Add New Secrets Encryption (#130)

* Update secrets encryption documentation with se v3 Signed-off-by: Derek Nola <[email protected]>
rancher · Nov 27, 2023 · 7051562 · 7051562
1 parent 13f703f
commit 7051562
Showing 1 changed file with 69 additions and 3 deletions.
diff --git a/docs/security/secrets_encryption.md b/docs/security/secrets_encryption.md
@@ -58,7 +58,70 @@ RKE2 contains a subcommand `secrets-encrypt`, which allows administrators to per
 Failure to follow proper procedure when rotating secrets encryption keys can cause permanent data loss. [Creating a snapshot](../backup_restore.md) before rotating is recommended. Proceed with caution.
 :::
 
-### Single-Server Encryption Key Rotation
+### New Encryption Key Rotation
+
+:::warning Expiremental Version Gate
+Available as of [v1.28.1+rke2r1](https://github.com/rancher/rke2/releases/tag/v1.28.1%2Brke2r1). This new version of the tool utilizes K8s [automatic config reloading](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#configure-automatic-reloading) which is currently in beta. GA is expected in v1.29.0
+
+For older releases, see [Encryption Key Rotation Classic](#encryption-key-rotation-classic)
+:::
+
+<Tabs groupId="se">
+<TabItem value="Single-Server" default>
+
+To rotate secrets encryption keys on a single-server cluster:
+
+1. Rotate secrets encryption keys
+    ```
+    rke2 secrets-encrypt rotate-keys
+    ```
+
+2. Wait for reencryption to finish. Watch the server logs, or wait for:
+    ```bash
+    $ rke2 secrets-encrypt status
+    Encryption Status: Enabled
+    Current Rotation Stage: reencrypt_finished
+    ```
+
+</TabItem>
+<TabItem value="High-Availability">
+
+To rotate secrets encryption keys on HA setups:
+
+:::note
+In this example, 3 servers are used to for a HA cluster, referred to as S1, S2, S3. It is recommended that you pick one server node from which to run the `secrets-encrypt` commands.
+:::
+
+1. Rotate secrets encryption keys on S1
+
+    ```bash
+    rke2 secrets-encrypt rotate-keys
+    ```
+
+2. Wait for reencryption to finish. Watch the server logs, or wait for:
+    ```bash
+    $ rke2 secrets-encrypt status
+    Encryption Status: Enabled
+    Current Rotation Stage: reencrypt_finished
+    ```
+    :::info
+    RKE2 will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. You can track progress in the server logs.
+    ::: 
+
+3. Sequentially Restart RKE2 on S1, S2, S3
+    ```
+    systemctl restart rke2-server.service
+    ```
+    Wait for the systemctl command to return before restarting the next server.
+
+
+</TabItem>
+</Tabs>
+
+### Encryption Key Rotation Classic
+
+<Tabs groupId="se">
+<TabItem value="Single-Server" default>
 
 To rotate secrets encryption keys on a single-node cluster:
 
@@ -90,9 +153,9 @@ To rotate secrets encryption keys on a single-node cluster:
     ```
     rke2 secrets-encrypt reencrypt
     ```
+</TabItem>
+<TabItem value="High-Availability">
 
-
-### Multi-Server Encryption Key Rotation
 To rotate secrets encryption keys on HA setups:
 
 :::note
@@ -128,6 +191,9 @@ In this example, 3 servers are used to for a HA cluster, referred to as S1, S2,
 
 6. Sequentially Restart S1, S2, S3
 
+</TabItem>
+</Tabs>
+
 ### Secrets Encryption Status
 The `secrets-encrypt status` subcommand displays information about the current status of secrets encryption on the node.