You can encrypt the data stored in Elastic Compute Service (ECS) instances to ensure data privacy and autonomy. This topic describes how to encrypt disks that are provided by Alibaba Cloud.
Use specific keys stored in KMS to encrypt disk volumes
Data encryption is suitable for scenarios that require high security or have compliance requirements. Storage encryption helps you ensure the privacy and autonomy of the data that is stored in ECS instances without the need to maintain the underlying key management system. For more information, see Encrypt a disk volume.
This topic describes how to use a specific key stored in KMS to encrypt the disk volumes that a cluster uses. The procedure consists of two steps:
- Create a StorageClass.
- Create a persistent volume claim (PVC).
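The two steps above, as an added example that is not taken from the original page: a StorageClass that provisions encrypted disks with a specific KMS key, followed by a PVC that uses it. It assumes the cluster runs the ACK CSI disk driver (provisioner `diskplugin.csi.alibabacloud.com`) with the `encrypted` and `kmsKeyId` parameters that driver accepts; the key ID is a placeholder to replace with your own CMK ID.

```yaml
# Added example, not from the original page.
# Assumed: ACK CSI disk driver and its "encrypted" / "kmsKeyId" parameters.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: alicloud-disk-encrypted
provisioner: diskplugin.csi.alibabacloud.com
parameters:
  type: cloud_essd
  encrypted: "true"            # every disk created from this class is encrypted at rest
  kmsKeyId: "<YOUR-CMK-ID>"    # placeholder: CMK in KMS, same region as the cluster
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer   # bind after scheduling so the disk is created in the pod's zone
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-encrypted
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: alicloud-disk-encrypted   # selects the encrypted class above
  resources:
    requests:
      storage: 20Gi
```

Because of `WaitForFirstConsumer`, the claim stays Pending until a pod that references it is scheduled. Encryption is set when the disk is created, so the StorageClass must be in place before any data is written; an existing unencrypted disk is not converted in place.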
Suggestions on disk encryption
- Enable disk encryption
You can use static keys to encrypt disks as a best practice to ensure the security of your system. For more information, see Encrypt a disk volume.
- Rotate CMKs periodically
You can periodically rotate keys and configure key versioning to enhance the security of customer master keys (CMKs). For more information, see Automatic key rotation.
Secret management
Kubernetes Secrets are used to store business-critical data and sensitive information, such as passwords, certificates, and API credentials. In open source Kubernetes, all Secrets are encoded by using Base64 and are stored in etcd. In a managed Kubernetes cluster, disk encryption is enabled for all disks that are mounted to etcd nodes in the control plane. This protects the privacy of business data. You can configure a pod to use a specified Secret by specifying specific environment variables or mounting a volume to the pod. For more information, see Secrets.
- Use KMS to encrypt Kubernetes Secrets
Professional managed Kubernetes clusters allow you to use a CMK in KMS to encrypt Secrets. The KMS encryption provider mechanism of Kubernetes is used during encryption. A KMS encryption provider uses envelope encryption to encrypt or decrypt Secrets that are stored in etcd. For more information, see KMS encryption provider mechanism, What is envelope encryption?, and Use KMS to encrypt Kubernetes Secrets.
- Create a separate namespace to isolate Secrets from applications
If you have secrets that cannot be shared among applications in a namespace, you can create a separate namespace for each application, and limit the read and write permissions on Secrets.
- Use volumes instead of environment variables to mount Secrets
The values of environment variables may accidentally appear in logs. Secrets that are mounted as volumes are instantiated as tmpfs volumes. These volumes are automatically removed from a node when the pod on the node is deleted.
- Use an external Secret management system
You can use an external Secret management system to manage your Secrets based on advanced features, such as fine-grained access control, multiple encryption algorithms, and automatic rotation of Secrets. For more information, see Overview and Vault.
When an application in an ACK cluster requires a Secret, the Secret management system can synchronize the corresponding external Secret to the ACK cluster in real time, and then inject the Secret to the application pod as a Secret of open source Kubernetes. For example, ACK Secret Manager can synchronize Secrets to ACK clusters in real time. For more information, see ack-secret-manager.
- Use TEE-based confidential computing
ACK allows you to create managed Kubernetes clusters for confidential computing that are developed based on Intel Software Guard Extensions (SGX) 2.0. These clusters help you ensure the security, integrity, and confidentiality of data computing, and also reduce the cost of developing, delivering, and managing trusted or confidential applications. Confidential computing allows you to isolate sensitive data and code in a trusted execution environment (TEE). This prevents the data and code from being accessed by the rest of the system. The data stored within a TEE is inaccessible to external applications, the BIOS, the operating system, the kernel, administrators, O&M engineers, cloud service providers, and all hardware components except the CPU. This reduces the possibility of data breaches and simplifies data management. For more information, see TEE-based confidential computing.