Introduction

Entrust KeyControl has been rebranded as the Entrust Cryptographic Security Platform (CSP) Key Manager.

The Entrust CSP Key Manager continues to provide a comprehensive solution for discovering and managing the lifecycles of cryptographic keys, secrets, certificates, tokens, libraries, protocols, and configurations:

  • The KeyControl Compliance Manager is now the Entrust CSP Compliance Manager. It still integrates with Entrust nShield Hardware Security Modules (HSMs) to protect the master keys for the CSP.

  • KeyControl Vault is now the Entrust Cryptographic Security Platform Vault. The Cryptographic Security Platform Vaults also still integrate with Entrust nShield HSMs to provide an optional HSM root of trust.

Because the Entrust integrations are tested against specific product versions, this guide is still branded as a "KeyControl" integration. It was tested against a pre-CSP version of KeyControl.

Exercise caution when using an Entrust Integration Guide with a product version that does not match the tested version, because your version might not function in exactly the same way.

Entrust cannot guarantee the success of integrations in configurations other than those indicated in the guide. This guide remains on the website for customers using pre-CSP versions of KeyControl.

This guide describes how to encrypt Kubernetes cluster storage with Entrust KeyControl Vault. The Entrust KMSPlugin lets the Kubernetes API server encrypt Secrets at rest using keys managed by KeyControl Vault.

Integration architecture

Kubernetes cluster

In this integration, a Kubernetes K3s cluster is deployed on a Red Hat Enterprise Linux VM. The API server's encryption-at-rest configuration points the cluster datastore at the Entrust KMSPlugin, which in turn uses a VM Encryption Vault in KeyControl, so Secrets are encrypted before they are written to the datastore.

Entrust KMSPlugin

The Entrust KMSPlugin handles the secure communication with the KeyControl Vault that is needed to manage the encryption keys. It manages its own configuration data, including the credentials it uses to authenticate to the vault.

For details, see the Entrust KeyControl Vault (KCV) documentation.

KeyControl VM Encryption Vault

This vault is used as the configuration mechanism for the Entrust KMSPlugin.

Product configurations

Entrust has successfully tested the integration of KeyControl Vault with Kubernetes Storage Encryption in the following configurations:

Product              Version
Base OS              Red Hat Enterprise Linux release 9.4 (Plow)
Kubernetes (K3s)     1.32.3
KeyControl Vault     10.4.3
Entrust KMSPlugin    2.0.0

KMSv2 support in Kubernetes is enabled by default from version 1.27 (beta) and is generally available from version 1.29. KMSv1 is deprecated as of Kubernetes 1.28 and disabled by default in 1.29. The K3s 1.32.3 release tested here therefore runs with KMSv2 enabled and KMSv1 disabled by default, so the API server encryption configuration must use a KMS provider with apiVersion v2.
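The following script is an added example, not code or configuration shipped by Entrust or K3s. It writes the kube-apiserver EncryptionConfiguration that wires Secrets to a KMSv2 provider, writes the weak identity-first variant next to it for comparison, and gives two checks a practitioner would run: that the first provider in the file really is a KMS v2 entry (the first provider is the one used for new writes), and that a raw value read back from the datastore carries the KMSv2 prefix. The socket path, provider name and file locations are assumptions chosen for the example; take the real socket path from the Entrust KMSPlugin documentation.

```shell
#!/bin/sh
# Added example: not Entrust's KMSPlugin code or an Entrust-shipped configuration.
# Assumptions (hypothetical values): the KMSPlugin listens on the Unix socket
# KMS_SOCKET, PROVIDER_NAME is an operator-chosen label, and the file locations
# under /etc/rancher/k3s are where this example installs things.
KMS_SOCKET="${KMS_SOCKET:-/var/run/kmsplugin/kms.sock}"   # assumed socket path
PROVIDER_NAME="entrust-kmsplugin"                          # operator-chosen name

# Write the API server EncryptionConfiguration. Provider order matters: the
# first provider encrypts new writes, the rest are only used to read data
# written earlier. KMSv2 first and identity last means existing plaintext
# Secrets stay readable until they are rewritten through the KMS provider.
write_encryption_config() {
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          apiVersion: v2
          name: ${PROVIDER_NAME}
          endpoint: unix://${KMS_SOCKET}
      - identity: {}
EOF
}

# The weak variant: identity listed first. The API server then writes every
# Secret to the datastore in plaintext and only decrypts old KMS-encrypted ones.
write_weak_identity_first_config() {
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
      - kms:
          apiVersion: v2
          name: ${PROVIDER_NAME}
          endpoint: unix://${KMS_SOCKET}
EOF
}

# Check: returns 0 only if the first provider of the first resource group is a
# KMS entry with apiVersion v2 (KMSv1 is deprecated and off by default since 1.29).
check_first_provider_is_kms_v2() {
  awk '
    /^ *providers:/                        { inprov = 1; next }
    inprov && /^ *- /                      { first = $0; inprov = 0; next }
    first != "" && !done && /apiVersion:/  { ver = $2; done = 1 }
    END { exit !(first ~ /- kms:/ && ver == "v2") }
  ' "$1"
}

# Check a raw value read from the cluster datastore: a Secret written through a
# KMSv2 provider is stored with the prefix k8s:enc:kms:v2:<provider name>:.
# Anything else (for example k8s:enc:aescbc:v1:... or plaintext) is not KMS-protected.
datastore_value_is_kms_v2() {
  case "$1" in
    k8s:enc:kms:v2:*) return 0 ;;
    *)                return 1 ;;
  esac
}

# Stand-alone usage: write the config, refuse to proceed if it is not KMSv2-first.
if [ "${1:-}" = "install" ]; then
  cfg=/etc/rancher/k3s/encryption-config.yaml          # assumed location
  write_encryption_config "$cfg"
  check_first_provider_is_kms_v2 "$cfg" || { echo "refusing: first provider is not KMSv2" >&2; exit 1; }
  # K3s hands the file to kube-apiserver through its own config file, e.g. in
  # /etc/rancher/k3s/config.yaml:
  #   kube-apiserver-arg:
  #     - "encryption-provider-config=${cfg}"
  # After restarting k3s, rewrite existing Secrets so they pass through the new provider:
  #   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
fi
```

Run `sh script.sh install` on the K3s server node (as root) to write and validate the file; the commented kubectl line is the standard way to force existing Secrets through the new provider, and `datastore_value_is_kms_v2` is meant to be fed the raw value you read back from the datastore for one of those Secrets afterwards.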

Requirements

Before starting the integration process

Familiarize yourself with:

  • The documentation for the Entrust KeyControl Vault.

  • The documentation for the Entrust KMSPlugin.

  • The documentation and setup process for a Kubernetes cluster.