July 9, 2025 - CKS encryption at rest
CKS now supports encryption at rest for enhanced data security and compliance
Change CKS CoreWeave enables encryption at rest for Kubernetes Secrets by default in all CoreWeave Kubernetes Service (CKS) clusters. This feature uses a KMS-backed integration to encrypt etcd data automatically, providing enhanced security for sensitive configuration data.
Overview
Encryption at rest for Kubernetes Secrets is now enabled by default across all CoreWeave Kubernetes Service (CKS) clusters. This enhancement leverages a KMS-backed integration to automatically encrypt etcd data, providing stronger protection for sensitive configuration information.
The feature was activated for new CKS clusters on June 24, 2025. As of July 9, 2025, encryption at rest has been rolled out to all existing clusters.
If your cluster was created on or before June 24, 2025, you'll need to replace your existing Secrets once.
$kubectl get secrets --all-namespaces -o json | kubectl replace -f -
After that, Secrets will be encrypted automatically, and CoreWeave manages the encryption lifecycle for you.