Allow root volume encryption (on AWS) #9728
Comments
/kind feature
@MichaelJDrK do you really need a specific KMS key, or will the default one do just fine?
Sorry for the late answer, I've been on vacation. Yes, for compliance reasons we have to use customer managed keys (CMK), so we need to provide a specific KMS key.
OK, thanks for explaining. Will try to add the encryption keys also in kops 1.19.
So as of right now, will the root volume encryption flag use the default? Or is the flag just added to the spec, but not actively used? Edit: nvm, I see that it's being passed through to the auto scaling group.
As of today, with 1.19 in beta, I only see that root volume encryption can be enabled, but not with a custom KMS key. Correct me if I am wrong; see the code here: 36fbf9f#diff-a0bf037707fdd86cfc323f077cc9fff8c5b3bc7dbf6bfc23cfcb6ae572ce88f3 @hakman, can you please verify the status of this?
Nope, it is just a field now waiting for its realisation. I hope I'll commit it soon.
@hakman we faced an issue: if you add a volume encryption key and encryption itself, kops provides a new version of the launch template, but it doesn't switch the default version to the new version of the launch template. So we have to do it manually.
@DOboznyi please create an issue with the simplest way to reproduce the problem and I will take a look.
When you have to use encryption at rest, you currently have to create your own encrypted AMIs on AWS and use these as the base image.
With AWS you can create EC2 instances directly from a public AMI with an encrypted root volume using your own KMS key. In Terraform, for example, you could do this:
InstanceGroups should support this, too. Suggestion:
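The compliance requirement discussed in this thread (root volumes must be encrypted with a specific customer managed key, not the AWS default) can be audited independently of how the instances were launched. The check below is an added example, not code from the issue or from kops; it runs over constructed data shaped like EC2 DescribeInstances / DescribeVolumes responses, and the key ARN is a placeholder.

```python
"""Audit EC2 root volumes for encryption with one specific customer managed KMS key.

Added example (not from the kops issue or project). INSTANCES and VOLUMES are
constructed inline in the shape of EC2 DescribeInstances / DescribeVolumes output
so the check runs offline; replace them with boto3 results to audit a real account.
"""

# Placeholder CMK ARN (assumption, not a real key).
EXPECTED_CMK = "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-CMK-ID"

# Constructed sample: one compliant instance, one using a different (default) key,
# one with an unencrypted root volume. Data volumes are present but not audited.
INSTANCES = [
    {"InstanceId": "i-0aaa", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0001"}},
                             {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-0002"}}]},
    {"InstanceId": "i-0bbb", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0003"}}]},
    {"InstanceId": "i-0ccc", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0004"}}]},
]
VOLUMES = {
    "vol-0001": {"Encrypted": True, "KmsKeyId": EXPECTED_CMK},
    "vol-0002": {"Encrypted": False},
    "vol-0003": {"Encrypted": True,
                 "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-DEFAULT-KEY"},
    "vol-0004": {"Encrypted": False},
}


def root_volume_findings(instances, volumes, expected_cmk):
    """Return {instance_id: reason} for every instance whose root volume is not
    encrypted with expected_cmk. Only the volume behind RootDeviceName is checked."""
    findings = {}
    for inst in instances:
        root_dev = inst["RootDeviceName"]
        vol_id = next((m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"]
                       if m["DeviceName"] == root_dev), None)
        if vol_id is None:
            findings[inst["InstanceId"]] = "no EBS root volume found"
            continue
        vol = volumes.get(vol_id, {})
        if not vol.get("Encrypted"):
            findings[inst["InstanceId"]] = f"{vol_id}: root volume not encrypted"
        elif vol.get("KmsKeyId") != expected_cmk:
            findings[inst["InstanceId"]] = f"{vol_id}: encrypted with {vol.get('KmsKeyId')} instead of the required CMK"
    return findings


if __name__ == "__main__":
    for inst_id, reason in root_volume_findings(INSTANCES, VOLUMES, EXPECTED_CMK).items():
        print(f"{inst_id}: {reason}")
```

Because the check reads the volumes actually attached, it also catches the launch-template case mentioned above, where a new template version carries the key but instances keep launching from the old default version.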