Host-based encryption on Azure Kubernetes Service (AKS)

With host-based encryption, the data stored on the VM host of your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service. This means the temp disks are encrypted at rest with platform-managed keys. The cache of OS and data disks is encrypted at rest with either platform-managed keys or customer-managed keys depending on the encryption type set on those disks.

By default, when using AKS, OS and data disks use server-side encryption with platform-managed keys. The caches for these disks are encrypted at rest with platform-managed keys. You can specify your own managed keys following Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service. The caches for these disks are also encrypted using the key you specify.

Host-based encryption is different than server-side encryption (SSE), which is used by Azure Storage. Azure-managed disks use Azure Storage to automatically encrypt data at rest when saving data. Host-based encryption uses the host of the VM to handle encryption before the data flows through Azure Storage.

Before you begin

Before you begin, review the following prerequisites and limitations.

Prerequisites

  • Ensure you have the CLI extension v2.23 or higher installed.

Limitations

  • This feature can only be set at cluster or node pool creation time.
  • This feature can only be enabled in Azure regions that support server-side encryption of Azure managed disks and only with specific supported VM sizes.
  • This feature requires an AKS cluster and node pool based on Virtual Machine Scale Sets as VM set type.

Use host-based encryption on new clusters

  • Create a new cluster and configure the cluster agent nodes to use host-based encryption using the az aks create command with the --enable-encryption-at-host flag.

    az aks create \
        --name myAKSCluster \
        --resource-group myResourceGroup \
        --storage-pool-sku Standard_DS2_v2 \
        --location westus2 \
        --enable-encryption-at-host \
        --generate-ssh-keys
    

Use host-based encryption on existing clusters

  • Enable host-based encryption on an existing cluster by adding a new node pool using the az aks nodepool add command with the --enable-encryption-at-host flag.

    az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 --enable-encryption-at-host
    

Next steps