etcd data in CoreWeave Kubernetes Service (CKS) clusters using a KMS-backed setup. For new CKS clusters created after June 24, 2025, this feature is enabled by default and requires no action from you.
For existing CKS clusters created on or before June 24, 2025, you must rotate your existing Kubernetes Secrets once. After that, CoreWeave handles the lifecycle for you.
etcd by default.
You typically configure encryption at rest manually using a Key Management Service (KMS) provider.
With CKS, CoreWeave sets up and maintains this for you automatically.
Rotate Secrets in existing clusters
If your CKS cluster was created before June 24, 2025, your existing Secrets might not yet be encrypted. To ensure full encryption coverage, replace the existing Secrets once. Going forward, CoreWeave encrypts any new Secrets you create automatically. The following command rotates your Secrets in place by replacing each existing Secret with itself, which triggers the KMS provider to encrypt them:etcd alongside any new Secrets you create.
Comparison to upstream Kubernetes
This section summarizes how CKS Secrets encryption differs from a self-managed upstream Kubernetes setup, so you can see which responsibilities CoreWeave handles for you. While Kubernetes offers encryption at rest as an optional config, CoreWeave enables it by default. Your CKS clusters have Secrets encryption at rest, without the operational burden.| Concept | Upstream Kubernetes | CoreWeave CKS |
|---|---|---|
| KMS provider | You choose and configure the provider | CoreWeave |
| Who manages your keys | You manage your keys | CoreWeave |
| Plugin config | You write and deploy it manually | CoreWeave provisions and injects it automatically |
| Encryption scope | You choose what to encrypt | CoreWeave encrypts Secrets by default |
| Key rotation, unseal, backup | Manual setup and maintenance | Automated by CoreWeave |