Tuesday, November 19 • 11:50am - 12:25pm
Hardware-based KMS Plug-in to Protect Secrets in Kubernetes - Raghu Yeluri & Haidong Xia, Intel

Secrets are a key pillar of Kubernetes security, and Kubernetes 1.10+ strengthened the protection of Secrets at rest in etcd with support for an external KMS (via KMS plug-ins) and envelope encryption. However, while the KMS plug-in is running, the secret encryption keys (DEKs/KEK) sit in the clear in the memory of the Kubernetes master. An attacker with privileged access to the master node/host can read the keys from memory, access the Secrets, and compromise both the data and the cluster. This session proposes a solution (with a quick demo): a new KMS plug-in that leverages a hardware-based TEE (trusted execution environment, such as Intel SGX) so that the keys, and the encryption of the Secrets, are protected by the CPU on the master, addressing the threat vector above. It enumerates multiple options for integrating with the KMS and articulates the trade-offs of each approach.
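The envelope-encryption flow and the threat the abstract describes, as an added illustration written for this page (not the speakers' or Intel's code, and not a real KMS plug-in): the API server generates a fresh data-encryption key (DEK) per object, encrypts the object with it, and asks the plug-in to wrap the DEK under a key-encryption key (KEK) it never sees. A real plug-in exposes Encrypt/Decrypt over the KeyManagementService gRPC interface on a Unix socket and is wired in through an EncryptionConfiguration `kms` provider; here both sides are modelled in one process with AES-256-GCM. The names `kmsPlugin`, `encryptSecret`, `attackerWithKEK` and the AAD label are assumptions for the example. `attackerWithKEK` shows why the talk matters: a KEK lifted from the plug-in's process memory is all that is needed to read every Secret in etcd, which is exactly what moving the KEK into a TEE is meant to prevent.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// dekLabel is bound as GCM additional data when wrapping a DEK so a wrapped
// DEK cannot be passed off as an object ciphertext or vice versa. (Assumed
// label for this example, not a Kubernetes convention.)
var dekLabel = []byte("kms-plugin-dek")

// kmsPlugin stands in for the KMS plug-in process on the control-plane node.
// Its KEK lives in plain process memory: that is the exposure described above.
type kmsPlugin struct {
	kek []byte
}

func newKMSPlugin() (*kmsPlugin, error) {
	kek := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &kmsPlugin{kek: kek}, nil
}

// aesGCMSeal encrypts plaintext under key with AES-GCM; the random nonce is
// prefixed to the returned blob.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal and fails on any tampering with nonce, body or AAD.
func aesGCMOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt and Decrypt are the plug-in's two RPCs: wrap and unwrap a DEK with the KEK.
func (p *kmsPlugin) Encrypt(dek []byte) ([]byte, error) { return aesGCMSeal(p.kek, dek, dekLabel) }
func (p *kmsPlugin) Decrypt(wrapped []byte) ([]byte, error) {
	return aesGCMOpen(p.kek, wrapped, dekLabel)
}

// envelope is what is stored in etcd for one object: wrapped DEK plus ciphertext.
type envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// encryptSecret plays the API server: fresh DEK per object, encrypt the object
// with it, have the plug-in wrap the DEK, then drop the plaintext DEK.
func encryptSecret(p *kmsPlugin, secret []byte) (envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return envelope{}, err
	}
	ct, err := aesGCMSeal(dek, secret, nil)
	if err != nil {
		return envelope{}, err
	}
	wrapped, err := p.Encrypt(dek)
	if err != nil {
		return envelope{}, err
	}
	return envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// decryptSecret is the read path: unwrap the DEK via the plug-in, then open the object.
func decryptSecret(p *kmsPlugin, env envelope) ([]byte, error) {
	dek, err := p.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, env.Ciphertext, nil)
}

// attackerWithKEK models the threat: a privileged process on the master that
// scraped the KEK out of the plug-in's memory needs no RPC at all to read etcd.
func attackerWithKEK(kek []byte, env envelope) ([]byte, error) {
	dek, err := aesGCMOpen(kek, env.WrappedDEK, dekLabel)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, env.Ciphertext, nil)
}

func main() {
	p, err := newKMSPlugin()
	if err != nil {
		panic(err)
	}
	secret := []byte("db-password=hunter2") // constructed sample Secret payload
	env, err := encryptSecret(p, secret)
	if err != nil {
		panic(err)
	}
	back, _ := decryptSecret(p, env)
	stolen, _ := attackerWithKEK(p.kek, env)
	fmt.Println("api-server round trip ok:", bytes.Equal(back, secret))
	fmt.Println("memory-scraped KEK suffices:", bytes.Equal(stolen, secret))
}
```

The point to take from the example is structural rather than cryptographic: the ciphertext in etcd is only as safe as wherever `p.kek` lives, and nothing in the envelope scheme itself distinguishes the legitimate plug-in from a process that copied its memory. The TEE-backed plug-in the session describes keeps that byte slice inside an enclave so the unwrap can only happen there.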

Speakers
Raghu Yeluri

Sr. Principal Engineer, Intel
Raghu Yeluri is a Sr. Principal Engineer and lead Security Architect in the Data Center Group at Intel Corporation with focus on container, virtualization and cloud security. In this role, he drives security solution architecture and development to deliver hardware-assisted security...
Haidong Xia

Sr. Solutions Architect, Intel
Haidong is a Sr. security solution architect in the Data Center Group at Intel Corporation. He is also a seasoned developer working on Kubernetes/container security, OpenStack integration of h/w security features and controls, and micro-service/cloud native architecture development. He...



Tuesday November 19, 2019 11:50am - 12:25pm
Room 6E - San Diego Convention Center Upper Level