2

In the case of cloud-managed Kubernetes, whether AWS EKS, Azure AKS or Google GKE, the option to use a customer-managed key always comes at the cost of storing the customer master key in the cloud provider's own vault/KMS (e.g. AWS KMS or Azure Key Vault). In this case the cloud provider still has access to the customer's encryption key (or at least it resides in the cloud environment).

What would be an ideal implementation for deploying the application in a k8s environment and encrypting the storage with a customer-provided key, where knowledge of the keys is only on the customer side, i.e. not stored anywhere inside the cloud provider, due to privacy concerns?

devcloud
  • If the cloud provider can't have the secret, and the cluster can't have the secret, how does the pod get it? What storage do you specifically want to be encrypted? – David Maze Jul 29 '20 at 13:39
  • @DavidMaze Thank you for the reply. I want to have a dedicated app instance per client so that each of my client companies will also have separate storage. In such a scenario, only the client should be able to encrypt/decrypt the storage used by its specific app. What would be an optimal solution for deploying this such that I have the Kubernetes admin control but the keys are provided by the customer? – devcloud Jul 29 '20 at 13:42
  • @DavidMaze Or what would be the optimal implementation such that I have as little knowledge about the keys as possible and the client has the most? Something close to zero-knowledge encryption. – devcloud Jul 29 '20 at 14:07

1 Answer

1

You could use a third-party Kubernetes storage provider like Portworx that will take you across clusters and keep data encrypted. https://docs.portworx.com/portworx-install-with-kubernetes/storage-operations/create-pvcs/create-encrypted-pvcs/

Illusionist
  • So this means Portworx would allow using client-managed keys for encrypting/decrypting the storage used by the client app inside my k8s cluster? – devcloud Jul 29 '20 at 13:46
  • I think so; please confirm. You can just ask their solutions engineer and they will demo it for you. – Illusionist Jul 30 '20 at 14:36
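One way to make David Maze's question concrete ("how does the pod get it?"), as an added example that is not part of the post or of Portworx: envelope encryption in which the customer holds a key-encryption key (KEK) and the cluster persists only a wrapped per-tenant data-encryption key (DEK) plus ciphertext. The pod obtains the plaintext DEK at start-up from the customer over an out-of-band channel and keeps it in memory only, so nothing at rest in the cloud is decryptable by the operator. The HMAC-SHA256 stream cipher, `CustomerKeyHolder`, `TenantVolume` and `simulate_tenant` are assumptions made so the file runs on the Python standard library; a real deployment would use AES-GCM from a crypto library with the same division of roles.

```python
"""Envelope-encryption model for tenant storage where the customer keeps the KEK.

Constructed example. The authenticated cipher below is built from HMAC-SHA256 so the
file needs only the standard library; it stands in for AES-GCM. All names are assumed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: concatenated HMAC(enc_key, nonce || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or altered data raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class CustomerKeyHolder:
    """Runs on the customer's side; the KEK never leaves this object."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def provision_tenant(self) -> tuple[bytes, bytes]:
        # Fresh per-tenant DEK; only the wrapped form is handed to the cluster to store.
        dek = secrets.token_bytes(32)
        return dek, seal(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        # Called at pod start over an out-of-band channel; result lives in pod memory only.
        return open_(self._kek, wrapped_dek)


class TenantVolume:
    """What the cluster/cloud persists: the wrapped DEK plus ciphertext, nothing else."""

    def __init__(self, wrapped_dek: bytes) -> None:
        self.wrapped_dek = wrapped_dek
        self.blocks: list[bytes] = []

    def write(self, dek: bytes, data: bytes) -> None:
        self.blocks.append(seal(dek, data))

    def read(self, dek: bytes, index: int) -> bytes:
        return open_(dek, self.blocks[index])

    def persisted_bytes(self) -> bytes:
        # Everything an operator with disk or etcd access could see.
        return self.wrapped_dek + b"".join(self.blocks)


def simulate_tenant() -> dict:
    """Walk one tenant through provisioning, a write, and a read after a pod restart."""
    customer = CustomerKeyHolder()
    dek, wrapped = customer.provision_tenant()
    volume = TenantVolume(wrapped)                  # cluster keeps only the wrapped DEK
    volume.write(dek, b"tenant-A patient records")  # constructed sample data
    del dek                                         # pod restarts: in-memory DEK is gone
    dek_again = customer.unwrap(volume.wrapped_dek) # customer releases it again
    recovered = volume.read(dek_again, 0)
    at_rest = volume.persisted_bytes()
    return {
        "roundtrip_ok": recovered == b"tenant-A patient records",
        "dek_at_rest": dek_again in at_rest,         # False: only the wrapped form is stored
        "plaintext_at_rest": b"patient" in at_rest,  # False
    }


def operator_without_kek_fails() -> bool:
    """A cluster admin holding the wrapped DEK but not the KEK cannot unwrap it."""
    customer = CustomerKeyHolder()
    _, wrapped = customer.provision_tenant()
    try:
        open_(secrets.token_bytes(32), wrapped)     # any key other than the KEK
    except ValueError:
        return True
    return False
```

The residual trust point is the running pod: anyone who can read its memory or inject code into it sees the DEK, so this design bounds what the cloud holds at rest rather than removing the operator from the trust boundary entirely. Rotating the KEK means re-wrapping each tenant's DEK, not re-encrypting the data, which is the practical reason for the two-level split.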