Azure AKS encrypt OS and Data disk for worker nodes

  • Question

  • We are running our application in AKS Cluster. To make secure our AKS Worker nodes, we want to enable Encryption on OS and Data disk on worker nodes. So could you please help us to share the steps for enable encryption on AKS Node agents.

    Tuesday, September 10, 2019 10:53 AM

All replies

  • Hi,

    The disks used by Azure nodes are already encrypted by the Azure Platform.

    For more information, Please check this Document.

    Microsoft manages the keys for encryption. Custom keys (user provided) for encryption are not supported.

    Tuesday, September 10, 2019 11:34 AM
  • I could not see the encryption enabled on OS and Data disks after deploying the AKS Cluster. My requirement is that the Data disk should be encrypted when attaching to any node in the cluster.

    Tuesday, September 10, 2019 11:41 AM
  • Hi,

    I have gone through the doc and saw the below one in node security:

    The data stored on managed disks is automatically encrypted at rest within the Azure platform.

    Can you please clarify my below question?

    *) Are pvc attached to Worker nodes encrypted?

    *) Do I need to make any changes in the below storage class yaml file for creating an encrypted data disk?

    # AKS default "managed-premium" StorageClass (Azure Disk in-tree provisioner).
    # Data disks created from it are platform-encrypted at rest by default.
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      labels:
        kubernetes.io/cluster-service: "true"
      name: managed-premium
    provisioner: kubernetes.io/azure-disk
    parameters:
      cachingmode: ReadOnly
      kind: Managed
      storageaccounttype: Premium_LRS
    reclaimPolicy: Delete
    volumeBindingMode: Immediate

    Tuesday, September 10, 2019 12:01 PM
  • Hi,

    Please find my answers inline.

    Question: Are pvc attached to Worker nodes encrypted?

    All managed disks in Azure are encrypted at rest, including the disks backed by PVCs.

    Question: Do I need to make any changes in the below storage class yaml file for creating an encrypted data disk?

    No need to change things in the yaml.

    This document provides more information about Storage service encryption.

    Note: Customer-managed keys are not supported for Azure managed disks.

    For the benefit of the community, please click on "mark as answer" for the reply which solved your problem.

    Wednesday, September 11, 2019 4:54 AM
  • Hi,

    I'm a bit confused here. I can see the disks on the AKS worker nodes are not encryption enabled, but you are saying that data at rest in the storage account is encrypted by default.

    So the question here is: can I enable encryption at the AKS worker node level, on the OS and Data disks, and not at the storage level?

    How can I retrieve encrypted data from storage in case of failure?

    Wednesday, September 11, 2019 6:14 AM
  • Hi,

    I will check about enabling encryption on the AKS worker node level and let you know.

    Currently, modifying the resources under the Node resource group will break the Service Level Objective (SLO, not SLA).

    Please refer to this link

    Generally, AKS nodes will come and go during scaling, upgrades, etc. So we should not save anything on the OS disk. All modifications to the OS disk have to be done via daemonsets only.

    Data disks remain. I don't know how to enable encryption for data disks or if it's needed to enable for AKS.

    I will check that with my team and let you know.

    Friday, September 13, 2019 12:46 PM
  • Hi,

    I reached out to the internal teams.

    I will let you know once I have some information.

    Wednesday, September 18, 2019 8:46 AM
  • Hi,

    I checked with the internal teams.

    Encrypting the disks with your own key is not supported for AKS nodes.

    Disks (at rest) are encrypted by the Azure platform with keys managed by Azure.

    Friday, September 20, 2019 12:15 PM
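The confusion in this thread comes from two different things both being called "encryption": Azure Disk Encryption (ADE, an in-guest BitLocker/dm-crypt setting that shows up in the portal as "encryption enabled" on the VM) and storage-side encryption at rest (SSE, applied by the platform to every managed disk). The script below is an added example, not code from this thread or from Microsoft. It takes the JSON shape returned by `az disk list -g <node-resource-group> -o json`, classifies each disk in the node resource group as an OS disk, a PVC-backed data disk (recognised by the `kubernetes.io-created-for-pvc-name` tag the Azure cloud provider sets), or another data disk, and reports separately whether the disk's `encryption.type` confirms encryption at rest and whether ADE is enabled. The sample input is constructed inline so the check runs offline; a real run would feed it the `az` output instead.

```python
import json

# Values Azure reports in a disk's encryption.type field (storage-side encryption at rest).
AT_REST_TYPES = {
    "EncryptionAtRestWithPlatformKey",
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

# Tag set by the Azure cloud provider on disks dynamically provisioned for a PVC.
PVC_TAG = "kubernetes.io-created-for-pvc-name"

# Constructed sample: the shape of `az disk list` output, trimmed to the fields
# this check reads. These are not real disks from the thread.
SAMPLE_DISK_LIST = json.dumps([
    {
        "name": "aks-nodepool1-00000000-0_OsDisk_1_constructed",
        "osType": "Linux",
        "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
        "encryptionSettingsCollection": None,
        "tags": {},
    },
    {
        "name": "kubernetes-dynamic-pvc-constructed-0001",
        "osType": None,
        "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
        "encryptionSettingsCollection": None,
        "tags": {PVC_TAG: "data-0", "kubernetes.io-created-for-pvc-namespace": "app"},
    },
    {
        # A disk whose response omits the encryption block (older API versions do)
        # but has ADE turned on: ADE alone does not confirm encryption at rest.
        "name": "legacy-data-disk-constructed",
        "osType": None,
        "encryption": None,
        "encryptionSettingsCollection": {"enabled": True},
        "tags": {},
    },
])


def classify_disk(disk):
    """Summarise one disk record: its role in the cluster and both encryption flags."""
    tags = disk.get("tags") or {}
    if disk.get("osType"):
        role = "os"
    elif PVC_TAG in tags:
        role = "pvc"
    else:
        role = "data"

    sse_type = (disk.get("encryption") or {}).get("type")
    ade_enabled = bool((disk.get("encryptionSettingsCollection") or {}).get("enabled"))

    return {
        "name": disk["name"],
        "role": role,
        "pvc": tags.get(PVC_TAG),
        "sse_type": sse_type,
        # True only when the API explicitly reports platform/customer-key encryption at rest.
        "sse_at_rest": sse_type in AT_REST_TYPES,
        # In-guest ADE; this is the flag the portal shows as "encryption enabled".
        "ade_enabled": ade_enabled,
    }


def audit_disks(disk_list_json):
    """Classify every disk in an `az disk list` JSON document."""
    return [classify_disk(d) for d in json.loads(disk_list_json)]


def disks_needing_attention(disk_list_json):
    """Names of disks whose response does not confirm encryption at rest.

    A hit means the record lacks a recognised encryption.type, usually because it
    was fetched with an old API version; re-query before treating it as unencrypted.
    """
    return [r["name"] for r in audit_disks(disk_list_json) if not r["sse_at_rest"]]


if __name__ == "__main__":
    for row in audit_disks(SAMPLE_DISK_LIST):
        print(f"{row['name']:45} role={row['role']:4} sse_at_rest={row['sse_at_rest']!s:5} "
              f"ade_enabled={row['ade_enabled']!s:5} pvc={row['pvc']}")
    print("needs attention:", disks_needing_attention(SAMPLE_DISK_LIST))
```

The point of keeping the two flags separate is that the original poster's observation ("the disks on the AKS worker nodes are not encryption enabled") describes `ade_enabled` being false, while the answers in the thread describe `sse_at_rest` being true; both can hold for the same disk.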