title | description | services | ms.topic | ms.date | ms.custom | ms.devlang |
---|---|---|---|---|---|---|
Enable host-based encryption on Azure Kubernetes Service (AKS) | Learn how to configure host-based encryption in an Azure Kubernetes Service (AKS) cluster | container-service | article | 04/26/2021 | devx-track-azurepowershell, devx-track-azurecli | azurecli |
With host-based encryption, the data stored on the VM host of your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service. This means the temp disks are encrypted at rest with platform-managed keys. The cache of OS and data disks is encrypted at rest with either platform-managed keys or customer-managed keys depending on the encryption type set on those disks.
By default, when using AKS, OS and data disks use server-side encryption with platform-managed keys. The caches for these disks are also encrypted at rest with platform-managed keys. You can specify your own managed keys following Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service. The cache for these disks will then also be encrypted using the key that you specify in this step.
Host-based encryption is different from server-side encryption (SSE), which is used by Azure Storage. Azure managed disks rely on Azure Storage to encrypt data at rest automatically when it is written. Host-based encryption instead uses the VM host to encrypt the data before it flows to Azure Storage.
This feature can only be set at cluster creation or node pool creation time.
Note
Host-based encryption is available only in Azure regions that support server-side encryption of Azure managed disks, and only with specific supported VM sizes.
- Ensure you have the CLI extension v2.23 or a higher version installed.
- Ensure you have the `EncryptionAtHost` feature flag under `Microsoft.Compute` enabled.
To create an AKS cluster that uses host-based encryption, you must enable the `EncryptionAtHost` feature flag on your subscription.

Register the `EncryptionAtHost` feature flag using the `az feature register` command as shown in the following example:

```azurecli
az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
```

It takes a few minutes for the status to show *Registered*. You can check on the registration status using the `az feature list` command:

```azurecli
az feature list -o table --query "[?contains(name, 'Microsoft.Compute/EncryptionAtHost')].{Name:name,State:properties.state}"
```

When ready, refresh the registration of the `Microsoft.Compute` resource provider using the `az provider register` command:

```azurecli
az provider register --namespace Microsoft.Compute
```
- Can only be enabled on new node pools.
- Can only be enabled in Azure regions that support server-side encryption of Azure managed disks and only with specific supported VM sizes.
- Requires an AKS cluster and node pool based on Virtual Machine Scale Sets (VMSS) as the VM set type.
Configure the cluster agent nodes to use host-based encryption when the cluster is created.
```azurecli
az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --enable-encryption-at-host
```

If you want to create clusters without host-based encryption, you can do so by omitting the `--enable-encryption-at-host` parameter.
You can enable host-based encryption on existing clusters by adding a new node pool to your cluster. Configure a new node pool to use host-based encryption by using the `--enable-encryption-at-host` parameter.

```azurecli
az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --enable-encryption-at-host
```

If you want to create new node pools without the host-based encryption feature, you can do so by omitting the `--enable-encryption-at-host` parameter.
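Because the setting can only be applied when a cluster or node pool is created, the practical control is an audit: confirm the feature flag reads *Registered* before creating anything, and list any existing node pools that were created without host-based encryption so they can be replaced by new pools created with `--enable-encryption-at-host`. The following Python script is an added example, not part of this article or the Azure CLI; it parses constructed samples of the JSON that `az feature list -o json` and `az aks nodepool list -o json` return, and assumes the node pool property is named `enableEncryptionAtHost` (the name used by the AKS agent pool API).

```python
import json

# Constructed sample of `az feature list -o json`, trimmed to the fields checked here.
SAMPLE_FEATURES = json.dumps([
    {"name": "Microsoft.Compute/EncryptionAtHost", "properties": {"state": "Registering"}},
    {"name": "Microsoft.Compute/SomeOtherFeature", "properties": {"state": "Registered"}},
])

# Constructed sample of `az aks nodepool list -o json` for a cluster with one
# original pool and one pool added later with --enable-encryption-at-host.
SAMPLE_NODEPOOLS = json.dumps([
    {"name": "nodepool1", "mode": "System", "vmSize": "Standard_DS2_v2",
     "enableEncryptionAtHost": False},
    {"name": "hostencrypt", "mode": "User", "vmSize": "Standard_DS2_v2",
     "enableEncryptionAtHost": True},
])


def feature_registered(feature_json, feature="Microsoft.Compute/EncryptionAtHost"):
    """True only when the named feature flag has reached the Registered state.

    Any other state (Registering, NotRegistered, or the flag being absent from the
    list) means `az aks create --enable-encryption-at-host` is not yet safe to run.
    """
    for entry in json.loads(feature_json):
        if entry.get("name") == feature:
            return entry.get("properties", {}).get("state") == "Registered"
    return False


def pools_without_host_encryption(nodepool_json):
    """Return the names of node pools that lack host-based encryption.

    Host-based encryption cannot be switched on for an existing pool, so each pool
    returned here has to be replaced: add a new pool with --enable-encryption-at-host,
    move workloads across, then delete the old pool.  A missing property (as returned
    by older API versions) is treated as not enabled.
    """
    pools = json.loads(nodepool_json)
    return [p["name"] for p in pools if p.get("enableEncryptionAtHost") is not True]


if __name__ == "__main__":
    print("EncryptionAtHost registered:", feature_registered(SAMPLE_FEATURES))
    print("Pools without host-based encryption:",
          pools_without_host_encryption(SAMPLE_NODEPOOLS))
```

On a live subscription, pipe the real command output in place of the constructed samples; the checks are the same.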
- Review best practices for AKS cluster security.
- Read more about host-based encryption.