mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
28 lines
1.3 KiB
Plaintext
28 lines
1.3 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/encrypting-etcd.adoc
|
|
// * post_installation_configuration/cluster-tasks.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="about-etcd_{context}"]
|
|
= About etcd encryption
|
|
|
|
By default, etcd data is not encrypted in {product-title}. You can enable etcd encryption for your cluster to provide an additional layer of data security. For example, it can help protect the loss of sensitive data if an etcd backup is exposed to the incorrect parties.
|
|
|
|
When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:
|
|
|
|
* Secrets
|
|
* Config maps
|
|
* Routes
|
|
* OAuth access tokens
|
|
* OAuth authorize tokens
|
|
|
|
When you enable etcd encryption, encryption keys are created. You must have these keys to restore from an etcd backup.
|
|
|
|
[NOTE]
|
|
====
|
|
Etcd encryption only encrypts values, not keys. Resource types, namespaces, and object names are unencrypted.
|
|
|
|
If etcd encryption is enabled during a backup, the `__static_kuberesources_<datetimestamp>.tar.gz__` file contains the encryption keys for the etcd snapshot. For security reasons, store this file separately from the etcd snapshot. However, this file is required to restore a previous state of etcd from the respective etcd snapshot.
|
|
====
|