Store and Access your Secrets the Kubernetes native way with any external KMS

Trousseau Logo

An open-source project based on
Kubernetes KMS provider design

Trousseau is an open-source project, based on Kubernetes KMS provider design. It is designed to be a framework for any KMS provider (see release notes).

Why Trousseau?

Kubernetes platform users are all facing the very same question: how do we handle Secrets?

While there are significant efforts to improve Kubernetes component layers, the state of Secret Management isn't receiving much interest. Using etcd to store API object definition & states, Kubernetes secrets are encoded in Base64 and shipped into the key value store database. Even if the filesystems on which etcd runs are encrypted, the secrets are still not.

Instead of leveraging the native Kubernetes way to manage secrets, commercial and open source solutions solve this design flaw by leveraging different approaches all using different toolsets or practices. This leads to training and maintaining niche skills and tools increasing the cost and complexity of Kubernetes day 0, 1 and 2.

Once deployed, Trousseau will enable seamless secret management using the native Kubernetes API and kubectl CLI usage while leveraging an existing Key Management Service (KMS) provider.

How? By using the Kubernetes KMS provider framework to provide an envelope encryption scheme to encrypt secrets on the fly.

Trousseau software architecture

Trousseau is fully developed in Go addressing the Kubernetes KMS provider. Here is the quote from the Kubernetes project defining the overall process that trousseau is based on:

The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd. The data is encrypted using a data encryption key (DEK); a new DEK is generated for each encryption.

The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS. The KMS provider uses gRPC to communicate with a specific KMS plugin. The KMS plugin, which is implemented as a gRPC server and deployed on the same host(s) as the Kubernetes master(s), is responsible for all communication with the remote KMS.

Trousseau Workflow Overview

  1. Create a secret 
  2. kube-api calls trousseau
  3. trousseau sends the encryption request to the KMS provider 
  4. The KMS provider returns the encrypted data to trousseau
  5. trousseau sends the encrypted data back to kube-api
  6. kube-api stores the encrypted resource in etcd
Ondat Diagram-no-text

Hands-on Lab:
Keep Your Secrets and Persistent Volumes Safe With Trousseau and Vault


Install Trousseau

Guidance to install and use Trousseau on the following platforms

Generic k8s with HashiCorp Vault

Trousseau KMS provider plugin for HashiCorp Vault

Rancher Kubernetes Engine v2 with Hashicorp Vault

Trousseau running on RKE2 with Hashicorp Vault

Rancher Kubernetes Engine with Hashicorp Vault

Trousseau running on RKE with Hashicorp Vault

About the name

The name trousseau comes from the French language and is usually associated with keys like in trousseau de clés meaning keyring. This project is maintained by Trousseau-io.