etcd Secrets Encryption at Rest
Understanding CoreWeave CKS cluster secrets encryption at rest
CoreWeave provides encryption at rest for etcd data in CoreWeave Kubernetes Service (CKS) clusters using a KMS-backed setup. For new CKS clusters created after June 24, 2025, this feature is enabled by default and requires no action from you.
For existing CKS clusters created on or before June 24, 2025, you need to rotate your existing Kubernetes Secrets once. After that, CoreWeave handles the entire lifecycle securely and transparently.
In Kubernetes, Secrets are stored unencrypted in etcd by default. Encryption at rest is typically configured manually using a Key Management Service (KMS) provider.
With CKS, CoreWeave sets up and maintains this for you automatically.
Rotate secrets in existing clusters
If your CKS cluster was created before June 24, 2025, your existing Secrets may not yet be encrypted. To ensure full encryption coverage, you'll need to replace the existing Secrets once. Any new Secrets you create going forward will be encrypted automatically.
To rotate your Secrets in place, run:
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
Comparison to upstream Kubernetes
While Kubernetes offers encryption at rest as an optional config, CoreWeave enables it by default. Your CKS clusters have Secrets encryption at rest, with none of the operational burden.
| Concept | Upstream Kubernetes | CoreWeave CKS |
|---|---|---|
| KMS provider | You choose and configure the provider | CoreWeave |
| Who manages your keys | You manage your keys | CoreWeave |
| Plugin config | You write and deploy it manually | CoreWeave provisions and injects it automatically |
| Encryption scope | You choose what to encrypt | CoreWeave encrypts Secrets by default |
| Key rotation, unseal, backup | Manual setup and maintenance | Automated by CoreWeave |