How to enable etcd encryption in VMware Enterprise PKS
search cancel

How to enable etcd encryption in VMware Enterprise PKS


Article ID: 345556


Updated On:




  • You would like to enable the etcd encryption for the K8S clusters deployed by VMware Enterprise PKS.

  • You do not see an option in the PKS tile or to any of the pks commands to modify the kube-apiserver to enable the etcd encryption.


VMware PKS 1.x


To enable etcd encryption, the kube-apiserver must start with a specific switch. The kube-apiserver process accepts the --encryption-provider-config argument that controls how API data is encrypted in etcd. 

This option can be added to the kube-apiserver config file for Enterprise PKS at /var/vcap/jobs/kube-apiserver/config/bpm.yml but is not persistent. If the VM is recreated or if a cluster upgrade is performed, any manual modifications made will be overwritten with the stemcell release configuration.


This is an expected behavior in VMware Enterprise PKS. Currently, we do not have any workaround.

Additional Information

To be alerted when this article is updated, click the subscribe button [cid:[email protected]] . For more information on KB subscription features, see the Knowledge Base Article FAQs: How to Subscribe to VMware Knowledge Base Articles (76417).

By default, etcd data is not encrypted and can be viewed if a user has access to the etcd servers or if the user has access to the pod which has the secret mounted to it.