# Using always-on secrets encryption

Google Distributed Cloud version 1.10 supports encrypting secrets without the need for an external KMS (Key Management Service) or any other dependencies.

Enable always-on secrets encryption
-----------------------------------

Always-on secrets encryption works by automatically generating an encryption key that is used to encrypt secrets before they are stored in the etcd database for that cluster.

The key version is a version number that indicates the key currently in use.

You can enable secrets encryption after a cluster has already been created.

- For the admin cluster:

  1. Edit the [admin cluster configuration file](/anthos/clusters/docs/on-prem/1.10/how-to/admin-cluster-configuration-file#secretsencryption-section) to add the `secretsEncryption` section.

  2. Run the `gkectl update` command.

     ```
     gkectl update admin --config ADMIN_CLUSTER_CONFIG_FILE --kubeconfig ADMIN_CLUSTER_KUBECONFIG
     ```

- For a user cluster:

  1. Edit the [user cluster configuration file](/anthos/clusters/docs/on-prem/1.10/how-to/user-cluster-configuration-file#secretsencryption-section) to add the `secretsEncryption` section.

  2. Run the `gkectl update` command.

     ```
     gkectl update cluster --config USER_CONFIG_FILE --kubeconfig ADMIN_CLUSTER_KUBECONFIG
     ```

Replace the following:

- `ADMIN_CLUSTER_KUBECONFIG` with the path of your admin cluster kubeconfig file.
- `ADMIN_CLUSTER_CONFIG_FILE` with the path of your admin cluster configuration file.
- `USER_CONFIG_FILE` with the path of your user cluster configuration file.

The `gkectl update` commands provided in this section can also be used for any other updates to the corresponding cluster.
Key storage
-----------

The encryption keys for the admin cluster are stored on the admin cluster data disk. This disk is mounted on the admin master machine at `/opt/data`, and the encryption keys can be found at `/opt/data/gke-k8s-kms-plugin/generatedkeys/`. These keys must be backed up to retain access to the secrets that were encrypted with them.
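The page says the keys under `/opt/data/gke-k8s-kms-plugin/generatedkeys/` must be backed up but does not show how. The following POSIX shell script is an added example, not part of the Google Distributed Cloud documentation or of `gkectl`. It archives the whole key directory with owner-only permissions, writes a SHA-256 sidecar, and verifies the archive afterwards, refusing to produce an empty backup. The layout of the files inside `generatedkeys/` is not documented on this page, so the script treats the directory as opaque; `KEYS_DIR`, `backup_generated_keys`, `verify_backup` and the `demo_backup` fixture (which uses constructed fake key files, not real key material) are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Google Distributed Cloud docs or gkectl): back up
# the always-on secrets encryption keys from the admin master data disk and
# verify the archive. Run it on the admin master, where /opt/data is mounted.
set -eu

# Default taken from the docs; override with KEYS_DIR=... for testing.
KEYS_DIR="${KEYS_DIR:-/opt/data/gke-k8s-kms-plugin/generatedkeys}"

sha256_of() {
  # Portable SHA-256: GNU coreutils sha256sum or BSD/macOS shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# backup_generated_keys <keys_dir> <dest_dir>
# Writes <dest_dir>/generatedkeys-<utc timestamp>.tar.gz (mode 0600) and a
# .sha256 sidecar, then prints the archive path. Returns 1 without writing
# anything if the directory is missing or contains no files.
backup_generated_keys() {
  keys_dir="$1"; dest_dir="$2"
  [ -d "$keys_dir" ] || { echo "key directory not found: $keys_dir" >&2; return 1; }
  n=$(find "$keys_dir" -type f | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] || { echo "no key files in $keys_dir; refusing to write an empty backup" >&2; return 1; }
  umask 077                      # key material: owner-only permissions
  mkdir -p "$dest_dir"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest_dir/generatedkeys-$stamp.tar.gz"
  # -C keeps the paths relative so a restore can target any mount point.
  tar -C "$(dirname "$keys_dir")" -czf "$archive" "$(basename "$keys_dir")"
  sha256_of "$archive" > "$archive.sha256"
  echo "$archive"
}

# verify_backup <archive>: recomputes the digest, compares it with the sidecar
# and checks that the archive lists at least one entry. Returns 0 on success.
verify_backup() {
  archive="$1"
  [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
  [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
  tar -tzf "$archive" | grep -q . || return 1
}

# Self-contained demonstration on constructed fake key files (not real keys),
# so the script can be exercised without an admin master.
demo_backup() {
  work=$(mktemp -d)
  mkdir -p "$work/generatedkeys"
  printf 'constructed-fake-key-v1' > "$work/generatedkeys/key-1.txt"
  archive=$(backup_generated_keys "$work/generatedkeys" "$work/backup")
  verify_backup "$archive" && echo "backup verified: $archive"
}
demo_backup
```

On a real admin master, call `backup_generated_keys "$KEYS_DIR" /path/to/offline/backup` and move the archive and its `.sha256` sidecar to storage with the same access controls as the cluster's secrets; anyone holding the archive can decrypt every secret protected by those keys.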
Key rotation
------------

To rotate an existing encryption key for a cluster, increment the `keyVersion` in the corresponding [admin cluster configuration file](/anthos/clusters/docs/on-prem/1.10/how-to/admin-cluster-configuration-file#secretsencryption-generatedkey-version-field) or [user cluster configuration file](/anthos/clusters/docs/on-prem/1.10/how-to/user-cluster-configuration-file#secretsencryption-generatedkey-version-field), and run the appropriate `gkectl update` command. This creates a new key matching the new version number, re-encrypts each secret, and securely erases the old one. All subsequent new secrets are encrypted using the new encryption key.
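Rotation is the same edit-then-update step as enabling, with the `keyVersion` bumped by one. The POSIX shell helper below is an added example (not part of the Google Distributed Cloud documentation or of `gkectl`): it reads the current `keyVersion` from a cluster configuration file, rewrites it as the next integer, and prints the matching `gkectl update` command from this page for an admin or user cluster. It refuses to rotate when encryption is disabled or not configured, so a stale config cannot silently enable encryption at version 1. It assumes `keyVersion` sits on its own line under `generatedKey`, as the `disabled` field does in this page's disable example; `key_version_of`, `encryption_disabled`, `bump_key_version`, `update_command` and the constructed sample config in `demo_rotate` are this example's own.

```shell
#!/bin/sh
# Added example (not from the Google Distributed Cloud docs or gkectl): bump
# secretsEncryption.generatedKey.keyVersion in a cluster config file and print
# the gkectl update command to run next. It never runs gkectl itself.
# Assumption: keyVersion appears once, on its own line, under generatedKey.
set -eu

# key_version_of <config>: prints the current keyVersion, or nothing if absent.
key_version_of() {
  sed -n 's/^[[:space:]]*keyVersion:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# encryption_disabled <config>: true if the config carries "disabled: true".
encryption_disabled() {
  grep -q '^[[:space:]]*disabled:[[:space:]]*true[[:space:]]*$' "$1"
}

# bump_key_version <config>: increments keyVersion in place (keeping a .bak
# copy of the previous file) and prints the new value. Returns 1 and leaves
# the file untouched when rotation does not apply.
bump_key_version() {
  cfg="$1"
  if encryption_disabled "$cfg"; then
    echo "secrets encryption is disabled in $cfg; nothing to rotate" >&2; return 1
  fi
  cur=$(key_version_of "$cfg")
  if [ -z "$cur" ]; then
    echo "no keyVersion in $cfg; enable encryption before rotating" >&2; return 1
  fi
  next=$((cur + 1))
  cp "$cfg" "$cfg.bak"
  sed "s/^\([[:space:]]*keyVersion:[[:space:]]*\)$cur[[:space:]]*$/\1$next/" "$cfg.bak" > "$cfg"
  echo "$next"
}

# update_command <admin|user> <config> <admin-kubeconfig>: the gkectl update
# command from the docs for that cluster type (printed, not executed).
update_command() {
  case "$1" in
    admin) echo "gkectl update admin --config $2 --kubeconfig $3" ;;
    user)  echo "gkectl update cluster --config $2 --kubeconfig $3" ;;
    *) echo "unknown cluster type: $1" >&2; return 1 ;;
  esac
}

# Demonstration on a constructed config fragment, not a real cluster file.
demo_rotate() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
# constructed sample user cluster config fragment
secretsEncryption:
  mode: GeneratedKey
  generatedKey:
    keyVersion: 1
EOF
  new=$(bump_key_version "$cfg")
  echo "rotated $cfg to keyVersion $new; now run:"
  update_command user "$cfg" ADMIN_CLUSTER_KUBECONFIG
  rm -f "$cfg" "$cfg.bak"
}
demo_rotate
```

Because `gkectl update` re-encrypts every secret and erases the old key, back up the current keys (see Key storage) before running the printed command, and keep the `.bak` copy of the config until the update has completed.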
Disable always-on secrets encryption
------------------------------------

To disable secrets encryption on an existing cluster, remove the `keyVersion` field and add a `disabled: true` field. Next, run the corresponding `gkectl update` command. This update decrypts each existing secret and stores each secret in plain text. All subsequent new secrets are stored in plain text.

```
secretsEncryption:
  mode: GeneratedKey
  generatedKey:
    disabled: true
```
Last updated 2025-09-04 UTC.