As per the Azure managed disk documentation, which one is supported and used by default for the OS disk in AKS nodes?
Can I use Azure Disk Encryption (ADE) with secrets managed in Key Vault? Can someone provide an example of it?
Reference from the documentation below:
Managed Disks and Encryption
There are two kinds of encryption to discuss in reference to managed disks. The first one is Storage Service Encryption (SSE), which is performed by the storage service. The second one is Azure Disk Encryption, which you can enable on the OS and data disks for your VMs.
Storage Service Encryption (SSE)
Azure Storage Service Encryption provides encryption-at-rest and safeguards your data to meet your organizational security and compliance commitments. SSE is enabled by default for all Managed Disks, Snapshots, and Images in all the regions where managed disks are available. Starting June 10th, 2017, all new managed disks/snapshots/images and new data written to existing managed disks are automatically encrypted-at-rest with keys managed by Microsoft by default. Visit the Managed Disks FAQ page for more details.
Azure Disk Encryption (ADE)
Azure Disk Encryption allows you to encrypt the OS and Data disks used by an IaaS Virtual Machine. This encryption includes managed disks. For Windows, the drives are encrypted using industry-standard BitLocker encryption technology. For Linux, the disks are encrypted using the DM-Crypt technology. The encryption process is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys. For more information, see Azure Disk Encryption for Windows and Linux IaaS VMs.
@badalk as of now AKS only supports and uses SSE. There is no option to encrypt the disks at any other level.
You can provide feedback if you want to see that feature implemented here:
https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks
So the data is encrypted for the attached volumes (using Azure managed disks) and the keys are managed by Microsoft, as it is using SSE. Can you confirm?
In addition, if I want to encrypt the etcd store, the only option to do it is using the Kubernetes keyvault flexvol tool from GitHub -> https://github.com/Azure/kubernetes-keyvault-flexvol to ensure that any secrets and sensitive data stored are encrypted. But is this supported by Microsoft?
This way we can ensure that the entire cluster data, whether application-specific or generated by the cluster, is encrypted at rest.
I read somewhere that encrypting the etcd store will break the SOP and you will be on your own...
I need to get this confirmed, as this is a go/no-go decision for us and urgent.
Please confirm.
@badalk all data in Azure is encrypted at rest. This means SSE. This applies to any data in Azure, regardless of whether you are using storage by itself, VMs, App Service, AKS, etc.
What encrypted at rest means is that the physical data drives located inside the Azure datacenters are all encrypted. So if a data disk were to ever make its way outside of a datacenter, the data is encrypted and cannot be accessed. What Azure does when you are accessing the data via the portal or through connecting to the cluster is that we decrypt the data in the pipeline before it reaches you, which is why you can access the data as if it was unencrypted.
For Virtual Machines as an example, you can add Azure Disk Encryption as an added layer of security. This will encrypt the data at the OS level. So if someone were to access your VM but did not have the key to the data disks, they would not be able to access the data, just as encryption on-premises works.
I am not overly familiar with the keyvault-flexvol. It appears to be a way to access the Key Vault from within your cluster.
Just to clarify, the VM extension for encryption is on the AKS roadmap for native support, but it is not currently supported for use with the AKS nodes.
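A way to verify the point above on your own node disks: the added script below (not part of this thread or of AKS itself) classifies trimmed `az disk show` output by the disk resource's `encryption.type` (SSE with a platform or customer-managed key) and by `encryptionSettingsCollection.enabled` (the ADE guest-level extension). The two disk records are constructed samples; only the field names are taken from the Microsoft.Compute/disks schema.

```python
import json

# Constructed sample: trimmed `az disk show` output for two disks.
# Not real AKS output; field names follow the Microsoft.Compute/disks schema.
SAMPLE_DISKS = json.loads("""
[
  {
    "name": "aks-nodepool1-00000000-0_OsDisk_1",
    "osType": "Linux",
    "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
    "encryptionSettingsCollection": null
  },
  {
    "name": "pvc-11111111-example",
    "osType": null,
    "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                   "diskEncryptionSetId": "/subscriptions/<sub>/.../des-example"},
    "encryptionSettingsCollection": {"enabled": true,
      "encryptionSettings": [{"diskEncryptionKey": {
        "secretUrl": "https://kv-example.vault.azure.net/secrets/x/1",
        "sourceVault": {"id": "/subscriptions/<sub>/.../kv-example"}}}]}
  }
]
""")

# Storage-service (SSE) encryption types and what they mean for key custody.
SSE_TYPES = {
    "EncryptionAtRestWithPlatformKey": "SSE, Microsoft-managed key",
    "EncryptionAtRestWithCustomerKey": "SSE, customer-managed key (Key Vault)",
    "EncryptionAtRestWithPlatformAndCustomerKeys": "SSE, double encryption",
}


def classify_disk(disk):
    """Return (sse_description, ade_enabled) for one disk resource dict."""
    enc_type = (disk.get("encryption") or {}).get("type")
    sse = SSE_TYPES.get(enc_type, "unknown / not reported")
    # ADE (BitLocker/dm-crypt inside the guest) shows up here, not in encryption.type.
    settings = disk.get("encryptionSettingsCollection") or {}
    return sse, bool(settings.get("enabled"))


def report(disks):
    """Summarise every disk so a reviewer can see which layer protects it."""
    return [{"name": d["name"], "sse": classify_disk(d)[0],
             "ade": classify_disk(d)[1]} for d in disks]


if __name__ == "__main__":
    for row in report(SAMPLE_DISKS):
        print(f"{row['name']}: {row['sse']}; ADE enabled: {row['ade']}")
```

On a real cluster, feed it the JSON from `az disk list -g <node resource group>` for the node pool's disks.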
Understood, and thanks for that detailed response @MicahMcKittrick-MSFT.
I still need confirmation on encrypting data in etcd, as it would maintain some secrets over a period of time and this is a go/no-go for us. I checked the flex-tool; it has approaches for ACS and for on-prem clusters, and I tried option 1 (Manual) using the service principal approach, but the issue here is that the Kubernetes secret generated from the client id and secret of the service principal is still base64 encoded and not encrypted, and that still doesn't make it secure.
I was trying Option 2 (using MSI), but that did not work, as it says there is no such resource as AzureIdentity or AzureIdentityBinding. Not sure if these are specific to ACS.
Any information on that part would be greatly appreciated. I have added another comment in the FAQ section on the same topic.
@badalk we can address all issues in this issue. No need to open multiple issues as it can become a bit confusing.
@badalk I appreciate you asking these questions, and they are valid questions. The scope of these comments on the docs is to help identify issues when running through the doc, or items that we should add to the doc to make things clearer while you are following the instructions.
I and others who work on these doc comments do have some knowledge about the product; however, some of the deeper product questions such as you are asking are best answered directly by the team that designs the product itself. We simply manage the doc walkthrough portion. We obviously can answer some of the product questions ourselves, but not all of them, due to knowledge depth.
Here are the suggested areas and how to use them:
Product Questions/ Bugs in the product
https://github.com/Azure/AKS/issues
Product Feedback/ Feature Suggestions
https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks
General Troubleshooting Assistance
https://stackoverflow.com/questions/tagged/azure-kubernetes
The above links are where the Product Group members who design and work directly with AKS are located, as well as a large community of other users who have a good grasp of the product and understand the ins and outs.
It sounds like you need some answers in order to move forward with AKS. I completely understand this and I would not want to steer you wrong. Hence, asking in the above channels will get you the answers you need, and they will come directly from the product members who design the product itself, so you know they are correct.
If you open an issue on the AKS GitHub page directly, you are more than welcome to CC me in it as well. Also, from the support ticket we had you open a bit ago you also have my email, so you are more than welcome to reach out to me directly as well. In most cases I will still need to direct you to the AKS GitHub repo, but if I know the answer I am more than happy to share it with you directly.
If you are ever running through a doc and encounter an issue, please do open a comment so we can take a look and see why the walkthrough might not be working. Otherwise I would suggest using the above links I provided so you get the correct support and your questions answered.
I appreciate you using AKS, as I also really enjoy it. I just want to make sure you have the correct resources available so you can get your questions answered correctly and continue with your development.
@badalk I will close this out for now.
Please feel free to reach out to me offline if you have additional asks that the above links I provided are not helping on :)