secret using the KMS provider.
- During the encryption process, the KMS provider accesses the KMS plugin, which makes it possible to use the encryption key you specified when creating the cluster.
  This encryption key is not used to encrypt secrets directly. Instead, the envelope encryption algorithm involving the key is used. For a general description of the algorithm, see Envelope encryption.
- During the encryption process, the KMS plugin works with Yandex Key Management Service, where the encryption key is stored.
This plugin, as well as the provider that uses it, is already installed and properly configured in the Managed Service for Kubernetes cluster.
Secrets are decrypted in a similar way.
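How envelope encryption keeps the KMS key one step away from the secret, as an added Go example that is not Yandex Cloud's plugin code: a per-secret data encryption key (DEK) encrypts the secret, and the Key Management Service key (stood in for here by a locally held kek) only wraps that DEK. The AES-GCM construction, the 256-bit DEK size and the stored record layout are assumptions of this example, not details of the Managed Service for Kubernetes KMS plugin.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what gets stored per secret (assumed layout): the DEK wrapped by the KMS key, and the secret encrypted under that DEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// must turns setup failures (bad key length, no randomness) into panics: every key here is generated at a fixed length, so they cannot occur at runtime.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead builds AES-GCM for a 128-, 192- or 256-bit key (AES is the symmetric cipher the page lists).
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts plaintext under key with a fresh random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// EnvelopeEncrypt: a fresh 256-bit DEK encrypts the secret; the KMS key (kek) only wraps that DEK and never touches the secret, and the plaintext DEK is discarded.
func EnvelopeEncrypt(kek, secret []byte) Envelope {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return Envelope{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, secret)}
}

// EnvelopeDecrypt unwraps the DEK with the KMS key, then decrypts the secret.
func EnvelopeDecrypt(kek []byte, e Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
```

Rotating the KMS key in this model means re-wrapping the small DEKs, not re-encrypting every secret, which is why the page describes rotation as a key operation rather than a cluster operation.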