Container Service for Kubernetes (ACK) integrates with Key Management Service (KMS) to encrypt Kubernetes Secrets stored in etcd using a customer master key (CMK) you manage.
Even a newly initialized Kubernetes cluster with no business workloads holds about 50 Secrets. Encrypting these Secrets at rest is essential to prevent unauthorized access to the sensitive credentials and keys they contain.
How it works
ACK uses the KMS provider mechanism of Kubernetes and envelope encryption to protect Secrets in etcd.
Encryption (storing a Secret):
The API server generates a random data key and uses it to encrypt the Secret.
KMS encrypts the data key using your CMK.
The ciphertext of the data key is stored in etcd alongside the encrypted Secret.
Decryption (retrieving a Secret):
KMS decrypts the data key using your CMK.
The API server uses the plaintext data key to decrypt the Secret.
The decrypted Secret is returned.
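The two paths above, written out as an added example in Go (this is illustrative code, not ACK's or the Kubernetes KMS provider's implementation). It assumes a hypothetical in-process FakeKMS that holds a random 256-bit CMK and exposes only encrypt and decrypt of data keys, standing in for the Aliyun_AES_256 CMK in KMS; AES-256-GCM is used for both the Secret and the wrapped data key, and the sample Secret value is constructed. It also shows the failure modes a defender cares about: a record taken from etcd cannot be opened under a different CMK, and a modified ciphertext is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord models what the API server persists in etcd for one Secret:
// the Secret ciphertext and the data key ciphertext. Neither the plaintext
// data key nor the CMK is ever written to etcd.
type EnvelopeRecord struct {
	WrappedDataKey []byte // data key encrypted under the CMK (by KMS)
	Ciphertext     []byte // Secret encrypted under the data key (by the API server)
}

// gcmSeal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; the GCM tag check rejects any modified ciphertext.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// FakeKMS is a hypothetical stand-in for Alibaba Cloud KMS (assumption, not the
// real API). Like the service, it keeps the CMK internal and only wraps and
// unwraps data keys.
type FakeKMS struct{ cmk []byte }

// NewFakeKMS creates a random 256-bit CMK, the equivalent of Aliyun_AES_256.
func NewFakeKMS() (*FakeKMS, error) {
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil {
		return nil, err
	}
	return &FakeKMS{cmk: cmk}, nil
}

func (k *FakeKMS) Encrypt(dataKey []byte) ([]byte, error) { return gcmSeal(k.cmk, dataKey) }
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return gcmOpen(k.cmk, wrapped) }

// StoreSecret is the encryption path: generate a random data key, encrypt the
// Secret with it, have KMS wrap the data key under the CMK, persist both.
func StoreSecret(kms *FakeKMS, secret []byte) (EnvelopeRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EnvelopeRecord{}, err
	}
	ct, err := gcmSeal(dataKey, secret)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	wrapped, err := kms.Encrypt(dataKey)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return EnvelopeRecord{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// RetrieveSecret is the decryption path: KMS unwraps the data key with the CMK,
// then the Secret is decrypted with the plaintext data key.
func RetrieveSecret(kms *FakeKMS, rec EnvelopeRecord) ([]byte, error) {
	dataKey, err := kms.Decrypt(rec.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("KMS could not unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, rec.Ciphertext)
}

func main() {
	kms, _ := NewFakeKMS()
	rec, _ := StoreSecret(kms, []byte("db-password=hunter2")) // constructed sample Secret
	fmt.Printf("stored in etcd: %d-byte ciphertext + %d-byte wrapped key\n",
		len(rec.Ciphertext), len(rec.WrappedDataKey))
	pt, _ := RetrieveSecret(kms, rec)
	fmt.Println("retrieved:", string(pt))
	other, _ := NewFakeKMS() // a different CMK cannot unwrap the data key
	_, err := RetrieveSecret(other, rec)
	fmt.Println("wrong CMK:", err)
}
```

The point of the wrong-CMK case is the operational one: once encryption is enabled, an etcd backup or snapshot is only as readable as your access to the CMK, so the key's lifecycle (and who holds AliyunKMSCryptoAdminAccess) becomes part of the cluster's availability story as well as its confidentiality.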
For background on envelope encryption, see Use envelope encryption to encrypt and decrypt local data.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account assigned the AliyunCSManagedSecurityRole role (if not assigned, ACK prompts you to complete this when you enable Secret encryption)
A RAM user granted the AliyunKMSCryptoAdminAccess permission — see Grant permissions to a RAM user
A CMK of the Aliyun_AES_256 type created in the KMS console — only this key type is supported; see Create a CMK
An ACK Pro cluster — Secret encryption at rest is only available for ACK Pro clusters
Enable Secret encryption when creating a cluster
Log on to the ACK console.
On the Clusters page, click Cluster Templates in the upper-right corner.
In the Select Cluster Template dialog box, select Professional Managed Kubernetes Cluster and click Create.
On the ACK Managed Cluster tab, find Secret Encryption, select Select Key, and choose a CMK ID from the drop-down list.
Complete the remaining configuration by following the on-screen instructions.
For a full walkthrough, see Create an ACK Pro cluster.
Enable Secret encryption on an existing cluster
On the Clusters page, click the name of the ACK Pro cluster.
Click the Basic Information tab. In the Basic Information section, turn on Secret Encryption.
In the Secret Encryption dialog box, select a CMK ID from the Existing Key drop-down list and click OK.
The cluster status changes from Updating to Running when Secret encryption is successfully enabled.
Verify Secret encryption
Use the following method to confirm that Secret encryption is active.
Open the ActionTrail console and go to the Event Detail Query page.
Filter events by the AliyunCSManagedSecurityRole role.
Confirm that encryption and decryption events appear in the results.
All KMS CMK operations for your cluster are recorded in ActionTrail.