3.4 Set Up Encryption¶
Encryption in the Formae project is enabled by default at the storage layer (every EBS volume is encrypted at rest) and is provided for data in transit by the cluster's control-plane protocols. This section explains how each is configured and where to customise it.
Encryption at Rest¶
All EBS volumes are encrypted using the encrypted = true property. This is set in two places:
Root Volumes (in modules/compute.pkl)¶
The root volume is defined inline with each EC2 instance:
```pkl
blockDeviceMappings {
  new instance.BlockDeviceMapping {
    deviceName = "/dev/xvda"
    ebs = new {
      volumeType = "gp3"
      volumeSize = vars.rootVolumeSize
      deleteOnTermination = true
      encrypted = true
    }
  }
}
```
- encrypted = true: encrypts the OS root volume
- deleteOnTermination = true: the root volume is destroyed with the instance
Data Volumes (in modules/storage.pkl)¶
Data volumes are created as standalone resources:
```pkl
new volume.Volume {
  label = "talos-worker-\(_idx + 1)"
  // ...
  encrypted = true
}
```
Encryption Key¶
When encrypted = true is set without specifying a kmsKeyId, AWS uses the default EBS encryption key (aws/ebs) managed by AWS KMS. This provides:
- AES-256 encryption
- Automatic key rotation managed by AWS (key material is rotated yearly; older material is retained, so existing volumes remain readable)
- No additional cost beyond standard EBS pricing
Note
To use a customer-managed KMS key (CMK), you would add a kmsKeyId property, alongside encrypted = true, to the volume definitions in both compute.pkl and storage.pkl. This is not currently configured in the Formae modules. Two limitations of the default aws/ebs key usually motivate the switch: its key policy cannot be edited, so you cannot scope which principals may decrypt, and snapshots or AMIs encrypted with it cannot be shared with other AWS accounts. The key is fixed when a volume is created; adding kmsKeyId later does not re-encrypt volumes that already exist, so changing it forces new volumes (and, for root volumes, instance replacement).
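As an added example (not code from the Formae modules), the customer-managed key change described above, carried through both files so the two volume types use the same key. It assumes a new shared field vars.ebsKmsKeyArn (a name chosen here; the current vars module has no such field) and that the ebs block and volume.Volume accept a kmsKeyId property, as the Note states.

```pkl
// Added example, not part of the Formae modules: wire one customer-managed
// KMS key into both volume definitions. `vars.ebsKmsKeyArn` is an assumed
// name for a field you would add to the shared vars module, for example
//   ebsKmsKeyArn = "arn:aws:kms:<region>:<account-id>:key/<key-id>"
// Use the full key ARN: a bare key ID or alias only resolves within the
// same account and region, which matters once snapshots or AMIs are shared.

// modules/compute.pkl: root volume of each EC2 instance
blockDeviceMappings {
  new instance.BlockDeviceMapping {
    deviceName = "/dev/xvda"
    ebs = new {
      volumeType = "gp3"
      volumeSize = vars.rootVolumeSize
      deleteOnTermination = true
      // EC2 rejects a block device mapping that sets kmsKeyId without
      // encrypted = true, so keep both properties.
      encrypted = true
      kmsKeyId = vars.ebsKmsKeyArn
    }
  }
}

// modules/storage.pkl: standalone data volumes, same key as the root volumes
new volume.Volume {
  label = "talos-worker-\(_idx + 1)"
  // ...
  encrypted = true
  kmsKeyId = vars.ebsKmsKeyArn
}
```

The key policy of the CMK must allow the principal that creates the instances and volumes to use it (kms:CreateGrant, kms:GenerateDataKeyWithoutPlaintext, kms:Decrypt, kms:ReEncrypt* and kms:DescribeKey); if it does not, data volume creation fails and an instance whose root volume cannot be decrypted terminates shortly after launch.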
Encryption in Transit¶
The following protocols provide encryption in transit by default:
| Protocol | Port | Encryption | Notes |
|---|---|---|---|
| Kubernetes API | 6443 | TLS | Built into kube-apiserver |
| Talos API | 50000 | mTLS | Mutual TLS between talosctl and nodes |
| etcd | 2379-2380 | TLS | Peer and client communication |
| Cilium GENEVE | 6081 | Optional (WireGuard) | Not encrypted by default. With encryption.enabled = true and encryption.type = wireguard in the Cilium config, inter-node pod traffic is carried inside a WireGuard tunnel (UDP 51871) instead of plain GENEVE, so that port must be open between nodes |
Talos automatically generates and manages the TLS certificates for the Kubernetes API, etcd, and the Talos API. No manual certificate configuration is needed at the infrastructure layer.
Customisation Summary¶
| What to Change | Where | How |
|---|---|---|
| Use a customer-managed KMS key | compute.pkl, storage.pkl | Add kmsKeyId = "<arn>" alongside encrypted = true in both volume definitions. Existing volumes are not re-keyed in place; the key is fixed when a volume is created |
| Disable encryption (not recommended) | compute.pkl, storage.pkl | Set encrypted = false. This has no effect if "EBS encryption by default" is turned on for the account and region; volumes are then encrypted regardless |
| Enable Cilium WireGuard encryption | Cilium Helm values | Set encryption.enabled = true and encryption.type = wireguard. The chart's default type is ipsec, which requires a pre-shared key secret; WireGuard needs none. Allow UDP 51871 between nodes |