Secrets Encryption Config
K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:
-
Generate an AES-CBC key
-
Generate an encryption config file with the generated key
-
Pass the config to the KubeAPI as encryption-provider-config
|
Secrets-encryption cannot be enabled on an existing server without restarting it. |
Choosing Encryption Provider
|
Version Gate
Available as of the April 2025 releases: v1.30.12+k3s1, v1.31.8+k3s1, v1.32.4+k3s1, v1.33.0+k3s1. |
Using the --secrets-encryption-provider flag, you can choose from the following K3s-supported encryption providers:
-
aescbc: AES-CBC with PKCS#7 padding. This is the default provider. -
secretbox: XSalsa20 and Poly1305
Migrating Providers
You can migrate from the aescbc provider to the secretbox provider by following these steps:
-
Ensure that the
secretboxprovider is supported by your K3s version. -
Update/Add the
secrets-encryption-providerflag in your K3s configuration file tosecretbox. -
Rotate the encryption keys, following the Encryption Key Rotation section below.
Generated encryption config file
When you start the server with --secrets-encryption, K3s will generate an encryption config file at /var/lib/rancher/k3s/server/cred/encryption-config.json.
Below is an example of the generated encryption config file with the default aescbc provider:
{
"kind": "EncryptionConfiguration",
"apiVersion": "apiserver.config.k8s.io/v1",
"resources": [
{
"resources": [
"secrets"
],
"providers": [
{
"aescbc": {
"keys": [
{
"name": "aescbckey",
"secret": "xxxxxxxxxxxxxxxxxxx"
}
]
}
},
{
"identity": {}
}
]
}
]
}Secrets Encryption Tool
K3s contains a utility tool secrets-encrypt, which enables automatic control over the following:
-
Disabling/Enabling secrets encryption
-
Adding new encryption keys
-
Rotating and deleting encryption keys
-
Reencrypting secrets
For more information, see the k3s secrets-encrypt command documentation.