Encrypting Secrets in Amazon EKS

In this talk, Paavan Mistry explains how to encrypt Kubernetes secrets at rest in etcd on Amazon EKS. By default, Kubernetes stores secrets only base64-encoded - not encrypted - so anyone who gains access to the API server or to etcd can read them in the clear. The talk shows how to use AWS KMS envelope encryption to protect secrets at rest, which is an easy win for anyone running EKS in production.

• Kubernetes
• AWS
• Security