1 # Encrypting Secret Data at Rest
3 Before enabling Encrypting Secret Data at Rest, please read the following documentation carefully.
5 <https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/>
7 As you can see from the documentation above, 5 encryption providers are supported as of today (22.02.2022).
9 As default value for the provider we have chosen `secretbox`.
11 Alternatively you can use the values `identity`, `aesgcm`, `aescbc` or `kms`.
13 | Provider | Why we have decided against the value as default |
14 |----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
15 | identity | no encryption |
16 | aesgcm | Must be rotated every 200k writes |
17 | aescbc | Not recommended due to CBC's vulnerability to padding oracle attacks. |
18 | kms | Is the official recommended way, but assumes that a key management service independent of Kubernetes exists, we cannot assume this in all environments, so not a suitable default value. |
20 ## Details about Secretbox
22 Secretbox uses [Poly1305](https://cr.yp.to/mac.html) as message-authentication code and [XSalsa20](https://www.xsalsa20.com/) as secret-key authenticated encryption and secret-key encryption.