Key management, keys

Turtles all the way down - Securely managing Kubernetes Secrets
secretbox: {} KMS Kubernetes secrets: 1.10 KMS plugins ● Encrypt secrets with a locally managed key, which is then encrypted with a centrally managed key ● EncryptionConfig uses aescbc with a KMS provider ● Sidecar pod for the KMS plugin Master kube-apiserver etcd kms-plugin SECRETDEK DEKKEK KEK Terminology and Notation DEK Data encryption key KEK Key encryption key {SECRET}DEK Secret is ation KMS 1.10 Envelope Encryption Sequence Master kube-apiserver etcd kms-plugin SECRET KMS 1.10 Kube-ApiServer Generates a DEK Master kube-apiserver etcd kms-plugin SECRET KMS 1.10 Kube-ApiServer
0 credits | 52 pages | 2.84 MB | 1 year ago

Putting an Invisible Shield on Kubernetes Secrets
encoded) • > K8s 1.7+ • at-rest encryption for etcd (local + remote) Local Encryption Provider KMS Encryption Provider Background: K8s Secrets • Encryption Keys stored on API Server • Secrets encrypted storage in etcd • Secrets decrypted on API Server prior to use • Encryption keys stored in a remote KMS • Use envelope encryption scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance TEE-based KMS Plugin [1] • Address performance & latency concerns • Reduce / minimize remote KMS interactions w/o compromising security • Address security threats • etcd compromise • Host (KMS plugin)
0 credits | 33 pages | 20.81 MB | 1 year ago

TiDB v5.3 Documentation
encryption algorithm used to encrypt the upload (empty, AES256 or aws:kms) sse-kms-key-id If sse is set to aws:kms, specifies the KMS ID URL parameter Description acl Canned ACL of the uploaded and aws:kms. Command-line parameter Description --s3.sse-kms-key-id If --s3.sse is configured as aws:kms, this parameter is used to specify the KMS ID. --s3.acl encryption algorithm used to encrypt the upload (empty, AES256 or aws:kms) sse-kms-key-id If sse is set to aws:kms, specifies the KMS ID URL parameter Description acl Canned ACL of the uploaded
0 credits | 2996 pages | 49.30 MB | 1 year ago

TiDB v5.2 Documentation
encryption algorithm used to encrypt the upload (empty, AES256 or aws:kms) sse-kms-key-id If sse is set to aws:kms, specifies the KMS ID URL parameter Description acl Canned ACL of the uploaded and aws:kms. Command-line parameter Description --s3.sse-kms-key-id If --s3.sse is configured as aws:kms, this parameter is used to specify the KMS ID. --s3.acl encryption algorithm used to encrypt the upload (empty, AES256 or aws:kms) sse-kms-key-id If sse is set to aws:kms, specifies the KMS ID URL parameter Description acl Canned ACL of the uploaded
0 credits | 2848 pages | 47.90 MB | 1 year ago

TiDB v5.1 Documentation
encryption algorithm used to encrypt the upload (empty, AES256 or aws:kms) sse-kms-key-id If sse is set to aws:kms, specifies the KMS ID URL parameter Description acl Canned ACL of the uploaded and aws:kms. Command-line parameter Description --s3.sse-kms-key-id If --s3.sse is configured as aws:kms, this parameter is used to specify the KMS ID. --s3.acl encryption algorithm used to encrypt the upload (empty, AES256 or aws:kms) sse-kms-key-id If sse is set to aws:kms, specifies the KMS ID URL parameter Description acl Canned ACL of the uploaded
0 credits | 2745 pages | 47.65 MB | 1 year ago

AWS LAMBDA Tutorial
[--description] [--timeout ] [--memory-size ] [--environment ] [--kms-key-arn ] [--tags ] [--zip-file ] [--cli-input-json ] list-functions [--vpc-config ] [--environment ] [--runtime ] [--dead-letter-config ] [--kms-key-arn ] [--tracing-config ] [--revision-id ] [--cli-input-json ] [--description ] [--timeout ] [--memory-size ] [--environment ] [--kms-key-arn ] [--tags ] [--zip-file ] [--cli-input-json ]
0 credits | 393 pages | 13.45 MB | 1 year ago

TiDB v5.4 Documentation
encryption algorithm used to encrypt the upload (empty, AES256 or aws:kms) sse-kms-key-id If sse is set to aws:kms, specifies the KMS ID acl Canned ACL of the uploaded objects (for example, private, authenticated options are empty, AES256 and aws:kms. --s3.sse-kms-key-id If --s3.sse is configured as aws:kms, this parameter is used to specify the KMS ID. Command-line parameter Description encryption algorithm used to encrypt the upload (empty, AES256 or aws:kms) sse-kms-key-id If sse is set to aws:kms, specifies the KMS ID acl Canned ACL of the uploaded objects (for example, private, authenticated
0 credits | 3650 pages | 52.72 MB | 1 year ago

TiDB v8.5 Documentation
17.8.1 Key Management Service (KMS) 17.8.2 Key-Value (KV) master key stored on a local disk • Encrypt using a master key managed by a Key Management Service (KMS) For more information, see documentation. • BR requires fewer privileges when restoring backup be a master key stored on a local disk or a master key managed by a cloud Key Management Service (KMS). Configuration file or component Configuration parameter Change type Description BR --
0 credits | 6730 pages | 111.36 MB | 10 months ago

TiDB v8.4 Documentation
master key stored on a local disk • Encrypt using a master key managed by a Key Management Service (KMS) For more information, see documentation. • BR requires fewer privileges when restoring backup be a master key stored on a local disk or a master key managed by a cloud Key Management Service (KMS). Configuration file or component Configuration parameter Change type Description BR -- issue that prevents master key rotation when the master key is stored in a Key Management Service (KMS) #17410 @hhwyt • Fix a traffic control issue that might occur after deleting large tables or partitions
0 credits | 6705 pages | 110.86 MB | 10 months ago

Installation OpenMeetings 6.1.0 on Debian 11
(Only one line, with space between both) sudo docker run -d --name kms -p 8888:8888 --mount type=bind,source=/opt/om_data,target=/opt/om_data kurento/kurento-media-server data server sudo systemctl start docker.service ….Docker sudo docker start kms ...Kurento Media Server sudo /etc/init.d/tomcat34 start
0 credits | 16 pages | 760.65 KB | 1 year ago