Secret 加密配置

K3s 支持启用静态加密。首次启动 server 时,传递标志 --secrets-encryption 将自动执行以下操作:

  • 生成 AES-CBC 密钥

  • 使用密钥生成加密配置文件

  • 将配置作为 encryption-provider-config 传递给 KubeAPI

如果不重新启动现有 server,则无法在其上启用 Secret 加密。
如果使用脚本或配置选项中描述的其他方法进行安装,请使用 curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption

Choosing Encryption Provider

Version Gate

Available as of the April 2025 releases: v1.30.12+k3s1, v1.31.8+k3s1, v1.32.4+k3s1, v1.33.0+k3s1.

Using the --secrets-encryption-provider flag, you can choose from the following K3s-supported encryption providers:

  • aescbc: AES-CBC with PKCS#7 padding. This is the default provider.

  • secretbox: XSalsa20 and Poly1305

Migrating Providers

You can migrate from the aescbc provider to the secretbox provider by following these steps:

  1. Ensure that the secretbox provider is supported by your K3s version.

  2. Update/Add the secrets-encryption-provider flag in your K3s configuration file to secretbox.

  3. Rotate the encryption keys, following the Encryption Key Rotation section below.

Generated encryption config file

When you start the server with --secrets-encryption, K3s will generate an encryption config file at /var/lib/rancher/k3s/server/cred/encryption-config.json.

Below is an example of the generated encryption config file with the default aescbc provider:

{
  "kind": "EncryptionConfiguration",
  "apiVersion": "apiserver.config.k8s.io/v1",
  "resources": [
    {
      "resources": [
        "secrets"
      ],
      "providers": [
        {
          "aescbc": {
            "keys": [
              {
                "name": "aescbckey",
                "secret": "xxxxxxxxxxxxxxxxxxx"
              }
            ]
          }
        },
        {
          "identity": {}
        }
      ]
    }
  ]
}

Secret 加密工具

K3s 包含一个实用工具 secrets-encrypt,可以自动控制以下内容:

  • 禁用/启用 Secret 加密

  • 添加新的加密密钥

  • 轮换和删除加密密钥

  • 重新加密 Secret

有关详细信息,请参阅 k3s secrets-encrypt 命令文档