Container Service for Kubernetes (ACK) lets you use a customer master key (CMK) in Key Management Service (KMS) to encrypt Secrets stored in etcd on professional managed Kubernetes clusters. This protects sensitive data such as passwords, certificates, credentials, and access keys held in the roughly 50 built-in Secrets of your cluster and in any application Secrets you create.
How it works
ACK uses the KMS provider mechanism of Kubernetes to implement envelope encryption. Envelope encryption uses two layers of keys:
Data Encryption Key (DEK): A unique key generated for each Secret. The DEK encrypts the actual Secret data.
Key Encryption Key (KEK): Your CMK in KMS. The KEK encrypts the DEK.
Encryption flow
When you store a Kubernetes Secret via the Kubernetes Secret API:
The API server generates a random DEK.
The DEK encrypts the Secret data.
KMS encrypts the DEK using your CMK.
The ciphertext of the DEK is stored in etcd alongside the encrypted Secret.
Decryption flow
When you retrieve a Secret:
KMS decrypts the DEK ciphertext using your CMK (via the Decrypt operation).
The plaintext DEK decrypts the Secret data.
The decrypted Secret is returned.
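As an added illustration of the two-layer flow above (not code from ACK or Kubernetes), this Go program models the API server side of envelope encryption against a stand-in KMS type whose Encrypt and Decrypt only ever see the DEK, so the CMK never leaves it and the Secret never reaches it. The Envelope layout, the AES-256-GCM choice for both layers, and the test CMK value are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// sealWith returns nonce || AES-GCM ciphertext; openWith reverses it and rejects any blob modified in storage.
func sealWith(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func openWith(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// KMS stands in for the KMS service (assumed model): the CMK (KEK) never leaves it; only Encrypt/Decrypt of the DEK are exposed.
type KMS struct{ cmk []byte }
func (k *KMS) Encrypt(dek []byte) ([]byte, error) { return sealWith(k.cmk, dek) }
func (k *KMS) Decrypt(wrapped []byte) ([]byte, error) { return openWith(k.cmk, wrapped) }
// Envelope is what the API server persists in etcd: Secret ciphertext plus the wrapped DEK; the plaintext DEK is never stored.
type Envelope struct{ WrappedDEK, Data []byte }

// EncryptSecret is the write path: a fresh 32-byte DEK per Secret encrypts the data, then KMS wraps only the DEK.
func EncryptSecret(kms *KMS, secret []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	data, err := sealWith(dek, secret)
	if err != nil { return nil, err }
	wrapped, err := kms.Encrypt(dek)
	if err != nil { return nil, err }
	return &Envelope{WrappedDEK: wrapped, Data: data}, nil
}
// DecryptSecret is the read path: KMS unwraps the DEK, then the DEK decrypts the Secret data.
func DecryptSecret(kms *KMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK)
	if err != nil { return nil, err }
	return openWith(dek, env.Data)
}
```

Because GCM is authenticated, a byte flipped in etcd or a wrapped DEK presented to the wrong CMK fails closed rather than yielding garbage plaintext.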
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account assigned the AliyunCSManagedSecurityRole role. If the role is not assigned, you are prompted to assign it when you enable Secret encryption.
A RAM user granted the AliyunKMSCryptoAdminAccess permission. For details, see Grant permissions to a RAM user.
A CMK of the Aliyun_AES_256 type created in the KMS console. For details, see Create a CMK.
Enable Secret encryption at rest on a new cluster
Log on to the ACK console.
In the left-side navigation pane, click Clusters.
In the upper-right corner of the Clusters page, click Cluster Template.
In the Select Cluster Template dialog box, select Professional Managed Kubernetes Cluster and click Create.
On the Managed Kubernetes tab, find Secret Encryption, select Select Key, and choose a CMK ID from the drop-down list.
Set the remaining parameters and complete cluster creation.
For full cluster creation details, see Create an ACK Pro cluster.
Enable Secret encryption at rest on an existing cluster
On the Clusters page, click the name of the professional managed Kubernetes cluster.
Click the Basic Information tab. In the Basic Information section, turn on Secret Encryption.
In the Secret Encryption dialog box, select a CMK ID from the Existing Key drop-down list and click OK.
When the cluster status changes from Updating to Running, Secret encryption at rest is enabled.
Verify encryption
To confirm that Secret encryption is active:
Open the ActionTrail console.
Go to the Event Detail Query page.
Filter events by the AliyunCSManagedSecurityRole role and look for KMS encrypt or decrypt calls.
If KMS events appear, Secret encryption at rest is active for the cluster.