Skip to main content

Generally available: Key management system integration with AKS

Published date: August 17, 2022

AKS now supports key management system (KMS) plugin integration. This generally available capability enables encryption at rest of your Kubernetes data in etcd using Azure Key Vault. This means you can now store secrets in bring your own key (BYOK) encrypted etcd using KMS.

From the Kubernetes documentation on Encrypting Secret Data at Rest:

KMS plugin for Key Vault is the recommended choice for using a third-party tool for key management. KMS plugin simplifies key rotation, with a new data encryption key (DEK) generated for each encryption, and key encryption key (KEK) rotation controlled by the user.


  • Use a key in Key Vault for etcd encryption
  • Bring your own keys
  • Provide encryption at rest for secrets stored in etcd

Learn more.

  • Azure Kubernetes Service (AKS)
  • Features
  • Security