
# Encryption in Managed Service for Kubernetes

Yandex Cloud adopts many [information security measures](../../security/standarts.md). They include multi-level encryption of Managed Service for Kubernetes data:

* Data is encrypted with system keys when it is placed in Yandex Cloud storage. This protects your data from compromise if disks are physically stolen from Yandex Cloud data centers.
* Data is encrypted with TLS when transmitted over the network. The keys used for TLS are stored on the hosts that terminate the protocol. This protects the data against interception.

The following cryptographic algorithms are used:
* Symmetric: AES, ChaCha.
* Asymmetric: RSA, Ed25519.

The minimum key length is 128 bits for symmetric algorithms and 2048 bits for asymmetric algorithms.

Yandex Cloud manages these keys for you.

## Encryption with custom symmetric keys {#kms-keys-encryption}

Managed Service for Kubernetes supports encryption with [custom Yandex Key Management Service symmetric keys](../../kms/concepts/key.md) for the following resources:
* [Kubernetes secrets](#k8s-secrets-encryption)
* [Disks for persistent volumes](volume.md#encrypted-disks)

Such keys are managed on the user side, which gives you additional options:

* Auditing [events](../../kms/at-ref.md) related to the key usage with [Yandex Audit Trails](../../audit-trails/index.md).
* Tracking operations with keys using [Yandex Monitoring](../../monitoring/index.md).
* [Operations with keys](../../kms/operations/index.md#symmetric-encryption), such as rotation, modification, deactivation, and deletion.
* Granular management of [access permissions to the key](../../kms/security/index.md) at the level of individual [Yandex Cloud accounts](../../iam/concepts/users/accounts.md).
* Using the [hardware security module (HSM)](../../kms/concepts/hsm.md) when needed.

    {% note info %}

    In Managed Service for Kubernetes, a Yandex Cloud service account is [called](index.md#service-accounts) a cloud service account to avoid confusion with a Kubernetes service account.

    {% endnote %}

### Encrypting Kubernetes secrets {#k8s-secrets-encryption}

A [_Kubernetes secret_](https://kubernetes.io/docs/concepts/configuration/secret/) is private information a Kubernetes cluster uses when managing pods, such as OAuth keys, passwords, and SSH keys.

By default, cluster secrets are stored unencrypted. If you specified an encryption key when [creating a Managed Service for Kubernetes cluster](../operations/kubernetes-cluster/kubernetes-cluster-create.md), the cluster secrets are encrypted.

{% note warning %}

You can specify an encryption key only when creating a cluster.

If you need to use another key, create a new cluster with that key.

{% endnote %}

The encryption process of an individual secret runs as follows:

1. Kubernetes encrypts the secret using the [KMS provider](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/).

1. During encryption, the KMS provider calls the KMS plugin, which makes it possible to use the encryption key you specified when creating the cluster.

    This encryption key does not encrypt secrets directly. Instead, it is used as part of the [envelope encryption](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#kms-encryption-and-per-object-encryption-keys) scheme.

    For a general description of the scheme, see [Envelope encryption](../../kms/concepts/envelope.md).

1. During encryption, the KMS plugin calls [Yandex Key Management Service](../../kms/concepts/index.md), where the encryption key is stored.

    Both the plugin and the provider that uses it are preinstalled and configured in the Managed Service for Kubernetes cluster.

Secrets are decrypted in a similar way.
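The envelope scheme from the steps above, as an added example that is not part of the Yandex Cloud documentation or of the KMS plugin's own code: a fresh data encryption key (DEK) protects each secret, and only the DEK is wrapped under the key encryption key (KEK). Assumptions: the KEK is a local 32-byte slice standing in for the Key Management Service key (in the real service that key never leaves KMS, and the plugin asks KMS to wrap and unwrap the DEK), AES-GCM stands in for the plugin's cipher, and the function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD { // key sizes are fixed by this program,
	block, err := aes.NewCipher(key) // so a wrong size is a bug, not a runtime condition
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // only fails for a non-16-byte block size
	return gcm
}
// seal encrypts plaintext and prepends the random nonce; an entropy failure is unrecoverable.
func seal(gcm cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or a modified ciphertext fails authentication.
func open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Encrypt: fresh 256-bit DEK per secret; the secret is sealed under the DEK, the DEK under the KEK.
func Encrypt(kek, secret []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(aead(kek), dek), seal(aead(dek), secret)
}

// Decrypt unwraps the DEK with the KEK, then decrypts the secret with the DEK.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(aead(kek), wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(aead(dek), ciphertext)
}
```

What the cluster stores per secret is the pair (wrappedDEK, ciphertext); rotating the KEK in KMS only requires re-wrapping the DEKs, not re-encrypting every secret.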

## Use cases {#examples}

* [Encrypting secrets in Managed Service for Kubernetes](../tutorials/kms-k8s.md)
* [Using encrypted disks for persistent volumes](../operations/volumes/encrypted-disks.md)
* [Syncing with Yandex Lockbox secrets](../tutorials/kubernetes-lockbox-secrets.md)

## See also {#see-also}

* [Installing HashiCorp Vault with Key Management Service support](../operations/applications/hashicorp-vault.md)
* [Using HashiCorp Vault to store secrets](../tutorials/marketplace/hashicorp-vault.md)
* [Encrypting secrets in Managed Service for Kubernetes](../tutorials/kms-k8s.md)
* [Installing the External Secrets Operator with Yandex Lockbox support](../operations/applications/external-secrets-operator.md)
* [Syncing with Yandex Lockbox secrets](../tutorials/kubernetes-lockbox-secrets.md)