HashiCorp Vault Kubernetes KMS Plugin Enters Public Beta for etcd Encryption
HashiCorp launched a public beta of its Vault Kubernetes KMS plugin on July 10, 2026, enabling Kubernetes API servers to delegate etcd envelope encryption to Vault Enterprise. The tool, named vault-kube-kms, implements the Kubernetes KMS v2 interface and uses Vault's transit secrets engine to manage key encryption keys while Kubernetes continues generating data encryption keys. The integration consolidates etcd key management into the same Vault policy engine and audit trail already used for other pipeline credentials, reducing the risk of rotation being overlooked. Deployment requires changes to the EncryptionConfiguration file and the kube-apiserver manifest, with no alterations to the existing Kubernetes API server contract. Operators should note that a Vault outage during a control plane restart can cause a full control plane outage, and existing etcd records must be manually rewritten to apply the new encryption provider.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in