July 9, 2025 - CKS encryption at rest
CKS now supports encryption at rest for enhanced data security and compliance
Change, CKS
CoreWeave enables encryption at rest for Kubernetes Secrets by default in all CoreWeave Kubernetes Service (CKS) clusters. This feature uses a KMS-backed integration to encrypt etcd data automatically, providing enhanced security for sensitive configuration data.
Overview
CoreWeave Kubernetes Service (CKS) now enables encryption at rest for Kubernetes Secrets by default in all CKS clusters. This feature uses a KMS-backed integration to encrypt etcd data automatically, providing enhanced security for sensitive configuration data. Encryption at rest protects data stored on disk by keeping it encrypted whenever it is not actively in use. Even if someone gains physical access to the storage media, they cannot read the encrypted data without the corresponding encryption keys.
Benefits
- Enhanced Security: Protects sensitive data even if storage is compromised
- Compliance: Meets regulatory requirements for data protection
- Transparent Operation: No changes required to applications or workflows
- Automatic Management: Encryption keys are managed automatically
- Zero Downtime: Can be enabled on existing clusters without disruption
How it works
KMS integration
CKS uses a Key Management Service (KMS) to handle encryption keys:
- Key Generation: KMS generates encryption keys for each cluster
- Key Storage: Keys are stored securely in the KMS
- Data Encryption: etcd data is encrypted using these keys
- Key Rotation: Keys are automatically rotated for security
Encryption process
- When a Secret is created, it's encrypted before being stored in etcd
- When a Secret is retrieved, it's automatically decrypted
- All encryption/decryption happens transparently to applications
Configuration
Automatic enablement
Encryption at rest is automatically enabled for all new CKS clusters created after July 9, 2025. No additional configuration is required.
Existing clusters
For existing clusters, encryption can be enabled through the CKS API:
```shell
# Enable encryption for existing cluster
curl -X PATCH \
  -H "Authorization: Bearer $CKS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"spec":{"encryptionAtRest":{"enabled":true}}}' \
  https://api.coreweave.com/v1/clusters/{cluster-id}
```
Verification
Check if encryption is enabled:
```shell
# Check cluster encryption status
kubectl get cluster -o jsonpath='{.items[0].status.encryptionAtRest.enabled}'
# Check etcd encryption status
kubectl get apiserver -o jsonpath='{.items[0].spec.encryptionConfig}'
```
Supported data types
The following Kubernetes resources are encrypted:
- Secrets: All Secret objects
- ConfigMaps: Sensitive configuration data
- Custom Resources: Custom resource definitions
- Service Accounts: Service account tokens
Security features
Key management
- Automatic Key Rotation: Keys are rotated every 90 days
- Key Backup: Keys are backed up securely
- Access Control: Key access is restricted to authorized services
- Audit Logging: All key operations are logged
Encryption standards
- Algorithm: AES-256-GCM
- Key Size: 256-bit keys
- Mode: Galois/Counter Mode (GCM) for authenticated encryption
Monitoring and troubleshooting
Check encryption status
```shell
# Check if encryption is working
kubectl get secret test-secret -o yaml
# Look for encryption annotation
# Check etcd encryption status
kubectl get apiserver -o jsonpath='{.items[0].status.conditions[?(@.type=="EncryptionReady")].status}'
```
Common issues
Encryption not enabled
If encryption is not enabled on an existing cluster:
```shell
# Enable encryption
kubectl patch cluster {cluster-name} \
  --type='merge' \
  -p='{"spec":{"encryptionAtRest":{"enabled":true}}}'
# Wait for encryption to be ready
kubectl wait --for=condition=EncryptionReady cluster/{cluster-name}
```
Performance impact
Encryption adds minimal overhead:
- CPU: < 5% additional CPU usage
- Latency: < 10ms additional latency
- Throughput: No significant impact on throughput
Key rotation issues
If key rotation fails:
```shell
# Check key rotation status
kubectl get events --field-selector reason=EncryptionKeyRotation
# Manually trigger key rotation
kubectl annotate cluster {cluster-name} \
  encryption.coreweave.com/rotate-keys=true
```
Compliance and auditing
Audit logs
All encryption operations are logged:
```shell
# View encryption audit logs
kubectl logs -n kube-system deployment/kube-apiserver | grep encryption
# Check KMS audit logs
kubectl logs -n kube-system deployment/kms-provider | grep key
```
Compliance reports
Generate compliance reports:
```shell
# Export encryption status
kubectl get cluster -o json > cluster-encryption-status.json
# Generate compliance report
cks-compliance-report --encryption --output=json
```
Migration guide
Pre-migration checklist
- Backup Data: Ensure all data is backed up
- Test Environment: Test encryption in a non-production cluster
- Application Compatibility: Verify applications work with encrypted Secrets
- Monitoring: Set up monitoring for encryption status
Migration steps
Step 1: Enable encryption
```shell
# Enable encryption at rest
kubectl patch cluster {cluster-name} \
  --type='merge' \
  -p='{"spec":{"encryptionAtRest":{"enabled":true}}}'
```
Step 2: Monitor progress
```shell
# Watch encryption progress
kubectl get cluster {cluster-name} -w
# Check for any errors
kubectl get events --field-selector involvedObject.name={cluster-name}
```
Step 3: Verify completion
```shell
# Verify encryption is complete
kubectl get cluster {cluster-name} -o jsonpath='{.status.encryptionAtRest.status}'
# Test with a new Secret
kubectl create secret generic test-secret --from-literal=key=value
kubectl get secret test-secret -o yaml
```
Rollback plan
If issues occur, encryption can be disabled:
```shell
# Disable encryption (emergency only)
kubectl patch cluster {cluster-name} \
  --type='merge' \
  -p='{"spec":{"encryptionAtRest":{"enabled":false}}}'
```
Best practices
Application development
- Use Secrets: Store sensitive data in Secrets, not ConfigMaps
- Limit Access: Use RBAC to limit access to Secrets
- Rotate Credentials: Regularly rotate application credentials
- Monitor Access: Monitor Secret access patterns
Cluster management
- Regular Backups: Maintain regular backups of encrypted data
- Key Rotation: Monitor key rotation status
- Compliance: Generate regular compliance reports
- Testing: Test encryption in staging environments
Security
- Access Control: Limit access to encryption keys
- Audit Logs: Monitor encryption audit logs
- Incident Response: Have a plan for encryption-related incidents
- Documentation: Document encryption procedures
API reference
Cluster configuration
```yaml
apiVersion: coreweave.com/v1
kind: Cluster
metadata:
  name: my-cluster
spec:
  encryptionAtRest:
    enabled: true
    provider: "kms"
    keyRotationPeriod: "90d"
```
Status fields
```yaml
status:
  encryptionAtRest:
    enabled: true
    status: "Ready"
    lastKeyRotation: "2025-07-09T10:00:00Z"
    nextKeyRotation: "2025-10-07T10:00:00Z"
    provider: "kms"
```
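The verification, key-rotation and compliance-report sections above all end in a manual read of these status fields. The following script is an added example, not CoreWeave tooling, that turns that read into an offline check: it consumes the JSON that `kubectl get cluster -o json` would print (three constructed sample Cluster objects are embedded, mirroring the status fields documented here), and flags clusters where encryption is not enabled, not `Ready`, not backed by the `kms` provider, or whose 90-day key rotation is overdue. The `Rotating` status value, the cluster names and the "current time" are assumptions made for the sample data.

```python
"""Offline compliance check of CKS Cluster encryptionAtRest status (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Policy values taken from the page: keys rotate every 90 days via the KMS provider.
ROTATION_PERIOD = timedelta(days=90)
EXPECTED_PROVIDER = "kms"

# Constructed sample: what `kubectl get cluster -o json` could return for three clusters.
SAMPLE_CLUSTER_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {   # healthy cluster; status mirrors the API reference above
            "apiVersion": "coreweave.com/v1", "kind": "Cluster",
            "metadata": {"name": "prod-a"},
            "spec": {"encryptionAtRest": {"enabled": True, "provider": "kms", "keyRotationPeriod": "90d"}},
            "status": {"encryptionAtRest": {"enabled": True, "status": "Ready",
                                            "lastKeyRotation": "2025-07-09T10:00:00Z",
                                            "nextKeyRotation": "2025-10-07T10:00:00Z",
                                            "provider": "kms"}},
        },
        {   # enabled, but a rotation is stuck and its deadline has passed (status value assumed)
            "apiVersion": "coreweave.com/v1", "kind": "Cluster",
            "metadata": {"name": "staging-b"},
            "spec": {"encryptionAtRest": {"enabled": True}},
            "status": {"encryptionAtRest": {"enabled": True, "status": "Rotating",
                                            "lastKeyRotation": "2025-04-01T00:00:00Z",
                                            "nextKeyRotation": "2025-06-30T00:00:00Z",
                                            "provider": "kms"}},
        },
        {   # pre-existing cluster that was never patched
            "apiVersion": "coreweave.com/v1", "kind": "Cluster",
            "metadata": {"name": "legacy-c"}, "spec": {}, "status": {},
        },
    ],
})
# Assumed "current time" for the sample run, so results are reproducible.
SAMPLE_NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2025-07-09T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_cluster(cluster, now):
    """Return a list of findings for one Cluster object; an empty list means compliant."""
    name = cluster.get("metadata", {}).get("name", "<unnamed>")
    spec = cluster.get("spec", {}).get("encryptionAtRest", {})
    status = cluster.get("status", {}).get("encryptionAtRest", {})
    findings = []

    if not spec.get("enabled"):
        findings.append(f"{name}: encryptionAtRest is not requested in spec")
    if not status.get("enabled"):
        findings.append(f"{name}: encryptionAtRest is not active in status")
    if status.get("status") != "Ready":
        findings.append(f"{name}: encryption status is {status.get('status')!r}, expected 'Ready'")
    if status.get("provider") != EXPECTED_PROVIDER:
        findings.append(f"{name}: provider is {status.get('provider')!r}, expected {EXPECTED_PROVIDER!r}")

    last, nxt = status.get("lastKeyRotation"), status.get("nextKeyRotation")
    if last and nxt:
        last_ts, next_ts = _parse_ts(last), _parse_ts(nxt)
        # The schedule itself must respect the 90-day policy ...
        if next_ts - last_ts > ROTATION_PERIOD:
            findings.append(f"{name}: rotation interval {(next_ts - last_ts).days}d exceeds {ROTATION_PERIOD.days}d")
        # ... and the scheduled rotation must not be in the past.
        if now > next_ts:
            findings.append(f"{name}: key rotation overdue since {nxt}")
    else:
        findings.append(f"{name}: key rotation timestamps missing")
    return findings


def check_cluster_list(raw_json, now):
    """Evaluate every item of a `kubectl get cluster -o json` document (List or single Cluster)."""
    doc = json.loads(raw_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {item["metadata"]["name"]: check_cluster(item, now) for item in items}


def run_sample():
    """Run the check over the constructed sample at the assumed current time."""
    return check_cluster_list(SAMPLE_CLUSTER_LIST, SAMPLE_NOW)


if __name__ == "__main__":
    for cluster_name, findings in run_sample().items():
        print(cluster_name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

In practice you would feed the script the file written by `kubectl get cluster -o json > cluster-encryption-status.json` and use the real clock instead of `SAMPLE_NOW`; the per-cluster finding lists are what a periodic compliance job or alert rule would act on.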
Support
For issues with encryption at rest:
- Check the CKS documentation
- Review CKS overview
- Contact CoreWeave support with cluster details and logs