Kubernetes has become the standard platform for running modern applications, but securing sensitive data inside Kubernetes remains a persistent challenge.
Applications depend on secrets to function. Kubernetes stores that data in etcd, and historically, Kubernetes Secrets have often been discussed as “just base64 encoded.” While Kubernetes supports encryption at rest, the real question is deeper.
Today, we are announcing the public beta of Vault Kubernetes key management, a new capability that lets Kubernetes clusters use HashiCorp Vault Enterprise as a KMS provider for encryption at rest.
Vault Kubernetes key management provides a Kubernetes KMS v2-compatible plugin, vault-kube-kms, that allows the Kubernetes API server to use Vault for envelope encryption. This enables organizations to protect Kubernetes Secrets and other API resources stored in etcd with Vault-backed encryption while centralizing key management, policy enforcement, auditing, and key rotation.
»The Kubernetes key management problem
Encrypting secrets is only part of the security equation. Encryption is only as strong as the keys behind it. For Kubernetes platform teams, this raises several important questions:
Where are key encryption keys stored?
Who has access to them?
How are they rotated?
How is key usage audited?
What happens when secrets need to remain protected across cluster lifecycle events?
If the same environment that stores sensitive data also controls the keys used to protect that data, the trust boundary remains too narrow.
This is especially important in zero trust architectures, where no platform, workload, user, or administrator should be implicitly trusted. Zero trust requires strong identity, least privilege, continuous verification, and independent protection of cryptographic trust anchors.
That is where Vault Kubernetes key management comes in.
»How Vault Kubernetes key management works
Vault Kubernetes key management allows Kubernetes to use Vault Enterprise for encryption at rest while preserving the performance characteristics expected by the Kubernetes API server.
The Kubernetes API server uses a data encryption key (DEK) seed to generate the data encryption keys used to encrypt and decrypt sensitive cluster data before it is written to etcd.
The DEK is responsible for encrypting the actual Kubernetes resources that require protection, such as secrets and other sensitive API objects.
However, the security of those DEKs ultimately depends on protecting the higher-level keys used to secure them. This is where Vault Kubernetes key management comes into play. Rather than storing and protecting key encryption keys entirely within the cluster, the Kubernetes API server communicates with the vault-kube-kms process through a Kubernetes KMS v2-compatible interface. The plugin forwards cryptographic operations to Vault, where the transit secrets engine manages the key encryption keys used to protect the DEK seed.
In this model:
Kubernetes generates and uses DEKs to encrypt sensitive resource data
The DEK seed is protected using key encryption keys (KEKs) managed by Vault
Vault performs cryptographic operations using those KEKs through the transit secrets engine
Encrypted Kubernetes data is stored in etcd, along with the encrypted DEK
This creates a layered encryption model:

Vault kubernetes key management encryption
This approach follows a common envelope encryption pattern. Instead of exposing sensitive root cryptographic material to the Kubernetes control plane, Vault becomes the centralized authority responsible for protecting the keys that ultimately secure Kubernetes data.
The result is a clear separation of responsibilities:

This approach follows a common envelope encryption pattern. Instead of exposing sensitive root cryptographic material to the Kubernetes control plane, Vault becomes the centralized authority responsible for protecting the keys that ultimately secure Kubernetes data.
The result is a clear separation of responsibilities:
Kubernetes handles high-volume encryption and decryption operations using DEKs.
Vault manages and protects the higher-order cryptographic keys. Without Vault, accessible and properly configured for access permissions, encrypted data in etcd cannot be decrypted
Security teams gain centralized control, auditing, and lifecycle management for key material through Vault Enterprise.
By separating data encryption from key management, organizations can strengthen the protection of sensitive data while maintaining the scalability and performance required for large Kubernetes environments.
»Common deployment scenarios
Vault Kubernetes key management is well-suited for organizations that want to strengthen Kubernetes encryption at rest while centralizing control of cryptographic keys. Common deployment scenarios include:
Enterprise Kubernetes platforms like Red Hat OpenShift, where platform teams want consistent encryption policies across cloud and on-premises deployments.

Production Kubernetes platforms that require centralized key management across multiple clusters.
Regulated environments where auditing, key rotation, and separation of duties are required for compliance.
Zero trust initiatives that require cryptographic trust anchors to remain independent from the workloads they protect.
»Building stronger zero trust
Zero trust is often discussed in terms of users, devices, and network access. But in Kubernetes environments, machine identities and platform services often outnumber human users. Applications, services, containers, CI/CD systems, infrastructure automation, and AI-driven workflows all need access to sensitive data. That makes Kubernetes key management foundational to cloud-native security.
Vault Kubernetes key management helps align Kubernetes encryption at rest with zero trust principles in several ways:
Centralized key management
Separation of trust domains
Auditing and operational visibility
Key rotation
No application code changes
»Securing cloud native infrastructure
The importance of key management is growing rapidly as platform and DevOps teams automate more of their infrastructure and security operations. Vault Kubernetes key management is designed for organizations that want stronger control over Kubernetes encryption at rest. It is especially relevant for teams that need to:
Protect Kubernetes Secrets stored in etcd
Align Kubernetes security with zero trust practices
Reduce reliance on cluster-local key encryption keys
Additionally, modern environments are increasingly populated by non-human identities:
Applications
Services
Containers
CI/CD pipelines
Infrastructure automation tools
AI agents
The rise of AI-driven systems further accelerates this trend. Autonomous workflows require continuous access to sensitive resources, APIs, and infrastructure. These systems must authenticate, retrieve secrets, and establish trust without human intervention.
This places even greater emphasis on strong key management practices and independently protected roots of trust.
The future of zero trust will not be defined solely by how organizations authenticate users. It will increasingly be defined by how they secure machine-driven interactions at scale.
»Looking ahead
As Kubernetes continues to serve as the foundation for modern applications, securing the cryptographic roots of trust becomes increasingly important. Encryption at rest is no longer just about protecting stored data — it is about ensuring that the keys protecting that data are managed independently, governed consistently, and integrated into a broader security strategy.
Vault Kubernetes key management extends Vault's role as the trusted foundation for secrets, identity, and cryptographic operations into the Kubernetes control plane, giving organizations a centralized approach to protecting sensitive cluster data while aligning with zero trust principles.
»What's next
The public beta is the first step toward bringing centralized key management to Kubernetes encryption at scale. We invite platform engineers and security teams to explore the capability, evaluate how it fits within their Kubernetes environments, and share feedback as we continue to evolve the experience.
Whether your goal is strengthening Kubernetes security, simplifying key lifecycle management, or building a stronger foundation for cloud native zero trust, Vault Kubernetes key management provides a new way to separate trust from the platform itself.
»Public beta availability
Vault Kubernetes key management is available today in public beta for Vault Enterprise. It can be deployed in Kubernetes environments where administrators can modify the Kubernetes EncryptionConfig and kube-apiserver manifest. Visit our documentation to get started.







