Introduction
This guide describes how to encrypt Kubernetes cluster storage with Entrust KeyControl Vault. The Entrust KMSPlugin enables the use of encrypted Kubernetes secrets whose keys are managed by KeyControl Vault.
Integration architecture
Kubernetes cluster
In this integration, a Kubernetes K3s cluster is deployed on a Red Hat Linux VM. The datastore used by the Kubernetes cluster is configured to use the Entrust KMSPlugin, which in turn uses a VM Encryption Vault in KeyControl.
Entrust KMSPlugin
The Entrust KMSPlugin facilitates secure communication with the KeyControl Vault to manage encryption keys. It handles all configuration data, including authentication credentials, independently.
The plugin can be found at https://github.com/EntrustCorporation/keycontrol-kms-plugin/releases/tag/v2.0.0.
For details, see the Entrust KeyControl Vault (KCV) documentation.
KeyControl VM Encryption Vault
This vault is used as the configuration mechanism for the Entrust KMSPlugin.
Product configurations
Entrust has successfully tested the integration of KeyControl Vault with Kubernetes Storage Encryption in the following configurations:
Product | Version
---|---
Base OS | Red Hat Enterprise Linux release 9.4 (Plow)
Kubernetes (K3s) | 1.32.3
KeyControl Vault | 10.4.3
Entrust KMSPlugin | 2.0.0

KMSv2 support in Kubernetes generally starts with version 1.27 and is enabled by default in versions 1.27 and later. KMSv1 is deprecated as of Kubernetes 1.28 and disabled by default in 1.29.
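An API server EncryptionConfiguration that wires Secrets to a KMSv2 provider, added here as an illustration and not taken from the Entrust guide or the plugin's own documentation. The provider name and the Unix socket path are assumptions; the endpoint must match wherever the installed KMSPlugin actually listens, and the file is passed to the kube-apiserver through --encryption-provider-config (on K3s, via --kube-apiserver-arg).

```yaml
# Added example: EncryptionConfiguration using the KMSv2 provider API.
# apiVersion v2 is the supported provider API on Kubernetes 1.29+,
# where KMSv1 is disabled by default.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider is used for writes: new/updated Secrets are
      # envelope-encrypted with a DEK that the plugin wraps via KeyControl.
      - kms:
          apiVersion: v2
          name: entrust-keycontrol-kms            # assumed name
          endpoint: unix:///var/run/kmsplugin/kms.sock   # assumed socket path
          timeout: 3s
      # identity lets the API server still READ Secrets written before
      # encryption was enabled; remove it only after every Secret has been
      # re-written (e.g. kubectl get secrets -A -o json | kubectl replace -f -).
      - identity: {}
```

Note that on reads the API server tries providers in order until one matches the stored prefix, so listing identity last does not weaken writes; a stored Secret that still begins with plaintext JSON rather than the k8s:enc:kms:v2: prefix has simply not been re-encrypted yet.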