Decrypting Kubernetes secret using the encryption key

I have a toy Kubernetes cluster with Encryption at Rest enabled using the aes-256-cbc provider; I have not used any vault here for KMS, simulating the problem. This means the encryption key is in a plain text file on the master node.

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: c2VjcmV0IGlzIHNlY3VyZQ==
      - identity: {}
```

Assuming the encryption key c2VjcmV0IGlzIHNlY3VyZQ== is leaked, is there any chance to decrypt the secrets stored in the etcd?

Example:

Secret creation:

```
k create secret generic secret1-no-encryption --from-literal foo="admin@123"
secret/secret1-no-encryption created
```

Reading the secret from etcd when it's NOT encrypted:

```
sudo ETCDCTL_API=3 etcdctl --endpoints https://192.168.122.191:2379 --cert=/etc/ssl/etcd/ssl/node-test-kube-controller-1.pem --key=/etc/ssl/etcd/ssl/node-test-kube-controller-1-key.pem --cacert=/etc/ssl/etcd/ssl/ca.pem get /registry/secrets/default/secret1-no-encryption
/registry/secrets/default/secret1-no-encryption
k8s

v1Secret▒
▒
secret1-no-encryptiondefault"*$3d45ddaa-2e34-4605-92d2-ad2ad31592692▒▒▒▒`
kubectl-createUpdatev▒▒▒FieldsV1:,
*{"f:data":{".":{},"f:foo":{}},"f:type":{}}B
foo     admin@123Opaque"
```

Attempt to read secret when the etcd is encrypted:

```
sudo ETCDCTL_API=3 etcdctl --endpoints https://192.168.122.191:2379 --cert=/etc/ssl/etcd/ssl/node-test-kube-controller-1.pem --key=/etc/ssl/etcd/ssl/node-test-kube-controller-1-key.pem --cacert=/etc/ssl/etcd/ssl/ca.pem get /registry/secrets/default/secret2-with-encryption
/registry/secrets/default/secret2-with-encryption
k8s:enc:aescbc:v1:key1:n%-▒▒▒▒▒Ԩ▒qB▒x'V▒F▒y`l▒_X▒n
                                                  8#EEg▒!▒▒Mnk▒S▒▒KQ▒▒F▒NyJ▒$▒J▒▒Q`▒3m▒▒_▒▒U▒!7ZP▒bm▒x▒▒▒\▒{▒)e▒4▒Q-L▒#▒▒▒ձ▒<8▒▒ndd}Ҏ▒|1k▒▒>▒▒▒J▒R▒.▒▒c▒mɹ▒Q▒D▒▒Z▒▒H▒4▒~.▒F▒▒j▒▒C▒י%▒▒8▒▒▒8▒ޥE`Kp;▒%▒▒/e▒▒▒▒{.m▒c͍.˻▒▒1▒▒▒ݑ=u▒{▒▒~▒KP▒▒v7ϋ'▒{d]#
                     +▒<M
```

Question:

Is knowledge of the encryption key enough to decrypt the etcd contents? If just the encryption key is not enough to decrypt the content (perhaps the IV is required), why bother using KMS (except for key rotation)? Is there any way the IV can also be leaked?

Is it authoritatively safe to say just the key leak could not cause the decryption of the etcd contents?

Kiran Kotturi
The encryption key leak will not cause the decryption of the "etcd" contents directly, as it has many security layers, but it will act as a tool which can cause a data breach and spread malware.
U880D
"_Is it authoritatively safe to say just the key leak could not cause the decryption of the `etcd` contents?_" someone would also need the database entries and be able to decrypt them like in [How can I encrypt / decrypt AES-256 CBC with OpenSSL?](https://superuser.com/a/1361462/754490) or [How to use OpenSSL to encrypt/decrypt files?](https://stackoverflow.com/a/16056298/6771046).
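The `k8s:enc:aescbc:v1:key1:` header visible in the encrypted dump above names the provider and key that wrote each value, while the unencrypted dump starts with the protobuf magic `k8s`. As an added example (not code from the question or its comments), the script below parses that header over constructed etcd values so an operator can verify that every Secret is actually encrypted and was written with the currently active key, which is the check to run after enabling encryption or rotating `key1`; the sample paths and placeholder IV/ciphertext bytes are assumptions.

```python
# Added example (not from the question or its comments): parse the header that the
# kube-apiserver prefixes to every encrypted etcd value and report coverage.
from collections import Counter

ENC_MAGIC = b"k8s:enc:"   # value written through an encryption provider
PLAIN_MAGIC = b"k8s\x00"  # protobuf magic of a value stored by the identity provider

def classify(value: bytes) -> dict:
    """Parse one raw etcd value into status/provider/version/key fields."""
    info = {"status": "unknown", "provider": None, "version": None, "key": None}
    if value.startswith(ENC_MAGIC):
        # Layout: k8s:enc:<provider>:<version>:<keyname>:<payload>. For aescbc the
        # payload is the per-write IV followed by the ciphertext; it is binary and may
        # contain ':' bytes itself, so split at most five times.
        parts = value.split(b":", 5)
        if len(parts) < 6:
            info["status"] = "malformed"
            return info
        info.update(status="encrypted", provider=parts[2].decode("ascii", "replace"),
                    version=parts[3].decode("ascii", "replace"),
                    key=parts[4].decode("ascii", "replace"))
    elif value.startswith(PLAIN_MAGIC):
        info.update(status="plaintext", provider="identity")
    return info

def audit(entries: dict, active_key: str) -> dict:
    """Summarise {etcd_path: raw_value} against the key that is meant to be active."""
    report = {"by_key": Counter(), "plaintext": [], "stale_key": [], "unknown": []}
    for path, value in entries.items():
        info = classify(value)
        if info["status"] == "encrypted":
            report["by_key"][(info["provider"], info["key"])] += 1
            if info["key"] != active_key:
                report["stale_key"].append(path)  # rewrite needed to pick up the new key
        elif info["status"] == "plaintext":
            report["plaintext"].append(path)      # written before encryption was enabled
        else:
            report["unknown"].append(path)
    return report

# Constructed sample values (placeholder bytes stand in for real IV/ciphertext).
SAMPLE = {
    "/registry/secrets/default/secret1-no-encryption": PLAIN_MAGIC + b"\n\x02v1\x12\x06Secret",
    "/registry/secrets/default/secret2-with-encryption": b"k8s:enc:aescbc:v1:key1:" + bytes(range(16)) + b":" * 32,
    "/registry/secrets/kube-system/rotated-before": b"k8s:enc:aescbc:v1:key0:" + bytes(range(16)) + b":" * 32,
}

if __name__ == "__main__":
    r = audit(SAMPLE, active_key="key1")
    print("encrypted per (provider, key):", dict(r["by_key"]))
    print("still plaintext:", r["plaintext"])
    print("encrypted with a non-active key:", r["stale_key"])
```

Against a live cluster the same functions can be fed the output of an `etcdctl get --prefix /registry/secrets/` dump; any path in `plaintext` or `stale_key` needs a rewrite of the object so the apiserver re-encrypts it with the active key.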