I want to have a per client namespace and storage in my kubernetes environment where a dedicated instance of app runs per client and only client should be able to encrypt/decrypt the storage being used by that particular client's app. I have seen hundreds of examples on secrets encryption in kubernetes environment but struggling to achieve actual storage encryption that is controlled by the client. is it possible to have a storage encryption in K8s environment where only client has the knowledge of encryption keys (and not the k8s admin) ?
1
There are 1 best solutions below
Related Questions in ENCRYPTION
- How to customize the output of the Postgres Pseudo Encrypt function?
- encrypted email with entrust certificate is not opening with MS Outlook
- Encrypting with Crypto Node.js and decrypt with window.crypto in Service-Worker
- How to decrypt identity section in web config?
- An exception of type 'System.Security.Cryptography.CryptographicException': keyset does not exist
- IBM DB2 native encryption applied on live database
- crypto.BadPaddingException: data hash wrong (EKYC-Response)
- searchable row level encryption using java?
- AES 256 and Base64 Encrypted string works on iOS 8 but truncated on iOS 7
- Decrypted string returns "Length of the data to decrypt is invalid"
- Storing Encryption Key in Application
- Decryption password Encrypted using Encryptbypassphrase of SQL Server in Java
- Using HTTPS or encrypt response myself
- Encrypting (large) files in PHP with openSSL
- Writing a code to decrypt message from a text file
Related Questions in KUBERNETES
- How to know a Pod's own IP address from inside a container in the Pod?
- Who will decide the "specified number of pods" for replication controller in kubernetes?
- Access other containers of a pod in Kubernetes
- Kubernetes cluster using Vagrant not working after restart
- kubectl not installed with gcloud SDK
- How do I access the Kubernetes api from within a pod container?
- Exposing several services with Vagrant and Kubernetes on my own server
- Does Kubernetes provision new VMs for pods on my cloud platform?
- Any suggestion for running Aerospike on Kubernetes on CoreOS on GCE?
- Kubernetes - kubectl exec bash - session drop and line width
- Google Container Engine (GKE): "Hello Wordpress" tutorial not working (ERR_CONNECTION_REFUSED)
- Kubernetes Pod Creation Speed
- How can i set max count of pods for replication-controller per node?
- Is there a way to tell kubernetes to update your containers?
- Postgres with Kubernetes and persistentDisk
Related Questions in KUBERNETES-SECURITY
- IAM and RBAC Conflicts on Google Cloud Container Engine (GKE)
- Restricted Kubernetes dashboard?
- Enabling SSL on kubernates in GCE
- How to use https to call the kubernetes api server
- Kubernetes authentication with certificate
- connect to shell terminal of other container in a pod
- How prevent user from creating a pod with a specific label?
- Kubernetes Secret is not stored in encoded format in environment variables
- With Helm 3 and K8s cluster w/RBAC (X509 certs), what permissions does Helm need? I think it creates ConfigMaps for release info?
- Access spring security through kubernetes ingress
- Problems with simple RBAC example
- Can we provide a User Name that needs to be run as by a pod/containers in kubernetes?
- Kubernetes service account default permissions
- If I update a secret, does it automatically gets updated to all resources in which it is volume mounted?
- How to encrypt actual storage/volume used by containers in Kubernetes environment?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
The only thing that comes to my mind as suggested already in the comment is hashicorp vault.
Some of the features that you might to check out:
You can access all of its features programatically due to HTTP API. In addition, there are several officially supported libraries for programming languages (Go and Ruby). These libraries make the interaction with the Vault’s API even more convenient. There is also a command-line interface available.
Vault is capable of encrypting/decrypting data without storing it. The main implication from this is if an intrusion occurs, the hacker will not have access to real secrets even if the attack is successful.
Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up. This means that the secret does not exist until it is read.
Vault supports authentication using tokens, which is convenient and secure.
Vault can also be customized and connected to various plugins to extend its functionality. This all can be controlled from web graphical interface.