etcd_volume_encryption.md

File metadata and controls

65 lines (52 loc) · 1.32 KB

# Etcd Volume Encryption

You must configure etcd volume encryption before bringing up your cluster. You cannot add etcd volume encryption to an already running cluster.

## Encrypting Etcd Volumes Using the Default AWS KMS Key

Edit your cluster to add `encryptedVolume: true` to each etcd volume:

```bash
kops edit cluster ${CLUSTER_NAME}
```

```yaml
...
etcdClusters:
- etcdMembers:
  - instanceGroup: master-us-east-1a
    name: a
    encryptedVolume: true
  name: main
- etcdMembers:
  - instanceGroup: master-us-east-1a
    name: a
    encryptedVolume: true
  name: events
...
```

Update your cluster:

```bash
kops update cluster ${CLUSTER_NAME}
# Review changes before applying
kops update cluster ${CLUSTER_NAME} --yes
```

## Encrypting Etcd Volumes Using a Custom AWS KMS Key

Edit your cluster to add `encryptedVolume: true` and, as `kmsKeyId`, the full ARN of your KMS key to each etcd volume:

```bash
kops edit cluster ${CLUSTER_NAME}
```

```yaml
...
etcdClusters:
- etcdMembers:
  - instanceGroup: master-us-east-1a
    name: a
    encryptedVolume: true
    kmsKeyId: <full-arn-of-your-kms-key>
  name: main
- etcdMembers:
  - instanceGroup: master-us-east-1a
    name: a
    encryptedVolume: true
    kmsKeyId: <full-arn-of-your-kms-key>
  name: events
...
```

Update your cluster:

```bash
kops update cluster ${CLUSTER_NAME}
# Review changes before applying
kops update cluster ${CLUSTER_NAME} --yes
```