Configuring Secrets encryption
Overview
By default, RKE2 enables Secrets encryption at rest with the aescbc provider and generates the private key automatically. Reference
Customizing Encryption provider
To configure a different provider (aescbc or secretbox) or to specify the encryption key explicitly, configure the spec.serverConfig.secretsEncryption block.
Example:

```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: RKE2ControlPlane
metadata:
  name: my-cluster-control-plane
spec:
  serverConfig:
    secretsEncryption:
      provider: "secretbox"
      encryptionKeySecret:
        name: encryption-key
        namespace: example
```
Encryption secret format
When configuring the encryptionKeySecret field, ensure the referenced secret contains the following key:
- encryptionKey - the base64-decoded value of the encryption key
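The following script, an added example rather than code from the CAPRKE2 project, generates a random key of a length valid for the chosen provider and renders the Secret that encryptionKeySecret points at. It assumes the raw key bytes are stored under data.encryptionKey (base64 in the manifest, as for any Kubernetes Secret) and that key sizes follow the Kubernetes EncryptionConfiguration rules: secretbox requires exactly 32 bytes, aescbc accepts 16, 24 or 32 bytes.

```shell
#!/bin/sh
# Added example: build the Secret referenced by
# spec.serverConfig.secretsEncryption.encryptionKeySecret.
# Assumptions: key lives in data.encryptionKey; secretbox needs a 32-byte
# key, aescbc accepts 16, 24 or 32 bytes (Kubernetes encryption rules).
set -eu

# validate_key_len PROVIDER NBYTES -> 0 if NBYTES is valid for PROVIDER
validate_key_len() {
    case "$1" in
        secretbox) [ "$2" -eq 32 ] ;;
        aescbc)    [ "$2" -eq 16 ] || [ "$2" -eq 24 ] || [ "$2" -eq 32 ] ;;
        *)         echo "unknown provider: $1" >&2; return 1 ;;
    esac
}

# gen_key NBYTES -> random key bytes, base64-encoded on a single line
gen_key() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# render_secret NAME NAMESPACE KEY_B64 -> Secret manifest on stdout
render_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  encryptionKey: $3
EOF
}

# make_encryption_key_secret PROVIDER NAME NAMESPACE NBYTES
# Refuses to emit a manifest whose key the provider would reject.
make_encryption_key_secret() {
    validate_key_len "$1" "$4" || {
        echo "invalid key length $4 bytes for provider $1" >&2
        return 1
    }
    render_secret "$2" "$3" "$(gen_key "$4")"
}

# b64_len KEY_B64 -> number of raw bytes the base64 value decodes to;
# useful to check an existing Secret before pointing RKE2 at it.
b64_len() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}
```

Pipe the output of make_encryption_key_secret into kubectl apply in the namespace named by encryptionKeySecret, and use b64_len on an existing Secret's data.encryptionKey to confirm the length before switching providers.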