Integration Steps

This integration is implemented using the Envelope Encryption scheme to secure sensitive data at rest in etcd. A Data Encryption Key (DEK) encrypts the actual data, such as Secrets stored in etcd, and a Key Encryption Key (KEK) encrypts the DEK. The KEK is stored and managed in a GP HSM, so the DEK is only ever persisted in wrapped form. Kubernetes exposes the KMS v2 plugin interface to enable this kind of encryption at rest; the custom KMS plugin implements that interface and handles the communication between the kube-apiserver and the HSM for key management operations (wrapping and unwrapping the DEK).
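The scheme described above, as an added illustration that is not part of this guide or of the Utimaco plugin: a self-contained Go model in which a locally generated AES key stands in for the HSM-held KEK (in the real integration the KEK never leaves the HSM, and the wrap/unwrap of the DEK happens there on behalf of the KMS v2 plugin). The `Envelope` type and the `Encrypt`/`Decrypt` functions are assumptions for this example; a fresh DEK is drawn per secret, and a wrong KEK or a modified envelope is rejected instead of yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the record the plugin hands back for storage in etcd.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the HSM-held KEK; etcd never holds the DEK in clear
	Ciphertext []byte // secret sealed under the DEK, 12-byte GCM nonce prefixed
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length (not 16/24/32 bytes) fails here
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
func seal(key, plaintext []byte) []byte { // fresh random nonce prefixed to the output
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) { // wrong key or tampering fails the tag check
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Encrypt: fresh 256-bit DEK per secret, data under the DEK, DEK under the KEK.
func Encrypt(kek, plaintext []byte) *Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return &Envelope{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)}
}

// Decrypt unwraps the DEK with the KEK (the HSM's job in production), then the data.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err) // wrong KEK or tampered envelope
	}
	return open(dek, env.Ciphertext)
}
```

Because every call to `Encrypt` draws its own DEK, two envelopes of the same secret share nothing but the KEK, and rotating the KEK only requires re-wrapping the small DEKs rather than re-encrypting the data.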

The following section outlines the steps required to configure both the Utimaco HSM and the Kubernetes components so that the two work together.