Report: Application-Layer Secrets Encryption Disabled in Google Cloud Platform (GCP)

Observations:

In Google Kubernetes Engine (GKE), sensitive data such as Kubernetes Secrets is stored in etcd. By default these Secrets are only base64-encoded; base64 is a reversible encoding, not encryption, so it provides no protection against unauthorized access. Application-layer secrets encryption adds a further layer of protection by encrypting the Secrets with keys managed in Cloud Key Management Service (KMS). When this feature is disabled, Secrets remain unencrypted at the application layer, which increases the risk of data exposure if etcd is compromised.

Impact:

Leaving application-layer secrets encryption disabled can lead to the following:

- Unauthorized Access: An attacker who gains access to etcd can read the sensitive information stored in Kubernetes Secrets, which may in turn grant unauthorized access to applications and services.
- Data Breach: Unencrypted secrets can be exploited, resulting in data breaches that may damage an organization's reputation and carry legal consequences.
- Non-Compliance: Many regulatory standards require encryption of sensitive data. Without application-layer encryption, an organization may fail to meet compliance requirements and face fines and sanctions.

Remediation:

To mitigate these risks, enable application-layer secrets encryption in GKE:

1. Create a Customer-Managed Key (CMK): Use Cloud KMS to create a key ring and a cryptographic key that will be used for encryption.

2. Grant Necessary Permissions: Ensure that the GKE service account has the cloudkms.cryptoKeyEncrypterDecrypter role on the created key so that it can perform encryption and decryption operations.

3. Enable Encryption on the GKE Cluster:

   Using Google Cloud Console: Navigate to the GKE clusters page. Select the desired cluster and open the "Details" tab. In the "Security" section, click "Edit" next to "Application-layer secrets encryption." Check the box to enable encryption, select the previously created CMK, and save the changes.

   Using gcloud CLI: Execute the following command:

       gcloud container clusters update CLUSTER_NAME \
           --region=COMPUTE_REGION \
           --database-encryption-key=projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME \
           --project=CLUSTER_PROJECT_ID

   Replace the placeholders with the values that correspond to your GCP setup.

4. Verify Encryption Status:

   Using Google Cloud Console: Navigate to the GKE clusters page. Select the cluster and check the "Application-layer secrets encryption" status in the "Security" section.

   Using gcloud CLI: Run the following command:

       gcloud container clusters describe CLUSTER_NAME \
           --region=COMPUTE_REGION \
           --format='value(databaseEncryption)' \
           --project=CLUSTER_PROJECT_ID

   Ensure that the output indicates that encryption is enabled.

References:

- Google Cloud Documentation: Encrypt secrets at the application layer.
- Trend Micro Cloud One Conformity: Enable Encryption for Application-Layer Secrets for GKE Clusters.
- Sysdig: 24 Google Cloud Platform (GCP) security best practices.

Implementing application-layer secrets encryption is a critical step in securing sensitive data within GKE clusters and in meeting security best practices and regulatory requirements.
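The four remediation steps above, scripted end to end with gcloud, as an added example that is not part of the original report. The project IDs, region, cluster, key ring and key names are constructed placeholders; the GKE service agent identity (service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com) and the databaseEncryption.state field read during verification are standard GKE identifiers, not values taken from the report.

```shell
#!/bin/sh
# Added example: remediate "application-layer secrets encryption disabled" on a
# GKE cluster. All values below are assumed placeholders; replace them.
set -eu

CLUSTER_PROJECT_ID="my-cluster-project"   # project that owns the GKE cluster
KEY_PROJECT_ID="my-key-project"           # project that owns the KMS key (may equal the above)
CLUSTER_NAME="prod-gke"
COMPUTE_REGION="us-central1"
LOCATION="us-central1"                    # KMS location; should match the cluster region
RING_NAME="gke-secrets-ring"
KEY_NAME="gke-secrets-key"

# Fully qualified KMS key resource name, the form expected by
# --database-encryption-key.
kms_key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$KEY_PROJECT_ID" "$LOCATION" "$RING_NAME" "$KEY_NAME"
}

# The GKE service agent that must hold cloudkms.cryptoKeyEncrypterDecrypter on
# the key. It lives in the cluster project and is addressed by project number.
gke_service_agent() {
  printf 'serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com\n' "$1"
}

# Interpret databaseEncryption.state as reported by `clusters describe`.
# Succeeds only for ENCRYPTED; DECRYPTED or an empty value means the finding is open.
encryption_enabled() {
  case "$1" in
    ENCRYPTED) return 0 ;;
    *)         return 1 ;;
  esac
}

# Step 1: create the key ring and a symmetric encryption key in Cloud KMS.
create_cmk() {
  gcloud kms keyrings create "$RING_NAME" --location="$LOCATION" --project="$KEY_PROJECT_ID"
  gcloud kms keys create "$KEY_NAME" --location="$LOCATION" --keyring="$RING_NAME" \
    --purpose=encryption --project="$KEY_PROJECT_ID"
}

# Step 2: grant the GKE service agent encrypt/decrypt on that key only
# (a key-level binding, not a project-wide role).
grant_gke_access() {
  project_number=$(gcloud projects describe "$CLUSTER_PROJECT_ID" --format='value(projectNumber)')
  gcloud kms keys add-iam-policy-binding "$KEY_NAME" --location="$LOCATION" \
    --keyring="$RING_NAME" --project="$KEY_PROJECT_ID" \
    --member="$(gke_service_agent "$project_number")" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Step 3: turn on application-layer secrets encryption for the cluster.
enable_cluster_encryption() {
  gcloud container clusters update "$CLUSTER_NAME" --region="$COMPUTE_REGION" \
    --database-encryption-key="$(kms_key_resource)" --project="$CLUSTER_PROJECT_ID"
}

# Step 4: verify; non-zero exit keeps a CI job or audit run from reporting success.
verify_cluster_encryption() {
  state=$(gcloud container clusters describe "$CLUSTER_NAME" --region="$COMPUTE_REGION" \
    --format='value(databaseEncryption.state)' --project="$CLUSTER_PROJECT_ID")
  if encryption_enabled "$state"; then
    echo "OK: $CLUSTER_NAME databaseEncryption.state=$state"
  else
    echo "FINDING STILL OPEN: $CLUSTER_NAME databaseEncryption.state=${state:-<unset>}" >&2
    return 1
  fi
}

# Only contact GCP when explicitly requested (RUN_GCLOUD=1 ./remediate.sh);
# otherwise the functions are just defined, so the file can be sourced offline.
if [ "${RUN_GCLOUD:-0}" = "1" ]; then
  create_cmk
  grant_gke_access
  enable_cluster_encryption
  verify_cluster_encryption
fi
```

The verification step reads databaseEncryption.state rather than the whole databaseEncryption object so the result can be compared directly: ENCRYPTED closes the finding, while DECRYPTED or an empty value means the cluster still stores Secrets without the KMS layer. Note that the update command only affects Secrets written after it runs; existing Secrets are re-encrypted as GKE rewrites them.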