X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=XTesting%2Fkubespray%2Fdocs%2Fencrypting-secret-data-at-rest.md;fp=XTesting%2Fkubespray%2Fdocs%2Fencrypting-secret-data-at-rest.md;h=36742821e85719db0e94ed6201587e4846faeee2;hb=31af17bb5935b722dcf59d5800aaff9e789cfa93;hp=0000000000000000000000000000000000000000;hpb=c8bda4f07b7e87beb2aa3d8729f9b0b456d4da6f;p=it%2Ftest.git diff --git a/XTesting/kubespray/docs/encrypting-secret-data-at-rest.md b/XTesting/kubespray/docs/encrypting-secret-data-at-rest.md new file mode 100644 index 0000000..3674282 --- /dev/null +++ b/XTesting/kubespray/docs/encrypting-secret-data-at-rest.md @@ -0,0 +1,22 @@ +# Encrypting Secret Data at Rest + +Before enabling Encrypting Secret Data at Rest, please read the following documentation carefully. + + + +As you can see from the documentation above, 5 encryption providers are supported as of today (22.02.2022). + +As default value for the provider we have chosen `secretbox`. + +Alternatively you can use the values `identity`, `aesgcm`, `aescbc` or `kms`. + +| Provider | Why we have decided against the value as default | +|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| identity | no encryption | +| aesgcm | Must be rotated every 200k writes | +| aescbc | Not recommended due to CBC's vulnerability to padding oracle attacks. | +| kms | Is the official recommended way, but assumes that a key management service independent of Kubernetes exists, we cannot assume this in all environments, so not a suitable default value. | + +## Details about Secretbox + +Secretbox uses [Poly1305](https://cr.yp.to/mac.html) as message-authentication code and [XSalsa20](https://www.xsalsa20.com/) as secret-key authenticated encryption and secret-key encryption.
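Review bot: the two sentences "please read the following documentation carefully" and "As you can see from the documentation above" both point at something that is not in the hunk: the lines between them are empty, so the upstream Kubernetes "Encrypting Secret Data at Rest" page the text relies on (the source of the five-provider count and of the "200k writes" figure for `aesgcm`) was never linked. Restore the link there so the reader can verify the claims and provider list. In the "Details about Secretbox" paragraph the roles are described imprecisely: Poly1305 is the message-authentication code and XSalsa20 is the stream cipher; it is their combination (XSalsa20-Poly1305) that forms the secretbox authenticated encryption, so "XSalsa20 as secret-key authenticated encryption and secret-key encryption" should read "XSalsa20 as the stream cipher; together they provide secret-key authenticated encryption". Two smaller points: the `identity` row should say explicitly that choosing it stores Secrets in plaintext in etcd, since a reader may otherwise read it as a harmless default, and the document names the default provider and the alternatives but not where in the kubespray inventory the value is set, which is the one thing an operator needs in order to change it.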