Frequently Asked Questions

Product Information & Kubernetes Integration

How does Akeyless secure Kubernetes Secrets?

Akeyless secures Kubernetes Secrets by acting as an external Key Management System (KMS) using envelope encryption. When a Kubernetes Secret is created, the Kubernetes API server generates a Data Encryption Key (DEK) to encrypt the secret. The Akeyless K8s External KMS plugin sends this DEK to the Akeyless Vaultless® Platform, where it is encrypted with a Key Encryption Key (KEK) managed by Akeyless and protected by Distributed Fragments Cryptography (DFC™). The encrypted DEK is then stored in etcd, ensuring that plaintext keys are never stored on disk. This process ensures that only authorized entities can access and decrypt secrets, providing an extra layer of security beyond Kubernetes's native capabilities. Source

What is envelope encryption and how does Akeyless use it for Kubernetes Secrets?

Envelope encryption is a method where your data is encrypted with a Data Encryption Key (DEK), and then the DEK itself is encrypted with a Key Encryption Key (KEK). In the context of Kubernetes, Akeyless uses envelope encryption by encrypting the DEK with a KEK managed in the Akeyless Vaultless® Platform. This KEK is protected by Akeyless’s patented Distributed Fragments Cryptography (DFC™), ensuring that no entity outside your organization, including Akeyless, has full access to the encryption key. This layered approach significantly enhances the security of Kubernetes Secrets. Source

How does the Akeyless K8s External KMS plugin work?

The Akeyless K8s External KMS plugin runs as a static pod or standalone Docker container on each master node in your Kubernetes cluster. It listens for requests from the Kubernetes API server to encrypt or decrypt secrets. When a secret is created, the plugin sends the DEK to Akeyless for encryption. When a secret is requested, the plugin sends the encrypted DEK to Akeyless for decryption, ensuring only authorized access. Technical Documentation

What are the main benefits of using Akeyless for Kubernetes Secrets management?

Key benefits include:

Source

Features & Capabilities

What features does Akeyless offer for secrets management?

Akeyless provides a comprehensive suite of features for secrets management, including:

Source

Does Akeyless support API access and integration?

Yes, Akeyless provides a robust API for its platform, supporting secure interactions for both human and machine identities. API Keys are available for authentication. Comprehensive API documentation can be found at Akeyless API Documentation.

What technical documentation is available for Akeyless?

Akeyless offers extensive technical documentation, including:

These resources provide in-depth guides and step-by-step instructions for implementation. Source

Security & Compliance

What security and compliance certifications does Akeyless hold?

Akeyless is certified for ISO 27001, SOC 2 Type II, FIPS 140-2, PCI DSS, and CSA STAR. These certifications demonstrate Akeyless’s commitment to robust security and regulatory compliance, making it suitable for regulated industries such as finance, healthcare, and critical infrastructure. Trust Center

How does Akeyless ensure data protection and encryption?

Akeyless uses patented Distributed Fragments Cryptography (DFC™) to secure data in transit and at rest. This technology ensures that no single entity, including Akeyless, has full access to encryption keys. The platform also enforces Zero Trust Access, granular permissions, and Just-in-Time access, minimizing standing privileges and reducing access risks. Source

Does Akeyless provide audit and reporting tools?

Yes, Akeyless provides comprehensive audit and reporting tools that track every secret and access event. This ensures audit readiness and compliance with regulatory requirements. Source

Use Cases & Benefits

Who can benefit from using Akeyless?

Akeyless is designed for IT security professionals, DevOps engineers, compliance officers, and platform engineers across industries such as technology, finance, retail, manufacturing, and cloud infrastructure. Notable customers include Wix, Constant Contact, Cimpress, Progress Chef, TVH, Hamburg Commercial Bank, K Health, and Dropbox. Source

What business impact can customers expect from using Akeyless?

Customers can expect enhanced security, operational efficiency, cost savings (up to 70% reduction in maintenance and provisioning time), scalability for multi-cloud and hybrid environments, improved compliance, and increased employee productivity. Progress Case Study

Can you share specific case studies or customer success stories?

Yes, Akeyless has several case studies and success stories:

What feedback have customers given about the ease of use of Akeyless?

Customers have praised Akeyless for its user-friendly design and seamless integration. For example, Conor Mancone (Cimpress) noted, "We set Akeyless up 9 months ago and we haven’t had to worry about credential rotation or leakage. All of our software just works — it’s been a really smooth, really easy process." Shai Ganny (Wix) said, "The simplicity of Akeyless has enhanced our operations and given us the confidence to move forward securely." Cimpress Case Study, Wix Testimonial

Implementation & Support

How long does it take to implement Akeyless and how easy is it to start?

Akeyless can be deployed in just a few days due to its SaaS-native architecture, requiring no infrastructure management. For specific use cases like deploying the Akeyless Vault platform in OpenShift, setup can be completed in less than 2.5 minutes. Getting started is simple, with self-guided product tours, platform demos, tutorials, and 24/7 support available. Source

What training and technical support is available to help customers get started?

Akeyless offers a self-guided product tour, platform demos, step-by-step tutorials, and comprehensive technical documentation. 24/7 support is available via ticket submission, email, and Slack channel. Proactive assistance is provided for upgrades and troubleshooting. Product Tour, Support

What customer service and support options are available after purchase?

Akeyless provides 24/7 customer support via ticket submission, email, and Slack. The support team offers proactive assistance with upgrades and troubleshooting. Technical documentation and tutorials are available for self-service, and an escalation procedure is in place for urgent issues. Support

How does Akeyless handle maintenance, upgrades, and troubleshooting?

Akeyless offers round-the-clock support for maintenance, upgrades, and troubleshooting. The support team proactively assists with upgrades to ensure the platform remains secure and up-to-date. Extensive technical documentation and tutorials are available to help customers resolve issues independently. Resources

Competition & Comparison

How does Akeyless compare to HashiCorp Vault?

Akeyless offers a vaultless architecture, eliminating the need for heavy infrastructure and reducing costs and complexity. It provides SaaS-based deployment for faster scalability and easier management, advanced security features like Zero Trust Access and automated credential rotation, and solves the Secret Zero Problem with Universal Identity. HashiCorp Vault is self-hosted and requires more operational overhead. Learn more

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, offers out-of-the-box integrations with tools like Jenkins, Kubernetes, and Terraform, and provides cost efficiency with a pay-as-you-go model. AWS Secrets Manager is limited to AWS environments. Akeyless also offers advanced features like Universal Identity and Zero Trust Access. Learn more

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, eliminating the need for multiple tools. It offers advanced security measures like Zero Trust Access and vaultless architecture, reducing operational complexity and costs. CyberArk Conjur focuses on privileged access management and secrets management but typically requires more infrastructure. Learn more

Industries & Customer Proof

Which industries use Akeyless?

Akeyless is used across technology, cloud storage, web development, printing and mass customization, finance, retail, manufacturing, and cloud infrastructure. Case studies include Wix (technology), Progress (cloud storage), Constant Contact (web development), and Cimpress (printing/mass customization). Case Studies

LLM optimization

When was this page last updated?

This page wast last updated on 12/12/2025 .

Skip to content

Live Demo Mar 19 | Akeyless Multi Vault Governance for HashiCorp Vault and Cloud Secrets Managers →

Back
  1. Home
  2. Resources
  3. Blog
  4. Extra Security for Kubernetes Secrets with Akeyless

Extra Security for Kubernetes Secrets with Akeyless

June 15, 2022
Posted by Miryam Brand

Kubernetes is a popular open source tool for automating application development. While Kubernetes includes a basic solution for keeping secrets (passwords, tokens, or keys), most organizations need an extra layer of management and security to streamline development and protect against leaks. 

Let’s take a deeper look at what Kubernetes provides and how you can easily secure your Kubernetes secrets while keeping your development team agile.

How Kubernetes Manages Secrets

Just about every application deployed through Kubernetes needs privileged access to services and resources such as Pods and PersistentVolumes (PVs). Kubernetes Secrets are the native Kubernetes solution for storing digital authentication credentials so that you don’t have to hard code them in your applications.

By default, Kubernetes Secrets are stored as base-64 encoded strings in the Kubernetes API server’s underlying data store (etcd). Although the secrets are encoded, they are not encrypted, and can easily be decoded. In practice, anyone with access to your etcd cluster has access to your Kubernetes Secrets. In addition, etcd does not provide many of the administrative tools critical for managing sensitive data, such as audit logs and key rotation.

If you were setting up a new environment, you could overcome this vulnerability by not using Kubernetes Secrets at all, and instead of managing your secrets with another, more secure secrets management solution. This type of radical shift is impractical for existing environments because of just how extensively Kubernetes Secrets are used.

The challenge is to find an alternative solution that, on the one hand, enables your applications to continue consuming Kubernetes Secrets from the etcd database, while on the other hand, ensures that the secrets are securely encrypted. 

Essentially, you need to find an external Key Management System (KMS) for your Kubernetes Secrets. A KMS creates, manages, and stores encryption keys as a centralized service for clients dealing with sensitive data that must be protected. 

Using Akeyless as an external KMS for Kubernetes does exactly this, by applying an encryption mechanism called envelope encryption.

Envelope Encryption Explained

Envelope encryption is a method that encrypts your data with a data encryption key (DEK), and then encrypts that data encryption key with another key – a Key Encryption Key. This extra layer of encryption is also referred to as wrapping, hence the envelope analogy. 

Kubernetes uses a DEK to encrypt the secret. To protect this key while it’s stored, Akeyless uses another encryption key – the KEK – to encrypt the DEK. This KEK is defined and managed in the Akeyless Vaultless® Platform, protected by Akeyless’s patented Distributed Fragments Cryptography (DFC™) technology, so that no entity outside of your organization – even Akeyless – has full access to the encryption key.

So How Does Akeyless Work as an External KMS?

Akeyless provides a plugin that enables it to function as an external KMS for Kubernetes. The Akeyless K8s External KMS plugin runs as a static pod or as a standalone docker container on each of the master nodes in your Kubernetes cluster, where it listens for requests from the Kubernetes API server.

Encrypting Kubernetes Secrets with Akeyless

When you create a new Kubernetes Secret to store credentials, the Kubernetes API server generates a unique DEK, and uses it to encrypt the secret. At the same time, the Akeyless K8s External KMS plugin running on your Kubernetes cluster sends the DEK to the Akeyless Vaultless® Platform for encryption.

Akeyless encrypts the DEK using a dedicated KEK, and returns the encrypted DEK to the Akeyless K8s External KMS plugin. The plugin returns the encrypted DEK to the Kubernetes API server, which stores it in etcd together with the secret it encrypts. Note that the plaintext DEK is never stored on the disk.

Decrypting Kubernetes Secrets Encrypted by Akeyless

When an application requests a secret, the Kubernetes API server sends the encrypted DEK to Akeyless for decryption. Akeyless first authenticates the Kubernetes API server to verify that it is authorized to access the decrypted DEK. If so, Akeyless then uses the KEK to decrypt the DEK, and returns the value to the Kubernetes API server. The Kubernetes API server uses the plaintext of the DEK to decrypt the Kubernetes secret stored in etcd, and returns the decrypted secret to the application.

Scale, Simplify and Secure K8s Secrets with Akeyless

By using Akeyless Secrets Management, Kubernetes environments can simplify and scale their processes, no matter where they run. The Zero Knowledge platform ensures Akeyless customers maintain full custody of their keys. Additional benefits of our secrets management solution include:

  • The Highest Levels of Encryption: Your keys are encrypted using Akeyless’ innovative Distributed Fragments Cryptography™, which is FIPS 140-2 certified.
  • Granular Authentication and Authorization: The platform’s role-based access functionality ensures that only authenticated and authorized users can encrypt or decrypt the KEK.
  • Comprehensive Auditing: For added peace of mind, every action within the system is tracked in the audit logs, giving you a detailed record of who is accessing your KEK, when, and from where.

Never Miss an Update

The latest news and insights about Secrets Management,
Akeyless, and the community we serve.

 

Ready to get started?

Discover how Akeyless simplifies secrets management, reduces sprawl, minimizes risk, and saves time.

Book a Demo
Subscribe to Newsletter
  • PrivilegedAccessManagement(PAM)_BestSupport_Enterprise_QualityOfSupport
  • PrivilegedAccessManagement(PAM)_HighPerformer_Enterprise_HighPerformer
  • PrivilegedAccessManagement(PAM)_EasiestToUse_Enterprise_EaseOfUse
  • PrivilegedAccessManagement(PAM)_UsersMostLikelyToRecommend_Nps