Does HashiCorp Vault provide KMS provider integration?

I want to use HashiCorp Vault to store the encryption key for the Kubernetes etcd database.

Currently, Kubernetes provides a KMS provider, and I want to know whether HashiCorp Vault provides KMS provider integration.

Vault Enterprise can be hooked up to an HSM to secure the unseal keys (and a few others, in the compliance letter). The great thing about it is that you get auto-unseal while keeping strong security. Shards still exist for root token generation.

Vault HSM integration is independent of the K8S KMS provider. If you have free slots in your HSM, you could use the same HSM for both systems… But I would consider leaving the HSM backed cryptography to Vault only.

HashiCorp Vault does not directly support the Kubernetes KMS provider interface. However, there are several options that can make sense when you want to use HashiCorp Vault to encrypt Kubernetes etcd.

  1. The Trousseau OSS project implements the Kubernetes KMS v1 provider interface and supports HashiCorp Vault as one of its KMS providers.

  2. Vault Enterprise has support for managing keys for other natively supported KMS solutions such as AWS KMS, Azure Key Vault, and GCP KMS via the Key Management Secrets Engine. AWS KMS can also be configured to use Vault Enterprise as an external key manager with AWS XKS.
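Whichever KMS v1 plugin sits in front of Vault, the kube-apiserver side looks the same: an EncryptionConfiguration that points the `kms` provider at the plugin's gRPC Unix socket, and a check that the objects in etcd actually carry the `k8s:enc:kms:v1:<name>:` envelope prefix rather than the plaintext `k8s\x00` protobuf header. The block below is an added example written for this thread, not code from Trousseau, HashiCorp or Kubernetes. The provider name `vault-kms`, the socket path `/var/run/kmsplugin/socket.sock` and the etcd values in `SAMPLE_ETCD` are assumptions constructed for illustration.

```python
"""Render a KMS v1 EncryptionConfiguration and classify what is stored in etcd.

Added example for this thread; not code from Trousseau, HashiCorp or Kubernetes.
Assumptions (hypothetical): the plugin listens on SOCKET_PATH and is registered
under PROVIDER_NAME. SAMPLE_ETCD holds constructed values, not real captures.
"""
import re

PROVIDER_NAME = "vault-kms"                     # hypothetical provider name
SOCKET_PATH = "/var/run/kmsplugin/socket.sock"  # hypothetical plugin socket

# Provider order matters: the first entry is used for every write, and all
# entries are tried in order for reads. Keeping `identity` last lets the
# apiserver still read objects written before encryption was turned on;
# remove it once every object has been rewritten through the KMS provider.
ENCRYPTION_CONFIG = """\
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: {name}
          endpoint: unix://{socket}
          cachesize: 1000
          timeout: 3s
      - identity: {{}}
"""


def encryption_config(name=PROVIDER_NAME, socket=SOCKET_PATH):
    """Return the EncryptionConfiguration YAML for a KMS v1 plugin socket."""
    return ENCRYPTION_CONFIG.format(name=name, socket=socket)


# Every value the apiserver encrypts at rest is prefixed with an envelope of
# the form  k8s:enc:<provider>:<version>:<name>:  followed by the ciphertext.
# Values stored by the identity provider have no such prefix; they begin with
# the protobuf magic header  k8s\x00  and are readable by anyone with etcd access.
_ENC_PREFIX = re.compile(
    rb"^k8s:enc:(?P<provider>[a-z]+):(?P<version>v\d+):(?P<name>[^:]*):"
)


def classify_etcd_value(raw):
    """Return (provider, version, name) for an encrypted etcd value,
    or ("identity", None, None) when the value is stored in clear."""
    m = _ENC_PREFIX.match(raw)
    if m is None:
        return ("identity", None, None)
    return (m["provider"].decode(), m["version"].decode(), m["name"].decode())


# Constructed etcd values for illustration (not real captures).
SAMPLE_ETCD = {
    "/registry/secrets/default/db-creds": b"k8s:enc:kms:v1:vault-kms:\x00\x01\x02\xee\xff",
    "/registry/secrets/default/legacy": b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret",
    "/registry/secrets/kube-system/old": b"k8s:enc:aescbc:v1:key1:\x9a\x8b",
}


def keys_still_plaintext(store=SAMPLE_ETCD):
    """Keys whose value is not enveloped at all, i.e. still readable from etcd."""
    return sorted(k for k, v in store.items() if classify_etcd_value(v)[0] == "identity")


def keys_not_on_provider(store=SAMPLE_ETCD, provider="kms", name=PROVIDER_NAME):
    """Keys not yet written through the intended provider (plaintext or an
    older provider such as aescbc); these need a rewrite after the switch."""
    return sorted(
        k for k, v in store.items()
        if classify_etcd_value(v)[:1] + classify_etcd_value(v)[2:] != (provider, name)
    )


if __name__ == "__main__":
    print(encryption_config())
    for key, value in SAMPLE_ETCD.items():
        print(key, "->", classify_etcd_value(value))
    print("still plaintext:", keys_still_plaintext())
    print("needs rewrite:", keys_not_on_provider())
```

After pointing `kube-apiserver --encryption-provider-config` at the rendered file and restarting it, only new writes go through the plugin; existing objects keep their old encoding until they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Reading a key back with `etcdctl get /registry/secrets/default/db-creds` (or the raw bytes from an etcd snapshot) and feeding it to `classify_etcd_value` confirms the envelope prefix is there before the `identity` fallback is removed from the configuration.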