clauney
@nilekhc We're being asked about encryption at rest of etcd for an internal security review of my team's applications hosted in AKS, and I ran across this thread in doing...
@nilekhc thank you for the intro and info. @miwithro do you mean it's base64 encoded? My experience with base64 encoding is you can decode it with CLI / other tools...is...
@miwithro thanks for that additional info. We don't really need the ability to bring our own key; this is more about the need to just have the content of secrets...
BTW - it would be better, IMO, to make this more clear in AKS documentation. Base64 encoding isn't encryption, in that it can be reversed by anyone without any other...
@miwithro is there a plan to have AKS implement the aks-engine enableDataEncryptionAtRest feature described [here](https://github.com/Azure/aks-engine/blob/master/docs/topics/clusterdefinitions.md)? From a look at https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/, that *does* implement a process to encrypt secrets with a...
In any case, much thanks to @miwithro and @nilekhc for your engagement on this! I am glad to have a direction to explore soon.
Thanks! We'll check that out too, especially the synced option. I was looking to limit latency / etc. so wanted to avoid direct hits to KV, and the sync described...