Enabling passive encryption

You can enable passive encryption by providing keys and encrypting data using the EncryptionConfig file and the kube-apiserver command. You can do this before or after installing GuardiumĀ® Insights.


  1. Determine the keys to be used and then add them to the EncryptionConfig file.
  2. Set the --encryption-provider-config flag on the kube-apiserver to point to the location of the EncryptionConfig file.
  3. Restart the API server.
  4. Secrets will be encrypted the next time etcd is written to. To have the encryption take effect, run this command:
    kubectl get secrets --all-namespaces -o json | kubectl replace -f -

    This will get all secrets and update them to be encrypted.

    Note: It is highly recommended that, along with the EncryptionConfig file, a kms provider is used.

What to do next

For more information about enabling passive encryption, see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/.