© 2025 Direct Cursus Technology L.L.C.

Encryption in Managed Service for Kubernetes

Written by Yandex Cloud
Updated on May 5, 2025
  • Encrypting Kubernetes secrets
  • Use cases
  • See also

Yandex Cloud applies many information security measures. They include multi-level encryption of Managed Service for Kubernetes data:

  • Data is encrypted using system keys when it is placed in Yandex Cloud storage. This protects your data from being compromised if disks are physically stolen from Yandex Cloud data centers.
  • Data is encrypted when transmitted over the network using the TLS protocol. The keys used for TLS are stored on hosts running the protocol. This ensures that the data is protected against interception.

The following cryptographic algorithms are used:

  • Symmetric: AES, ChaCha.
  • Asymmetric: RSA, Ed25519.

The minimum key length used is 128 bits for symmetric encryption algorithms and 2048 bits for asymmetric encryption algorithms.

Yandex Cloud manages these keys.

You can also encrypt Kubernetes secrets using a symmetric encryption key stored in Yandex Key Management Service.

Such a key is managed on the user side, which gives you additional capabilities:

  • Auditing events related to the key usage with Yandex Audit Trails.

  • Tracking operations with keys using Yandex Monitoring.

  • Operations with keys, such as rotation, modification, deactivation, and deletion.

  • Granular management of access permissions to the key at the level of individual Yandex Cloud accounts.

  • Using a hardware security module (HSM) when needed.

    Note

    In Managed Service for Kubernetes, a Yandex Cloud service account is called a cloud service account to avoid confusion with a Kubernetes service account.

Encrypting Kubernetes secrets

A Kubernetes secret is sensitive information a Kubernetes cluster uses when managing pods, such as OAuth keys, passwords, or SSH keys.

By default, cluster secrets are stored unencrypted. If you specify an encryption key when creating a Managed Service for Kubernetes cluster, the cluster's secrets are encrypted.

Warning

You can specify an encryption key only when creating a cluster.

If you need to use another key, create a new cluster with that key.

The encryption process of an individual secret runs as follows:

  1. Kubernetes encrypts the secret using the KMS provider.

  2. During the encryption process, the KMS provider calls the KMS plugin, which gives access to the encryption key you specified when creating the cluster:

    This encryption key does not encrypt secrets directly. Instead, envelope encryption is used, with this key as the key-encryption key.

    For a general description of the algorithm, see Envelope encryption.

  3. During the encryption process, the KMS plugin works with Yandex Key Management Service where the encryption key is stored.

    Both this plugin and the provider that uses it are preinstalled and configured in the Managed Service for Kubernetes cluster.

Secrets are decrypted in a similar way.

Use cases

  • Encrypting secrets in Managed Service for Kubernetes

  • Installing an NGINX Ingress controller with a Yandex Certificate Manager certificate

  • Syncing with Yandex Lockbox secrets

See also

  • Installing HashiCorp Vault with Key Management Service support
  • Using HashiCorp Vault to store secrets
  • Encrypting secrets in Managed Service for Kubernetes
  • Installing the External Secrets Operator with Yandex Lockbox support
  • Syncing with Yandex Lockbox secrets
