# etcd Secrets Encryption at Rest

> Understanding CoreWeave CKS cluster secrets encryption at rest

CoreWeave provides encryption at rest for etcd data in CoreWeave Kubernetes Service (CKS) clusters using a KMS-backed setup. For new CKS clusters created after June 24, 2025, this feature is enabled by default and requires no action from you.

<Info>
  For existing CKS clusters created on or before June 24, 2025, you need to rotate your existing Kubernetes Secrets once. After that, CoreWeave handles the entire lifecycle securely and transparently.
</Info>

In Kubernetes, [Secrets are stored unencrypted in etcd by default](https://kubernetes.io/docs/concepts/security/secrets-good-practices/#configure-encryption-at-rest).
Encryption at rest is typically configured manually using a [Key Management Service (KMS) provider](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/).

With CKS, CoreWeave sets up and maintains this for you automatically.

## Rotate secrets in existing clusters

If your CKS cluster was created **on or before June 24, 2025**, Secrets that already existed when encryption was enabled may not yet be encrypted. To ensure full encryption coverage,
you need to [replace the existing Secrets](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#ensuring-all-secrets-are-encrypted) once, which rewrites each one through the encryption layer.
Any new Secrets you create going forward are encrypted automatically.

To rotate your Secrets in place, run:

```bash
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```
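
A per-namespace variant of the command above, as an added example (not CoreWeave's tooling): it skips namespaces with no Secrets, retries when `kubectl replace` fails, and lists the namespaces that still failed so none is missed. The function names, the `MAX_TRIES` variable, and the `--all` argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: rotate Secrets one namespace at a time.
# Secret data only flows through a pipe; nothing is written to disk.

# Rewrite every Secret in one namespace.
# Returns 0 on success or when the namespace has no Secrets.
rotate_namespace() {
  local ns="$1" names
  # Fail loudly if Secrets cannot even be listed (for example, missing RBAC).
  names=$(kubectl get secrets -n "$ns" -o name) || return 1
  if [ -z "$names" ]; then
    return 0   # nothing to rewrite, skip the replace call
  fi
  kubectl get secrets -n "$ns" -o json | kubectl replace -f -
}

# Rotate all namespaces. Each namespace is retried up to MAX_TRIES times
# (assumed default: 3) because replace reports a conflict when a Secret
# changes between the get and the replace.
# Prints each namespace that still failed; returns non-zero if any did.
rotate_all() {
  local max="${MAX_TRIES:-3}" failed="" ns try ok
  for ns in $(kubectl get namespaces -o name | sed 's|^namespace/||'); do
    ok=0
    try=1
    while [ "$try" -le "$max" ]; do
      if rotate_namespace "$ns"; then ok=1; break; fi
      try=$((try + 1))
    done
    if [ "$ok" -eq 0 ]; then
      echo "$ns"
      failed=1
    fi
  done
  [ -z "$failed" ]
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--all" ]; then
  rotate_all
fi
```

A namespace printed by `rotate_all` still holds Secrets that were not rewritten, so rerun the rotation for it before treating coverage as complete.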

## Comparison to upstream Kubernetes

While Kubernetes [offers encryption at rest as an optional config](https://kubernetes.io/docs/concepts/security/secrets-good-practices/#configure-encryption-at-rest),
CoreWeave enables it by default. Your CKS clusters have Secrets encryption at rest, with none of the operational burden.

| **Concept**                  | **Upstream Kubernetes**               | **CoreWeave CKS**                                 |
| ---------------------------- | ------------------------------------- | ------------------------------------------------- |
| KMS provider                 | You choose and configure the provider | CoreWeave                                         |
| Who manages your keys        | You manage your keys                  | CoreWeave                                         |
| Plugin config                | You write and deploy it manually      | CoreWeave provisions and injects it automatically |
| Encryption scope             | You choose what to encrypt            | CoreWeave encrypts Secrets by default             |
| Key rotation, unseal, backup | Manual setup and maintenance          | Automated by CoreWeave                            |
