
The end goal I'm trying to achieve is to create a Kubernetes secret (potentially with a key) and a pod which uses it. But the catch is that the pod created should not be able to decode/decrypt the secret value without a particular key. I have tried secrets with data encryption at rest, but that's not sufficient for my requirement.

Preetham

2 Answers

Edit: I am trying to make this a step-by-step solution (as asked by @Dawid in the comments).

  1. Encrypt your data using your-key (your encryption logic, probably in a script).

    ./encrypt.sh --key your-key --data your-data

  2. Create a secret of this encrypted data.

    kubectl create secret generic your-secret-name --from-literal=secretdata=your-encrypted-data

  3. You could add decryption logic like this in your pod (either as a sidecar or an initContainer).

    # decrypt.sh will decode base64, then run your decryption logic using your-key
    ./decrypt.sh --key your-key --data /var/my-secrets

  4. Also you need to mount this secret as a volume in your container.

    spec:
      containers:
      - image: "image"
        name: app
        ...
        volumeMounts:
          - mountPath: "/var/my-secrets"
            name: my-secret
      volumes:
        - name: my-secret
          secret:
            secretName: your-secret-name
Kiran
  • Tried both the approach of the secret volumes and as environment variables, but those will be encoded as base64 and anyone who has access to the pod can access the secret in plain text. – Preetham Feb 21 '21 at 17:00
  • You could try this: 1. encrypt data using your key; 2. create a secret of that new data; 3. in your decryption logic, first decode base64, then decrypt using your key. – Kiran Feb 21 '21 at 17:03
  • Thanks for the pathway; using OpenSSL I was able to achieve the task I wanted. – Preetham Feb 22 '21 at 11:56
  • Hello, as you've pointed to the comment that led to the solution, could you please edit your existing answer to include it in there? @Preetham, I'm glad that you've managed to solve your issue; please consider creating your own answer with the steps that you've taken to solve your question. – Dawid Kruk Feb 22 '21 at 16:49

As answered by @Kiran, here are the steps I followed to obtain the solution.

  1. Encrypt using openssl.

    echo -n "preetham" | openssl enc -e -aes-256-cbc -a -salt -pass pass:<PASSWORD>

  2. Created the secret from the YAML file preetham-secrets-test.yaml.

    apiVersion: v1
    kind: Secret
    metadata:
      name: preetham-secrets
    type: Opaque
    stringData: # Using stringData instead of data
      username: U2FsdGVkX18VsbQaVpeqrCCJCDEd3LCbefT6nupChvw=  # output from step 1
    
  3. Create the secret.

    kubectl apply -f preetham-secrets-test.yaml -n <NAMESPACE>

  4. Mount the secret as a volume and exec into the pod (Kubernetes reference).

  5. Inside the pod assuming the secret is mounted to /opt/mnt/secrets/.

    bash-4.2# cat /opt/mnt/secrets/username
    
    U2FsdGVkX18VsbQaVpeqrCCJCDEd3LCbefT6nupChvw=bash-4.2#
    
  6. Decrypt the same using openssl. (You may have to install openssl based on the image using

    bash-4.2# echo "U2FsdGVkX18VsbQaVpeqrCCJCDEd3LCbefT6nupChvw=" | openssl enc -d -aes-256-cbc -a -salt -pass pass:<PASSWORD>
    
    preethambash-4.2#
    
Preetham
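Both answers describe the same flow: encrypt a value with a key, store the ciphertext in a Secret, and decrypt only where the key is present. The script below is an added example (not code from either answer) that runs that flow end to end in POSIX shell so the two layers can be compared side by side: the API's base64 encoding, which anyone who can read the Secret object or the mounted file can undo, and the openssl encryption, which requires the key. Three details differ from the answers on purpose: the passphrase is read with `-pass file:` so it does not appear on the command line, in `ps` output or in shell history; `-pbkdf2` is passed because `openssl enc` otherwise falls back to its legacy single-iteration key derivation (OpenSSL 1.1.1 and later warn about it); and the manifest uses `data:` with an explicit base64 step rather than `stringData:`, which makes the two layers visible. The key file, the Secret name `demo-secret`, the field name `username`, the plaintext and the function names are all constructed for this example; in a real deployment the key reaches the decrypting container by some route other than the Secret itself, which is the premise of the question.

```shell
#!/bin/sh
# Added example: application-layer encryption of a Secret value with openssl.
# Names below (KEYFILE, demo-secret, username, function names) are assumptions
# made for this example, not taken from the answers above.
set -eu

# The key lives in a file that is NOT handed to the pod that holds the Secret
# (here a constructed temp file). openssl reads it with -pass file:..., so the
# passphrase never sits on the command line.
KEYFILE="$(mktemp)"
printf '%s' 'constructed-demo-passphrase' > "$KEYFILE"

# Encrypt a plaintext value. -pbkdf2 replaces openssl enc's legacy key
# derivation; -a emits base64 and -A keeps it on a single line.
encrypt_value() {   # encrypt_value <plaintext> <keyfile>  -> base64 ciphertext
  printf '%s' "$1" | openssl enc -e -aes-256-cbc -a -A -salt -pbkdf2 -pass "file:$2"
}

# Decrypt a base64 ciphertext produced by encrypt_value. openssl exits non-zero
# on a wrong key ("bad decrypt"), so callers can distinguish failure from output.
decrypt_value() {   # decrypt_value <base64-ciphertext> <keyfile> -> plaintext
  printf '%s' "$1" | openssl enc -d -aes-256-cbc -a -A -salt -pbkdf2 -pass "file:$2"
}

# Build the Secret manifest with data: and an explicit base64 layer, which is
# exactly what the API server stores and what kubectl get -o yaml shows.
secret_manifest() { # secret_manifest <name> <field> <base64-ciphertext>
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  $2: $(printf '%s' "$3" | base64 | tr -d '\n')
EOF
}

# What a reader of the Secret (or of the file mounted from it) obtains after
# undoing only the API's base64 layer: the openssl ciphertext, not the value.
field_after_api_decode() { # field_after_api_decode <manifest-path> <field>
  awk -v f="$2:" '$1 == f { print $2 }' "$1" | base64 -d
}

# Stand-alone demonstration of the round trip.
CT="$(encrypt_value 'preetham' "$KEYFILE")"
MANIFEST="$(mktemp)"
secret_manifest demo-secret username "$CT" > "$MANIFEST"
echo "mounted/API view: $(field_after_api_decode "$MANIFEST" username)"
echo "with the key:     $(decrypt_value "$(field_after_api_decode "$MANIFEST" username)" "$KEYFILE")"
rm -f "$KEYFILE" "$MANIFEST"
```

Run it as `sh demo.sh`: the first line printed is the `Salted__`-prefixed ciphertext in base64, which is all that `cat` on the mounted file or `kubectl get secret -o yaml` yields; the second line is the plaintext, recoverable only by the side that holds the key file. Because `decrypt_value` propagates openssl's exit status, a sidecar or initContainer built on it can fail the pod start on a wrong or missing key instead of passing garbage to the application.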