
I have a toy Kubernetes cluster with Encryption at rest enabled using the aes-256-cbc provider; I have not used any vault here for KMS, to simulate the problem. This means the encryption key is in a plain text file on the master node.

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: c2VjcmV0IGlzIHNlY3VyZQ==
      - identity: {}

Assuming the encryption key c2VjcmV0IGlzIHNlY3VyZQ== is leaked, is there any chance to decrypt the secrets stored in the etcd?

Example:

Secret creation:

k create secret generic secret1-no-encryption --from-literal foo="admin@123"
secret/secret1-no-encryption created

Reading the secret from etcd when it's NOT encrypted:

sudo ETCDCTL_API=3 etcdctl --endpoints https://192.168.122.191:2379 --cert=/etc/ssl/etcd/ssl/node-test-kube-controller-1.pem --key=/etc/ssl/etcd/ssl/node-test-kube-controller-1-key.pem --cacert=/etc/ssl/etcd/ssl/ca.pem get /registry/secrets/default/secret1-no-encryption
/registry/secrets/default/secret1-no-encryption
k8s

v1Secret▒
▒
secret1-no-encryptiondefault"*$3d45ddaa-2e34-4605-92d2-ad2ad31592692▒▒▒▒`
kubectl-createUpdatev▒▒▒FieldsV1:,
*{"f:data":{".":{},"f:foo":{}},"f:type":{}}B
foo     admin@123Opaque"

Attempt to read secret when the etcd is encrypted:

sudo ETCDCTL_API=3 etcdctl --endpoints https://192.168.122.191:2379 --cert=/etc/ssl/etcd/ssl/node-test-kube-controller-1.pem --key=/etc/ssl/etcd/ssl/node-test-kube-controller-1-key.pem --cacert=/etc/ssl/etcd/ssl/ca.pem get /registry/secrets/default/secret2-with-encryption
/registry/secrets/default/secret2-with-encryption
k8s:enc:aescbc:v1:key1:n%-▒▒▒▒▒Ԩ▒qB▒x'V▒F▒y`l▒_X▒n
                                                  8#EEg▒!▒▒Mnk▒S▒▒KQ▒▒F▒NyJ▒$▒J▒▒Q`▒3m▒▒_▒▒U▒!7ZP▒bm▒x▒▒▒\▒{▒)e▒4▒Q-L▒#▒▒▒ձ▒<8▒▒ndd}Ҏ▒|1k▒▒>▒▒▒J▒R▒.▒▒c▒mɹ▒Q▒D▒▒Z▒▒H▒4▒~.▒F▒▒j▒▒C▒י%▒▒8▒▒▒8▒ޥE`Kp;▒%▒▒/e▒▒▒▒{.m▒c͍.˻▒▒1▒▒▒ݑ=u▒{▒▒~▒KP▒▒v7ϋ'▒{d]#
                     +▒<M

Question:

Is knowledge of the encryption key enough to decrypt the etcd contents? If just the encryption key is not enough to decrypt the content (perhaps an IV is required), why bother using KMS (except for key rotation)? Is there any way the IV can also be leaked?

Is it authoritatively safe to say just the key leak could not cause the decryption of the etcd contents?

  • The encryption key leak will not cause the decryption of the "etcd" contents directly as it has many security layers but it will act as a tool which can cause a data breach and spread malware. – Kiran Kotturi Mar 02 '23 at 11:56
  • "_Is it authoritatively safe to say just the key leak could not cause the decryption of the `etcd` contents?_" someone would also need the database entries and be able to decrypt them like in [How can I encrypt / decrypt AES-256 CBC with OpenSSL?](https://superuser.com/a/1361462/754490) or [How to use OpenSSL to encrypt/decrypt files?](https://stackoverflow.com/a/16056298/6771046). – U880D Aug 26 '23 at 06:24
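On the IV question raised in the post: the aescbc provider does not keep the IV anywhere secret; it writes a fresh random IV as the first block of the etcd value, right behind the `k8s:enc:aescbc:v1:key1:` prefix visible in the etcdctl output, so the key alone is all that stands between the database file and the plaintext, which is exactly why envelope encryption with a KMS (key never on the node's disk) matters beyond rotation. The Go example below is added here and is not Kubernetes code: it reimplements that storage layout (prefix, 16-byte IV, AES-CBC, PKCS#7 padding, modelled on the upstream transformer) with the key from the configuration above; the function names are the example's own.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)
// Prefix the aescbc provider writes before each value (the readable part of the etcdctl output above); "key1" is the key name.
const storagePrefix = "k8s:enc:aescbc:v1:key1:"
// The key from the page's EncryptionConfiguration; it base64-decodes to 16 bytes, i.e. AES-128.
const configuredKey = "c2VjcmV0IGlzIHNlY3VyZQ=="
// keyFromConfig decodes the secret as the API server does before using it as the AES key.
func keyFromConfig() ([]byte, error) { return base64.StdEncoding.DecodeString(configuredKey) }
// encryptForStorage mimics the provider's layout: PKCS#7 pad, random IV, AES-CBC, IV stored as the first block after the prefix.
func encryptForStorage(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	n := bs - len(plaintext)%bs
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, bs+len(padded))
	if _, err = rand.Read(out[:bs]); err != nil { // IV occupies the first block
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	return append([]byte(storagePrefix), out...), nil
}

// decryptFromStorage needs only the key: the IV is read back from the stored value, so key confidentiality alone protects etcd.
func decryptFromStorage(key, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs, body := block.BlockSize(), bytes.TrimPrefix(stored, []byte(storagePrefix))
	if len(body) == len(stored) || len(body) < 2*bs || len(body)%bs != 0 {
		return nil, errors.New("not a well-formed aescbc storage value")
	}
	plain := make([]byte, len(body)-bs)
	cipher.NewCBCDecrypter(block, body[:bs]).CryptBlocks(plain, body[bs:])
	n := int(plain[len(plain)-1]) // PKCS#7: last byte is the pad length
	if n == 0 || n > bs || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	return plain[:len(plain)-n], nil
}
```

Note that CBC here carries no authentication tag, so a value tampered with on disk is only caught if the padding happens to break; the aesgcm and KMS providers add integrity as well as confidentiality.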

0 Answers