Base64 is not encryption - a better story for Kubernetes Secrets

Presented at Diana Initiative 2019, Aug. 9, 2019, 2 p.m. (60 minutes)

Secrets are a key pillar of Kubernetes’ security model, used internally (e.g. service accounts) and by users (e.g. API keys), but did you know they are stored in plaintext? That’s right, by default all Kubernetes secrets are base64 encoded and stored as plaintext in etcd. Anyone with access to the etcd cluster has access to all your Kubernetes secrets.

Thankfully there are better ways. This lecture provides an overview of different techniques for more securely managing secrets in Kubernetes including secrets encryption, KMS plugins, and tools like HashiCorp Vault. Attendees will learn the tradeoffs of each approach to make better decisions on how to secure their Kubernetes clusters.

Presenters:

• Seth Vargo - Developer Relations Engineer at Google
  Seth Vargo is a Developer Relations Engineer at [Google](https://cloud.google.com/). Previously he worked at HashiCorp, Chef Software, CustomInk, and a few Pittsburgh-based startups. He is the author of [Learning Chef](https://www.amazon.com/Learning-Chef-Configuration-Management-Automation/dp/1491944935) and is passionate about reducing inequality in technology. When he is not writing, working on open source, teaching, or speaking at conferences, Seth enjoys spending time with his friends and advising non-profits.

Links:

• https://dianainitiative2019.busyconf.com/schedule#activity_5c5c8c2ee40bd662dc000226

Similar Presentations:

• Canterbury Hacker Camp (2022) / Attack on Kubernetes
• HushCon Seattle 2019 / Down the sinkhole with kubernetes
• DerbyCon 9.0 Finish Line (2019) / Prepare to Be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty