How secret encryption works on high level? #10796
Closed
giovannicandido started this conversation in General
Replies: 1 comment
At-rest encryption of Kubernetes resources is core Kubernetes functionality, not something custom to K3s. Because it is not something implemented in our project, we don't cover it in our docs. You can find the upstream docs here:
Hi, how does the secret encryption at rest work? Where does it store the keys?
I think the purpose of encrypting the secrets is to make it hard for someone in the cloud to get eyes on your information: if someone with root access to the servers gets into it while it is shut down or restarted, or if the disk is rotated and reused by some other customer (cheap dedicated servers), the information is impossible to read.
Kubernetes secrets are just plain base64 encoded, so nothing special here. But what about this feature? How does it get and store its keys?
For example, HashiCorp Vault has documented it well and is damn secure, but if we get secrets from the vault and add them to Kubernetes, the storage of these secrets will be performed in etcd in plain text, so using encryption at the Kubernetes level is a must for the security of secrets; otherwise it has no difference from a ConfigMap.
I know that some cloud providers do this on a high-security degree, storing private keys in HSM and performing cryptography in memory only. Oracle Cloud has well-documented Kubernetes-managed services that do exactly this transparently.
It's very good to have an out-of-the-box solution, but not documenting it, or not allowing the storage of private keys to be pluggable, makes me wonder about the level of security that this feature is bringing to the table.
Thanks.
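The check a practitioner wants after this thread, added here as an example and not code from the discussion or from the K3s project: classify the raw bytes the API server stored for a Secret by the prefix that the upstream Kubernetes encryption providers write in front of ciphertext, so an encrypted record can be told apart from a plaintext one when auditing a datastore dump. The sample store contents are constructed, the `/registry/...` key layout helper and the note about k3s' kine/SQLite backend holding the same value bytes are assumptions.

```python
from __future__ import annotations

STORAGE_PREFIX = "/registry"

# Prefixes the upstream kube-apiserver encryption providers write before ciphertext.
ENCRYPTION_PREFIXES = {
    b"k8s:enc:aescbc:v1:": "aescbc",
    b"k8s:enc:aesgcm:v1:": "aesgcm",
    b"k8s:enc:secretbox:v1:": "secretbox",
    b"k8s:enc:kms:v1:": "kms-v1",
    b"k8s:enc:kms:v2:": "kms-v2",
}

def storage_key(resource: str, namespace: str, name: str) -> str:
    """Datastore key for a namespaced resource, e.g. /registry/secrets/ns/name (assumed layout)."""
    return f"{STORAGE_PREFIX}/{resource}/{namespace}/{name}"

def classify_stored_value(raw: bytes) -> tuple[str, str | None]:
    """Return ('encrypted', provider), ('plaintext', encoding) or ('unknown', None)."""
    for prefix, provider in ENCRYPTION_PREFIXES.items():
        if raw.startswith(prefix):
            return ("encrypted", provider)
    if raw.startswith(b"k8s\x00"):      # protobuf envelope written with no provider
        return ("plaintext", "protobuf")
    if raw.lstrip().startswith(b"{"):   # JSON envelope, also unencrypted
        return ("plaintext", "json")
    return ("unknown", None)

def find_unencrypted(store: dict[str, bytes]) -> list[str]:
    """Keys under /registry/secrets/ whose stored value carries no encryption prefix."""
    return sorted(
        key for key, raw in store.items()
        if key.startswith(f"{STORAGE_PREFIX}/secrets/")
        and classify_stored_value(raw)[0] != "encrypted"
    )

# Constructed sample of a datastore dump. With embedded etcd the real bytes come
# from `etcdctl get <key>`; with k3s' default SQLite/kine backend the same value
# bytes are assumed to sit in kine's table.
SAMPLE_STORE = {
    storage_key("secrets", "default", "db-creds"): b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret",
    storage_key("secrets", "vault", "token"): b"k8s:enc:aescbc:v1:key1:" + bytes(range(16)),
    storage_key("configmaps", "default", "app"): b"k8s\x00\n\x0f\n\x02v1\x12\tConfigMap",
}

if __name__ == "__main__":
    for key in find_unencrypted(SAMPLE_STORE):
        print("NOT ENCRYPTED:", key)
```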