Skip to content

Commit

Permalink
Merge pull request #12128 from spzala/automated-cherry-pick-of-#12012…
Browse files Browse the repository at this point in the history 
…-upstream-release-3.3

Automated cherry pick of #12012
  • Loading branch information
@spzala
spzala committed Jul 13, 2020
2 parents bfc2267 + 604be01 commit b16bfbe
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions Documentation/op-guide/security.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -426,8 +426,14 @@ Make sure to sign the certificates with a Subject Name the member's public IP ad

The certificate needs to be signed for the member's FQDN in its Subject Name, use Subject Alternative Names (short IP SANs) to add the IP address. The `etcd-ca` tool provides `--domain=` option for its `new-cert` command, and openssl can make [it][alt-name] too.

### Does etcd encrypt data stored on disk drives?
No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to encrypt data stored on etcd, there are some options:
* Let client applications encrypt and decrypt the data
* Use a feature of underlying storage systems for encrypting stored data like [dm-crypt]

[cfssl]: https://github.com/cloudflare/cfssl
[tls-setup]: ../../hack/tls-setup
[tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md
[alt-name]: http://wiki.cacert.org/FAQ/subjectAltName
[auth]: authentication.md
[dm-crypt]: https://en.wikipedia.org/wiki/Dm-crypt

0 comments on commit b16bfbe

Please sign in to comment.